#!/usr/bin/env shellspec # Unit tests for php-tests action validation and logic # Framework is automatically loaded via spec_helper.sh Describe "php-tests action" ACTION_DIR="php-tests" ACTION_FILE="$ACTION_DIR/action.yml" Context "when validating token input" It "accepts GitHub token expression" When call validate_input_python "php-tests" "token" "\${{ github.token }}" The status should be success End It "accepts GitHub fine-grained token" When call validate_input_python "php-tests" "token" "ghp_abcdefghijklmnopqrstuvwxyz1234567890" The status should be success End It "accepts GitHub app token" When call validate_input_python "php-tests" "token" "ghs_abcdefghijklmnopqrstuvwxyz1234567890" The status should be success End It "accepts GitHub enterprise token" When call validate_input_python "php-tests" "token" "ghe_abcdefghijklmnopqrstuvwxyz1234567890" The status should be success End It "rejects invalid token format" When call validate_input_python "php-tests" "token" "invalid-token" The status should be failure End It "rejects token with command injection" When call validate_input_python "php-tests" "token" "ghp_token; rm -rf /" The status should be failure End It "accepts empty token (uses default)" When call validate_input_python "php-tests" "token" "" The status should be success End End Context "when validating username input" It "accepts valid GitHub username" When call validate_input_python "php-tests" "username" "github-actions" The status should be success End It "accepts username with hyphens" When call validate_input_python "php-tests" "username" "user-name" The status should be success End It "accepts username with numbers" When call validate_input_python "php-tests" "username" "user123" The status should be success End It "accepts single character username" When call validate_input_python "php-tests" "username" "a" The status should be success End It "accepts maximum length username" When call validate_input_python "php-tests" "username" "abcdefghijklmnopqrstuvwxyz0123456789abc" The status should be success End It "rejects username too long" When call validate_input_python "php-tests" "username" "abcdefghijklmnopqrstuvwxyz0123456789abcd" The status should be failure End It "rejects username with command injection semicolon" When call validate_input_python "php-tests" "username" "user; rm -rf /" The status should be failure End It "rejects username with command injection ampersand" When call validate_input_python "php-tests" "username" "user && rm -rf /" The status should be failure End It "rejects username with command injection pipe" When call validate_input_python "php-tests" "username" "user | rm -rf /" The status should be failure End It "accepts empty username (uses default)" When call validate_input_python "php-tests" "username" "" The status should be success End End Context "when validating email input" It "accepts valid email" When call validate_input_python "php-tests" "email" "user@example.com" The status should be success End It "accepts email with subdomain" When call validate_input_python "php-tests" "email" "user@mail.example.com" The status should be success End It "accepts email with plus sign" When call validate_input_python "php-tests" "email" "user+tag@example.com" The status should be success End It "accepts email with numbers" When call validate_input_python "php-tests" "email" "user123@example123.com" The status should be success End It "accepts email with hyphens" When call validate_input_python "php-tests" "email" "user-name@example-domain.com" The status should be success End It "rejects email without at symbol" When call validate_input_python "php-tests" "email" "userexample.com" The status should be failure End It "rejects email without domain" When call validate_input_python "php-tests" "email" "user@" The status should be failure End It "rejects email without username" When call validate_input_python "php-tests" "email" "@example.com" The status should be failure End It "rejects email without dot in domain" When call validate_input_python "php-tests" "email" "user@example" The status should be failure End It "rejects email with spaces" When call validate_input_python "php-tests" "email" "user @example.com" The status should be failure End It "accepts empty email (uses default)" When call validate_input_python "php-tests" "email" "" The status should be success End End Context "when checking action.yml structure" It "has valid YAML syntax" When call validate_action_yml_quiet "$ACTION_FILE" The status should be success End It "has correct action name" name=$(get_action_name "$ACTION_FILE") When call echo "$name" The output should equal "PHP Tests" End It "defines expected inputs" When call get_action_inputs "$ACTION_FILE" The output should include "token" The output should include "username" The output should include "email" End It "defines expected outputs" When call get_action_outputs "$ACTION_FILE" The output should include "test_status" The output should include "tests_run" The output should include "tests_passed" The output should include "coverage_path" End End Context "when testing input requirements" It "has all inputs as optional" When call uv run "_tests/shared/validation_core.py" --property "$ACTION_FILE" "" "all_optional" The output should equal "none" End It "has empty default token (runtime fallback)" When call uv run "_tests/shared/validation_core.py" --property "$ACTION_FILE" "token" "default" The output should equal "no-default" End It "has correct default username" When call uv run "_tests/shared/validation_core.py" --property "$ACTION_FILE" "username" "default" The output should equal "github-actions" End It "has correct default email" When call uv run "_tests/shared/validation_core.py" --property "$ACTION_FILE" "email" "default" The output should equal "github-actions@github.com" End End Context "when testing security validations" It "validates against command injection in username" When call validate_input_python "php-tests" "username" "user\`whoami\`" The status should be failure End It "validates against shell metacharacters in email" When call validate_input_python "php-tests" "email" "user@example.com; rm -rf /" The status should be failure End It "validates against variable expansion in token" When call validate_input_python "php-tests" "token" "\${MALICIOUS_VAR}" The status should be failure End It "validates against backtick injection in username" When call validate_input_python "php-tests" "username" "user\`echo malicious\`" The status should be failure End End Context "when testing PHP-specific validations" It "validates username length boundaries" When call validate_input_python "php-tests" "username" "$(awk 'BEGIN{for(i=1;i<=40;i++)printf "a"}')" The status should be failure End It "validates email format for Git commits" When call validate_input_python "php-tests" "email" "noreply@github.com" The status should be success End It "validates default values are secure" When call validate_input_python "php-tests" "username" "github-actions" The status should be success End It "validates default email is secure" When call validate_input_python "php-tests" "email" "github-actions@github.com" The status should be success End End End