Merge branch 'main' into robertbrignull/recursive_sarif_test

2026-01-05 06:00:32 +08:00 · 2021-01-04 15:15:44 +00:00
parent bd4e3adfd9 b1e0b46970
commit 3792ed8ceb
6 changed files with 128 additions and 10 deletions
--- a/src/actions-util.test.ts
+++ b/src/actions-util.test.ts
@@ -336,6 +336,8 @@ test("validateWorkflow() when on.pull_request for mismatched wildcard branches",
 });

 test("validateWorkflow() when HEAD^2 is checked out", (t) => {
+  process.env.GITHUB_JOB = "test";
+
  const errors = actionsutil.validateWorkflow({
    on: ["push", "pull_request"],
    jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
@@ -432,3 +434,61 @@ on:

  t.deepEqual(errors, []);
 });
+
+test("validateWorkflow() should only report the current job's CheckoutWrongHead", (t) => {
+  process.env.GITHUB_JOB = "test";
+
+  const errors = actionsutil.validateWorkflow(
+    yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+jobs:
+  test:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test2:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test3:
+    steps: []
+`)
+  );
+
+  t.deepEqual(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]);
+});
+
+test("validateWorkflow() should not report a different job's CheckoutWrongHead", (t) => {
+  process.env.GITHUB_JOB = "test3";
+
+  const errors = actionsutil.validateWorkflow(
+    yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+jobs:
+  test:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test2:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test3:
+    steps: []
+`)
+  );
+
+  t.deepEqual(errors, []);
+});
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@@ -211,10 +211,15 @@ export const WorkflowErrors = toCodedErrors({
 export function validateWorkflow(doc: Workflow): CodedError[] {
  const errors: CodedError[] = [];

-  // .jobs[key].steps[].run
-  for (const job of Object.values(doc?.jobs || {})) {
-    if (Array.isArray(job?.steps)) {
-      for (const step of job?.steps) {
+  const jobName = process.env.GITHUB_JOB;
+
+  if (jobName) {
+    const job = doc?.jobs?.[jobName];
+
+    const steps = job?.steps;
+
+    if (Array.isArray(steps)) {
+      for (const step of steps) {
        // this was advice that we used to give in the README
        // we actually want to run the analysis on the merge commit
        // to produce results that are more inline with expectations
@@ -222,6 +227,7 @@ export function validateWorkflow(doc: Workflow): CodedError[] {
        // and avoid some race conditions
        if (step?.run === "git checkout HEAD^2") {
          errors.push(WorkflowErrors.CheckoutWrongHead);
+          break;
        }
      }
    }