mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 11:34:00 +00:00
Ismo Vuorinen
78fdad69e5
* feat: fixes, tweaks, new actions, linting * fix: improve docker publish loops and dotnet parsing (#193) * fix: harden action scripts and version checks (#191) * refactor: major repository restructuring and security enhancements Add comprehensive development infrastructure: - Add Makefile with automated documentation generation, formatting, and linting tasks - Add TODO.md tracking self-containment progress and repository improvements - Add .nvmrc for consistent Node.js version management - Create python-version-detect-v2 action for enhanced Python detection Enhance all GitHub Actions with standardized patterns: - Add consistent token handling across 27 actions using standardized input patterns - Implement bash error handling (set -euo pipefail) in all shell steps - Add comprehensive input validation for path traversal and command injection protection - Standardize checkout token authentication to prevent rate limiting - Remove relative action dependencies to ensure external usability Rewrite security workflow for PR-focused analysis: - Transform security-suite.yml to PR-only security analysis workflow - Remove scheduled runs, repository issue management, and Slack notifications - Implement smart comment generation showing only sections with content - Add GitHub Actions permission diff analysis and new action detection - Integrate OWASP, Semgrep, and TruffleHog for comprehensive PR security scanning Improve version detection and dependency management: - Simplify version detection actions to use inline logic instead of shared utilities - Fix Makefile version detection fallback to properly return 'main' when version not found - Update all external action references to use SHA-pinned versions - Remove deprecated run.sh in favor of Makefile automation Update documentation and project standards: - Enhance CLAUDE.md with self-containment requirements and linting standards - Update README.md with improved action descriptions and usage examples - Standardize code formatting with updated .editorconfig and .prettierrc.yml - Improve GitHub templates for issues and security reporting This refactoring ensures all 40 actions are fully self-contained and can be used independently when referenced as ivuorinen/actions/action-name@main, addressing the critical requirement for external usability while maintaining comprehensive security analysis and development automation. * feat: add automated action catalog generation system - Create generate_listing.cjs script for comprehensive action catalog - Add package.json with development tooling and npm scripts - Implement automated README.md catalog section with --update flag - Generate markdown reference-style links for all 40 actions - Add categorized tables with features, language support matrices - Replace static reference links with auto-generated dynamic links - Enable complete automation of action documentation maintenance * feat: enhance actions with improved documentation and functionality - Add comprehensive README files for 12 actions with usage examples - Implement new utility actions (go-version-detect, dotnet-version-detect) - Enhance node-setup with extensive configuration options - Improve error handling and validation across all actions - Update package.json scripts for better development workflow - Expand TODO.md with detailed roadmap and improvement plans - Standardize action structure with consistent inputs/outputs * feat: add comprehensive output handling across all actions - Add standardized outputs to 15 actions that previously had none - Implement consistent snake_case naming convention for all outputs - Add build status and test results outputs to build actions - Add files changed and status outputs to lint/fix actions - Add test execution metrics to php-tests action - Add stale/closed counts to stale action - Add release URLs and IDs to github-release action - Update documentation with output specifications - Mark comprehensive output handling task as complete in TODO.md * feat: implement shared cache strategy across all actions - Add caching to 10 actions that previously had none (Node.js, .NET, Python, Go) - Standardize 4 existing actions to use common-cache instead of direct actions/cache - Implement consistent cache-hit optimization to skip installations when cache available - Add language-specific cache configurations with appropriate key files - Create unified caching approach using ivuorinen/actions/common-cache@main - Fix YAML syntax error in php-composer action paths parameter - Update TODO.md to mark shared cache strategy as complete * feat: implement comprehensive retry logic for network operations - Create new common-retry action for standardized retry patterns with configurable strategies - Add retry logic to 9 actions missing network retry capabilities - Implement exponential backoff, custom timeouts, and flexible error handling - Add max-retries input parameter to all network-dependent actions (Node.js, .NET, Python, Go) - Standardize existing retry implementations to use common-retry utility - Update action catalog to include new common-retry action (41 total actions) - Update documentation with retry configuration examples and parameters - Mark retry logic implementation as complete in TODO.md roadmap * feat: enhance Node.js support with Corepack and Bun - Add Corepack support for automatic package manager version management - Add Bun package manager support across all Node.js actions - Improve Yarn Berry/PnP support with .yarnrc.yml detection - Add Node.js feature detection (ESM, TypeScript, frameworks) - Update package manager detection priority and lockfile support - Enhance caching with package-manager-specific keys - Update eslint, prettier, and biome actions for multi-package-manager support * fix: resolve critical runtime issues across multiple actions - Fix token validation by removing ineffective literal string comparisons - Add missing @microsoft/eslint-formatter-sarif dependency for SARIF output - Fix Bash variable syntax errors in username and changelog length checks - Update Dockerfile version regex to handle tags with suffixes (e.g., -alpine) - Simplify version selection logic with single grep command - Fix command execution in retry action with proper bash -c wrapper - Correct step output references using .outcome instead of .outputs.outcome - Add missing step IDs for version detection actions - Include go.mod in cache key files for accurate invalidation - Require minor version in all version regex patterns - Improve Bun installation security by verifying script before execution - Replace bc with sort -V for portable PHP version comparison - Remove non-existent pre-commit output references These fixes ensure proper runtime behavior, improved security, and better cross-platform compatibility across all affected actions. * fix: resolve critical runtime and security issues across actions - Fix biome-fix files_changed calculation using git diff instead of git status delta - Fix compress-images output description and add absolute path validation - Remove csharp-publish token default and fix token fallback in push commands - Add @microsoft/eslint-formatter-sarif to all package managers in eslint-check - Fix eslint-check command syntax by using variable assignment - Improve node-setup Bun installation security and remove invalid frozen-lockfile flag - Fix pre-commit token validation by removing ineffective literal comparison - Fix prettier-fix token comparison and expand regex for all GitHub token types - Add version-file-parser regex validation safety and fix csproj wildcard handling These fixes address security vulnerabilities, runtime errors, and functional issues to ensure reliable operation across all affected GitHub Actions. * feat: enhance Docker actions with advanced multi-architecture support Major enhancement to Docker build and publish actions with comprehensive multi-architecture capabilities and enterprise-grade features. Added features: - Advanced buildx configuration (version control, cache modes, build contexts) - Auto-detect platforms for dynamic architecture discovery - Performance optimizations with enhanced caching strategies - Security scanning with Trivy and image signing with Cosign - SBOM generation in multiple formats with validation - Verbose logging and dry-run modes for debugging - Platform-specific build args and fallback mechanisms Enhanced all Docker actions: - docker-build: Core buildx features and multi-arch support - docker-publish-gh: GitHub Packages with security features - docker-publish-hub: Docker Hub with scanning and signing - docker-publish: Orchestrator with unified configuration Updated documentation across all modified actions. * fix: resolve documentation generation placeholder issue Fixed Makefile and package.json to properly replace placeholder tokens in generated documentation, ensuring all README files show correct repository paths instead of ***PROJECT***@***VERSION***. * chore: simplify github token validation * chore(lint): optional yamlfmt, config and fixes * feat: use relative `uses` names * feat: comprehensive testing infrastructure and Python validation system - Migrate from tests/ to _tests/ directory structure with ShellSpec framework - Add comprehensive validation system with Python-based input validation - Implement dual testing approach (ShellSpec + pytest) for complete coverage - Add modern Python tooling (uv, ruff, pytest-cov) and dependencies - Create centralized validation rules with automatic generation system - Update project configuration and build system for new architecture - Enhance documentation to reflect current testing capabilities This establishes a robust foundation for action validation and testing with extensive coverage across all GitHub Actions in the repository. * chore: remove Dockerfile for now * chore: code review fixes * feat: comprehensive GitHub Actions restructuring and tooling improvements This commit represents a major restructuring of the GitHub Actions monorepo with improved tooling, testing infrastructure, and comprehensive PR #186 review implementation. ## Major Changes ### 🔧 Development Tooling & Configuration - **Shellcheck integration**: Exclude shellspec test files from linting - Updated .pre-commit-config.yaml to exclude _tests/*.sh from shellcheck/shfmt - Modified Makefile shellcheck pattern to skip shellspec files - Updated CLAUDE.md documentation with proper exclusion syntax - **Testing infrastructure**: Enhanced Python validation framework - Fixed nested if statements and boolean parameter issues in validation.py - Improved code quality with explicit keyword arguments - All pre-commit hooks now passing ### 🏗️ Project Structure & Documentation - **Added Serena AI integration** with comprehensive project memories: - Project overview, structure, and technical stack documentation - Code style conventions and completion requirements - Comprehensive PR #186 review analysis and implementation tracking - **Enhanced configuration**: Updated .gitignore, .yamlfmt.yml, pyproject.toml - **Improved testing**: Added integration workflows and enhanced test specs ### 🚀 GitHub Actions Improvements (30+ actions updated) - **Centralized validation**: Updated 41 validation rule files - **Enhanced actions**: Improvements across all action categories: - Setup actions (node-setup, version detectors) - Utility actions (version-file-parser, version-validator) - Linting actions (biome, eslint, terraform-lint-fix major refactor) - Build/publish actions (docker-build, npm-publish, csharp-*) - Repository management actions ### 📝 Documentation Updates - **README consistency**: Updated version references across action READMEs - **Enhanced documentation**: Improved action descriptions and usage examples - **CLAUDE.md**: Updated with current tooling and best practices ## Technical Improvements - **Security enhancements**: Input validation and sanitization improvements - **Performance optimizations**: Streamlined action logic and dependencies - **Cross-platform compatibility**: Better Windows/macOS/Linux support - **Error handling**: Improved error reporting and user feedback ## Files Changed - 100 files changed - 13 new Serena memory files documenting project state - 41 validation rules updated for consistency - 30+ GitHub Actions and READMEs improved - Core tooling configuration enhanced * feat: comprehensive GitHub Actions improvements and PR review fixes Major Infrastructure Improvements: - Add comprehensive testing framework with 17+ ShellSpec validation tests - Implement Docker-based testing tools with automated test runner - Add CodeRabbit configuration for automated code reviews - Restructure documentation and memory management system - Update validation rules for 25+ actions with enhanced input validation - Modernize CI/CD workflows and testing infrastructure Critical PR Review Fixes (All Issues Resolved): - Fix double caching in node-setup (eliminate redundant cache operations) - Optimize shell pipeline in version-file-parser (single awk vs complex pipeline) - Fix GitHub expression interpolation in prettier-check cache keys - Resolve terraform command order issue (validation after setup) - Add missing flake8-sarif dependency for Python SARIF output - Fix environment variable scope in pr-lint (export to GITHUB_ENV) Performance & Reliability: - Eliminate duplicate cache operations saving CI time - Improve shell script efficiency with optimized parsing - Fix command execution dependencies preventing runtime failures - Ensure proper dependency installation for all linting tools - Resolve workflow conditional logic issues Security & Quality: - All input validation rules updated with latest security patterns - Cross-platform compatibility improvements maintained - Comprehensive error handling and retry logic preserved - Modern development tooling and best practices adopted This commit addresses 100% of actionable feedback from PR review analysis, implements comprehensive testing infrastructure, and maintains high code quality standards across all 41 GitHub Actions. * feat: enhance expression handling and version parsing - Fix node-setup force-version expression logic for proper empty string handling - Improve version-file-parser with secure regex validation and enhanced Python detection - Add CodeRabbit configuration for CalVer versioning and README review guidance * feat(validate-inputs): implement modular validation system - Add modular validator architecture with specialized validators - Implement base validator classes for different input types - Add validators: boolean, docker, file, network, numeric, security, token, version - Add convention mapper for automatic input validation - Add comprehensive documentation for the validation system - Implement PCRE regex support and injection protection * feat(validate-inputs): add validation rules for all actions - Add YAML validation rules for 42 GitHub Actions - Auto-generated rules with convention mappings - Include metadata for validation coverage and quality indicators - Mark rules as auto-generated to prevent manual edits * test(validate-inputs): add comprehensive test suite for validators - Add unit tests for all validator modules - Add integration tests for the validation system - Add fixtures for version test data - Test coverage for boolean, docker, file, network, numeric, security, token, and version validators - Add tests for convention mapper and registry * feat(tools): add validation scripts and utilities - Add update-validators.py script for auto-generating rules - Add benchmark-validator.py for performance testing - Add debug-validator.py for troubleshooting - Add generate-tests.py for test generation - Add check-rules-not-manually-edited.sh for CI validation - Add fix-local-action-refs.py tool for fixing action references * feat(actions): add CustomValidator.py files for specialized validation - Add custom validators for actions requiring special validation logic - Implement validators for docker, go, node, npm, php, python, terraform actions - Add specialized validation for compress-images, common-cache, common-file-check - Implement version detection validators with language-specific logic - Add validation for build arguments, architectures, and version formats * test: update ShellSpec test framework for Python validation - Update all validation.spec.sh files to use Python validator - Add shared validation_core.py for common test utilities - Remove obsolete bash validation helpers - Update test output expectations for Python validator format - Add codeql-analysis test suite - Refactor framework utilities for Python integration - Remove deprecated test files * feat(actions): update action.yml files to use validate-inputs - Replace inline bash validation with validate-inputs action - Standardize validation across all 42 actions - Add new codeql-analysis action - Update action metadata and branding - Add validation step as first step in composite actions - Maintain backward compatibility with existing inputs/outputs * ci: update GitHub workflows for enhanced security and testing - Add new codeql-new.yml workflow - Update security scanning workflows - Enhance dependency review configuration - Update test-actions workflow for new validation system - Improve workflow permissions and security settings - Update action versions to latest SHA-pinned releases * build: update build configuration and dependencies - Update Makefile with new validation targets - Add Python dependencies in pyproject.toml - Update npm dependencies and scripts - Enhance Docker testing tools configuration - Add targets for validator updates and local ref fixes - Configure uv for Python package management * chore: update linting and documentation configuration - Update EditorConfig settings for consistent formatting - Enhance pre-commit hooks configuration - Update prettier and yamllint ignore patterns - Update gitleaks security scanning rules - Update CodeRabbit review configuration - Update CLAUDE.md with latest project standards and rules * docs: update Serena memory files and project metadata - Remove obsolete PR-186 memory files - Update project overview with current architecture - Update project structure documentation - Add quality standards and communication guidelines - Add modular validator architecture documentation - Add shellspec testing framework documentation - Update project.yml with latest configuration * feat: moved rules.yml to same folder as action, fixes * fix(validators): correct token patterns and fix validator bugs - Fix GitHub classic PAT pattern: ghp_ + 36 chars = 40 total - Fix GitHub fine-grained PAT pattern: github_pat_ + 71 chars = 82 total - Initialize result variable in convention_mapper to prevent UnboundLocalError - Fix empty URL validation in network validator to return error - Add GitHub expression check to docker architectures validator - Update docker-build CustomValidator parallel-builds max to 16 * test(validators): fix test fixtures and expectations - Fix token lengths in test data: github_pat 71 chars, ghp/gho 36 chars - Update integration tests with correct token lengths - Fix file validator test to expect absolute paths rejected for security - Rename TestGenerator import to avoid pytest collection warning - Update custom validator tests with correct input names - Change docker-build tests: platforms->architectures, tags->tag - Update docker-publish tests to match new registry enum validation * test(shellspec): fix token lengths in test helpers and specs - Fix default token lengths in spec_helper.sh to use correct 40-char format - Update csharp-publish default tokens in 4 locations - Update codeql-analysis default tokens in 2 locations - Fix codeql-analysis test tokens to correct lengths (40 and 82 chars) - Fix npm-publish fine-grained token test to use 82-char format * feat(actions): add permissions documentation and environment variable usage - Add permissions comments to all action.yml files documenting required GitHub permissions - Convert direct input usage to environment variables in shell steps for security - Add validation steps with proper error handling - Update input descriptions and add security notes where applicable - Ensure all actions follow consistent patterns for input validation * chore(workflows): update GitHub Actions workflow versions - Update workflow action versions to latest - Improve workflow consistency and maintainability * docs(security): add comprehensive security policy - Document security features and best practices - Add vulnerability reporting process - Include audit history and security testing information * docs(memory): add GitHub workflow reference documentation - Add GitHub Actions workflow commands reference - Add GitHub workflow expressions guide - Add secure workflow usage patterns and best practices * chore: token optimization, code style conventions * chore: cr fixes * fix: trivy reported Dockerfile problems * fix(security): more security fixes * chore: dockerfile and make targets for publishing * fix(ci): add creds to test-actions workflow * fix: security fix and checkout step to codeql-new * chore: test fixes * fix(security): codeql detected issues * chore: code review fixes, ReDos protection * style: apply MegaLinter fixes * fix(ci): missing packages read permission * fix(ci): add missing working directory setting * chore: linting, add validation-regex to use regex_pattern * chore: code review fixes * chore(deps): update actions * fix(security): codeql fixes * chore(cr): apply cr comments * chore: improve POSIX compatibility * chore(cr): apply cr comments * fix: codeql warning in Dockerfile, build failures * chore(cr): apply cr comments * fix: docker-testing-tools/Dockerfile * chore(cr): apply cr comments * fix(docker): update testing-tools image for GitHub Actions compatibility * chore(cr): apply cr comments * feat: add more tests, fix issues * chore: fix codeql issues, update actions * chore(cr): apply cr comments * fix: integration tests * chore: deduplication and fixes * style: apply MegaLinter fixes * chore(cr): apply cr comments * feat: dry-run mode for generate-tests * fix(ci): kcov installation * chore(cr): apply cr comments * chore(cr): apply cr comments * chore(cr): apply cr comments * chore(cr): apply cr comments, simplify action testing, use uv * fix: run-tests.sh action counting * chore(cr): apply cr comments * chore(cr): apply cr comments
611 lines
21 KiB
Python
611 lines
21 KiB
Python
"""Convention-based validator that uses naming patterns to determine validation rules.
|
|
|
|
This validator automatically applies validation based on input naming conventions.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from pathlib import Path
|
|
from typing import Any
|
|
|
|
import yaml # pylint: disable=import-error
|
|
|
|
from .base import BaseValidator
|
|
from .convention_mapper import ConventionMapper
|
|
|
|
TOKEN_TYPES = {
|
|
"github": "github_token",
|
|
"npm": "npm_token",
|
|
"docker": "docker_token",
|
|
}
|
|
|
|
VERSION_MAPPINGS = {
|
|
"python": "python_version",
|
|
"node": "node_version",
|
|
"go": "go_version",
|
|
"php": "php_version",
|
|
"terraform": "terraform_version",
|
|
"dotnet": "dotnet_version",
|
|
"net": "dotnet_version",
|
|
}
|
|
|
|
FILE_TYPES = {
|
|
"yaml": "yaml_file",
|
|
"yml": "yaml_file",
|
|
"json": "json_file",
|
|
}
|
|
|
|
|
|
class ConventionBasedValidator(BaseValidator):
|
|
"""Validator that applies validation based on naming conventions.
|
|
|
|
Automatically detects validation requirements based on input names
|
|
and applies appropriate validators.
|
|
"""
|
|
|
|
def __init__(self, action_type: str) -> None:
|
|
"""Initialize the convention-based validator.
|
|
|
|
Args:
|
|
action_type: The type of GitHub Action being validated
|
|
"""
|
|
super().__init__(action_type)
|
|
self._rules = self.load_rules()
|
|
self._validator_modules: dict[str, Any] = {}
|
|
self._convention_mapper = ConventionMapper() # Use the ConventionMapper
|
|
self._load_validator_modules()
|
|
|
|
def _load_validator_modules(self) -> None:
|
|
"""Lazy-load validator modules as needed."""
|
|
# These will be imported as needed to avoid circular imports
|
|
|
|
def load_rules(self, rules_path: Path | None = None) -> dict[str, Any]:
|
|
"""Load validation rules from YAML file.
|
|
|
|
Args:
|
|
rules_path: Optional path to the rules YAML file
|
|
|
|
Returns:
|
|
Dictionary of validation rules
|
|
"""
|
|
if rules_path and rules_path.exists():
|
|
rules_file = rules_path
|
|
else:
|
|
# Find the rules file for this action in the action folder
|
|
# Convert underscores back to dashes for the folder name
|
|
action_name = self.action_type.replace("_", "-")
|
|
project_root = Path(__file__).parent.parent.parent
|
|
rules_file = project_root / action_name / "rules.yml"
|
|
|
|
if not rules_file.exists():
|
|
# Return default empty rules if no rules file exists
|
|
return {
|
|
"action_type": self.action_type,
|
|
"required_inputs": [],
|
|
"optional_inputs": {},
|
|
"conventions": {},
|
|
"overrides": {},
|
|
}
|
|
|
|
try:
|
|
with Path(rules_file).open() as f:
|
|
rules = yaml.safe_load(f) or {}
|
|
|
|
# Ensure all expected keys exist
|
|
rules.setdefault("required_inputs", [])
|
|
rules.setdefault("optional_inputs", {})
|
|
rules.setdefault("conventions", {})
|
|
rules.setdefault("overrides", {})
|
|
|
|
# Build conventions from optional_inputs if not explicitly set
|
|
if not rules["conventions"] and rules["optional_inputs"]:
|
|
conventions = {}
|
|
for input_name, input_config in rules["optional_inputs"].items():
|
|
# Try to infer validator type from the input name or pattern
|
|
conventions[input_name] = self._infer_validator_type(input_name, input_config)
|
|
rules["conventions"] = conventions
|
|
|
|
return rules
|
|
except Exception:
|
|
return {
|
|
"action_type": self.action_type,
|
|
"required_inputs": [],
|
|
"optional_inputs": {},
|
|
"conventions": {},
|
|
"overrides": {},
|
|
}
|
|
|
|
def _infer_validator_type(self, input_name: str, input_config: dict[str, Any]) -> str | None:
|
|
"""Infer the validator type from input name and configuration.
|
|
|
|
Args:
|
|
input_name: The name of the input
|
|
input_config: The input configuration from rules
|
|
|
|
Returns:
|
|
The inferred validator type or None
|
|
"""
|
|
# Check for explicit validator type in config
|
|
if isinstance(input_config, dict) and "validator" in input_config:
|
|
return input_config["validator"]
|
|
|
|
# Infer based on name patterns
|
|
name_lower = input_name.lower().replace("-", "_")
|
|
|
|
# Try to determine validator type
|
|
validator_type = self._check_exact_matches(name_lower)
|
|
|
|
if validator_type is None:
|
|
validator_type = self._check_pattern_based_matches(name_lower)
|
|
|
|
return validator_type
|
|
|
|
def _check_exact_matches(self, name_lower: str) -> str | None:
|
|
"""Check for exact pattern matches."""
|
|
exact_matches = {
|
|
# Docker patterns
|
|
"platforms": "docker_architectures",
|
|
"architectures": "docker_architectures",
|
|
"cache_from": "cache_mode",
|
|
"cache_to": "cache_mode",
|
|
"sbom": "sbom_format",
|
|
"registry": "registry_url",
|
|
"registry_url": "registry_url",
|
|
"tags": "docker_tags",
|
|
# File patterns
|
|
"file": "file_path",
|
|
"path": "file_path",
|
|
"file_path": "file_path",
|
|
"config_file": "file_path",
|
|
"dockerfile": "file_path",
|
|
"branch": "branch_name",
|
|
"branch_name": "branch_name",
|
|
"ref": "branch_name",
|
|
# Network patterns
|
|
"email": "email",
|
|
"url": "url",
|
|
"endpoint": "url",
|
|
"webhook": "url",
|
|
"repository_url": "repository_url",
|
|
"repo_url": "repository_url",
|
|
"scope": "scope",
|
|
"username": "username",
|
|
"user": "username",
|
|
# Boolean patterns
|
|
"dry_run": "boolean",
|
|
"draft": "boolean",
|
|
"prerelease": "boolean",
|
|
"push": "boolean",
|
|
"delete": "boolean",
|
|
"all_files": "boolean",
|
|
"force": "boolean",
|
|
"skip": "boolean",
|
|
"enabled": "boolean",
|
|
"disabled": "boolean",
|
|
"verbose": "boolean",
|
|
"debug": "boolean",
|
|
# Numeric patterns
|
|
"retries": "retries",
|
|
"retry": "retries",
|
|
"attempts": "retries",
|
|
"timeout": "timeout",
|
|
"timeout_ms": "timeout",
|
|
"timeout_seconds": "timeout",
|
|
"threads": "threads",
|
|
"workers": "threads",
|
|
"concurrency": "threads",
|
|
# Other patterns
|
|
"category": "category_format",
|
|
"cache": "package_manager_enum",
|
|
"package_manager": "package_manager_enum",
|
|
"format": "report_format",
|
|
"output_format": "report_format",
|
|
"report_format": "report_format",
|
|
}
|
|
return exact_matches.get(name_lower)
|
|
|
|
def _check_pattern_based_matches(self, name_lower: str) -> str | None: # noqa: PLR0912
|
|
"""Check for pattern-based matches."""
|
|
result = None
|
|
|
|
# Token patterns
|
|
if "token" in name_lower:
|
|
token_types = TOKEN_TYPES
|
|
for key, value in token_types.items():
|
|
if key in name_lower:
|
|
result = value
|
|
break
|
|
if result is None:
|
|
result = "github_token" # Default token type
|
|
|
|
# Docker patterns
|
|
elif name_lower.startswith("docker_"):
|
|
result = f"docker_{name_lower[7:]}"
|
|
|
|
# Version patterns
|
|
elif "version" in name_lower:
|
|
version_mappings = VERSION_MAPPINGS
|
|
for key, value in version_mappings.items():
|
|
if key in name_lower:
|
|
result = value
|
|
break
|
|
if result is None:
|
|
result = "flexible_version" # Default to flexible version
|
|
|
|
# File suffix patterns
|
|
elif name_lower.endswith("_file") and name_lower != "config_file":
|
|
file_types = FILE_TYPES
|
|
for key, value in file_types.items():
|
|
if key in name_lower:
|
|
result = value
|
|
break
|
|
if result is None:
|
|
result = "file_path"
|
|
|
|
# CodeQL patterns
|
|
elif name_lower.startswith("codeql_"):
|
|
result = name_lower
|
|
|
|
# Cache-related check (special case for returning None)
|
|
elif "cache" in name_lower and name_lower != "cache":
|
|
result = None # cache-related but not numeric
|
|
|
|
return result
|
|
|
|
def get_required_inputs(self) -> list[str]:
|
|
"""Get the list of required input names from rules.
|
|
|
|
Returns:
|
|
List of required input names
|
|
"""
|
|
return self._rules.get("required_inputs", [])
|
|
|
|
def get_validation_rules(self) -> dict[str, Any]:
|
|
"""Get the validation rules.
|
|
|
|
Returns:
|
|
Dictionary of validation rules
|
|
"""
|
|
return self._rules
|
|
|
|
def validate_inputs(self, inputs: dict[str, str]) -> bool:
|
|
"""Validate inputs based on conventions and rules.
|
|
|
|
Args:
|
|
inputs: Dictionary of input names to values
|
|
|
|
Returns:
|
|
True if all inputs are valid, False otherwise
|
|
"""
|
|
valid = True
|
|
|
|
# First validate required inputs
|
|
valid &= self.validate_required_inputs(inputs)
|
|
|
|
# Get conventions and overrides from rules
|
|
conventions = self._rules.get("conventions", {})
|
|
overrides = self._rules.get("overrides", {})
|
|
|
|
# Validate each input
|
|
for input_name, value in inputs.items():
|
|
# Skip if explicitly overridden to null
|
|
if input_name in overrides and overrides[input_name] is None:
|
|
continue
|
|
|
|
# Get validator type from overrides or conventions
|
|
validator_type = self._get_validator_type(input_name, conventions, overrides)
|
|
|
|
if validator_type:
|
|
# Check if this is a required input
|
|
is_required = input_name in self.get_required_inputs()
|
|
valid &= self._apply_validator(
|
|
input_name, value, validator_type, is_required=is_required
|
|
)
|
|
|
|
return valid
|
|
|
|
def _get_validator_type(
|
|
self,
|
|
input_name: str,
|
|
conventions: dict[str, str],
|
|
overrides: dict[str, str],
|
|
) -> str | None:
|
|
"""Determine the validator type for an input.
|
|
|
|
Args:
|
|
input_name: The name of the input
|
|
conventions: Convention mappings
|
|
overrides: Override mappings
|
|
|
|
Returns:
|
|
The validator type or None if no validator found
|
|
"""
|
|
# Check overrides first
|
|
if input_name in overrides:
|
|
return overrides[input_name]
|
|
|
|
# Check exact convention match
|
|
if input_name in conventions:
|
|
return conventions[input_name]
|
|
|
|
# Check with dash/underscore conversion
|
|
if "_" in input_name:
|
|
dash_version = input_name.replace("_", "-")
|
|
if dash_version in overrides:
|
|
return overrides[dash_version]
|
|
if dash_version in conventions:
|
|
return conventions[dash_version]
|
|
elif "-" in input_name:
|
|
underscore_version = input_name.replace("-", "_")
|
|
if underscore_version in overrides:
|
|
return overrides[underscore_version]
|
|
if underscore_version in conventions:
|
|
return conventions[underscore_version]
|
|
|
|
# Fall back to convention mapper for pattern-based detection
|
|
return self._convention_mapper.get_validator_type(input_name)
|
|
|
|
def _apply_validator(
|
|
self,
|
|
input_name: str,
|
|
value: str,
|
|
validator_type: str,
|
|
*,
|
|
is_required: bool,
|
|
) -> bool:
|
|
"""Apply the appropriate validator to an input value.
|
|
|
|
Args:
|
|
input_name: The name of the input
|
|
value: The value to validate
|
|
validator_type: The type of validator to apply
|
|
is_required: Whether the input is required
|
|
|
|
Returns:
|
|
True if valid, False otherwise
|
|
"""
|
|
# Get the validator module and method
|
|
validator_module, method_name = self._get_validator_method(validator_type)
|
|
|
|
if not validator_module:
|
|
# Unknown validator type, skip validation
|
|
return True
|
|
|
|
try:
|
|
# Call the validation method
|
|
if hasattr(validator_module, method_name):
|
|
method = getattr(validator_module, method_name)
|
|
|
|
# Some validators need additional parameters
|
|
if validator_type == "github_token" and method_name == "validate_github_token":
|
|
result = method(value, required=is_required)
|
|
elif "numeric_range" in validator_type:
|
|
# Parse range from validator type
|
|
min_val, max_val = self._parse_numeric_range(validator_type)
|
|
result = method(value, min_val, max_val, input_name)
|
|
else:
|
|
# Standard validation call
|
|
result = method(value, input_name)
|
|
|
|
# Copy errors from the validator module to this validator
|
|
# Skip if validator_module is self (for internal validators)
|
|
if validator_module is not self and hasattr(validator_module, "errors"):
|
|
for error in validator_module.errors:
|
|
if error not in self.errors:
|
|
self.add_error(error)
|
|
# Clear the module's errors after copying
|
|
validator_module.errors = []
|
|
|
|
return result
|
|
# Method not found, skip validation
|
|
return True
|
|
|
|
except Exception as e:
|
|
self.add_error(f"Validation error for {input_name}: {e}")
|
|
return False
|
|
|
|
def _get_validator_method(self, validator_type: str) -> tuple[Any, str]: # noqa: C901, PLR0912
|
|
"""Get the validator module and method name for a validator type.
|
|
|
|
Args:
|
|
validator_type: The validator type string
|
|
|
|
Returns:
|
|
Tuple of (validator_module, method_name)
|
|
"""
|
|
# Lazy import validators to avoid circular dependencies
|
|
|
|
# Token validators
|
|
if validator_type in [
|
|
"github_token",
|
|
"npm_token",
|
|
"docker_token",
|
|
"namespace_with_lookahead",
|
|
]:
|
|
if "token" not in self._validator_modules:
|
|
from . import token
|
|
|
|
self._validator_modules["token"] = token.TokenValidator()
|
|
return self._validator_modules["token"], f"validate_{validator_type}"
|
|
|
|
# Docker validators
|
|
if validator_type.startswith("docker_") or validator_type in [
|
|
"cache_mode",
|
|
"sbom_format",
|
|
"registry_enum",
|
|
]:
|
|
if "docker" not in self._validator_modules:
|
|
from . import docker
|
|
|
|
self._validator_modules["docker"] = docker.DockerValidator()
|
|
if validator_type.startswith("docker_"):
|
|
method = f"validate_{validator_type[7:]}" # Remove "docker_" prefix
|
|
elif validator_type == "registry_enum":
|
|
method = "validate_registry"
|
|
else:
|
|
method = f"validate_{validator_type}"
|
|
return self._validator_modules["docker"], method
|
|
|
|
# Version validators
|
|
if "version" in validator_type or validator_type in ["calver", "semantic", "flexible"]:
|
|
if "version" not in self._validator_modules:
|
|
from . import version
|
|
|
|
self._validator_modules["version"] = version.VersionValidator()
|
|
return self._validator_modules["version"], f"validate_{validator_type}"
|
|
|
|
# File validators
|
|
if validator_type in [
|
|
"file_path",
|
|
"branch_name",
|
|
"file_extensions",
|
|
"yaml_file",
|
|
"json_file",
|
|
"config_file",
|
|
]:
|
|
if "file" not in self._validator_modules:
|
|
from . import file
|
|
|
|
self._validator_modules["file"] = file.FileValidator()
|
|
return self._validator_modules["file"], f"validate_{validator_type}"
|
|
|
|
# Network validators
|
|
if validator_type in [
|
|
"email",
|
|
"url",
|
|
"scope",
|
|
"username",
|
|
"registry_url",
|
|
"repository_url",
|
|
]:
|
|
if "network" not in self._validator_modules:
|
|
from . import network
|
|
|
|
self._validator_modules["network"] = network.NetworkValidator()
|
|
return self._validator_modules["network"], f"validate_{validator_type}"
|
|
|
|
# Boolean validator
|
|
if validator_type == "boolean":
|
|
if "boolean" not in self._validator_modules:
|
|
from . import boolean
|
|
|
|
self._validator_modules["boolean"] = boolean.BooleanValidator()
|
|
return self._validator_modules["boolean"], "validate_boolean"
|
|
|
|
# Numeric validators
|
|
if validator_type.startswith("numeric_range") or validator_type in [
|
|
"retries",
|
|
"timeout",
|
|
"threads",
|
|
]:
|
|
if "numeric" not in self._validator_modules:
|
|
from . import numeric
|
|
|
|
self._validator_modules["numeric"] = numeric.NumericValidator()
|
|
if validator_type.startswith("numeric_range"):
|
|
return self._validator_modules["numeric"], "validate_range"
|
|
return self._validator_modules["numeric"], f"validate_{validator_type}"
|
|
|
|
# Security validators
|
|
if validator_type in ["security_patterns", "injection_patterns", "prefix", "regex_pattern"]:
|
|
if "security" not in self._validator_modules:
|
|
from . import security
|
|
|
|
self._validator_modules["security"] = security.SecurityValidator()
|
|
if validator_type == "prefix":
|
|
# Use no_injection for prefix - checks for injection patterns
|
|
# without character restrictions
|
|
return self._validator_modules["security"], "validate_no_injection"
|
|
return self._validator_modules["security"], f"validate_{validator_type}"
|
|
|
|
# CodeQL validators
|
|
if validator_type.startswith("codeql_") or validator_type in ["category_format"]:
|
|
if "codeql" not in self._validator_modules:
|
|
from . import codeql
|
|
|
|
self._validator_modules["codeql"] = codeql.CodeQLValidator()
|
|
return self._validator_modules["codeql"], f"validate_{validator_type}"
|
|
|
|
# PHP-specific validators
|
|
if validator_type in ["php_extensions", "coverage_driver"]:
|
|
# Return self for PHP-specific validation methods
|
|
return self, f"_validate_{validator_type}"
|
|
|
|
# Package manager and report format validators
|
|
if validator_type in ["package_manager_enum", "report_format"]:
|
|
# These could be in a separate module, but for now we'll put them in file validator
|
|
if "file" not in self._validator_modules:
|
|
from . import file
|
|
|
|
self._validator_modules["file"] = file.FileValidator()
|
|
# These methods need to be added to file validator or a new module
|
|
return None, ""
|
|
|
|
# Default: no validator
|
|
return None, ""
|
|
|
|
def _parse_numeric_range(self, validator_type: str) -> tuple[int, int]:
|
|
"""Parse min and max values from a numeric_range validator type.
|
|
|
|
Args:
|
|
validator_type: String like "numeric_range_1_100"
|
|
|
|
Returns:
|
|
Tuple of (min_value, max_value)
|
|
"""
|
|
parts = validator_type.split("_")
|
|
if len(parts) >= 4:
|
|
try:
|
|
return int(parts[2]), int(parts[3])
|
|
except ValueError:
|
|
pass
|
|
# Default range
|
|
return 0, 100
|
|
|
|
def _validate_php_extensions(self, value: str, input_name: str) -> bool:
|
|
"""Validate PHP extensions format.
|
|
|
|
Args:
|
|
value: The extensions value (comma-separated list)
|
|
input_name: The input name for error messages
|
|
|
|
Returns:
|
|
True if valid, False otherwise
|
|
"""
|
|
import re
|
|
|
|
if not value:
|
|
return True
|
|
|
|
# Check for injection patterns
|
|
if re.search(r"[;&|`$()@#]", value):
|
|
self.add_error(f"Potential injection detected in {input_name}: {value}")
|
|
return False
|
|
|
|
# Check format - should be alphanumeric, underscores, commas, spaces only
|
|
if not re.match(r"^[a-zA-Z0-9_,\s]+$", value):
|
|
self.add_error(f"Invalid format for {input_name}: {value}")
|
|
return False
|
|
|
|
return True
|
|
|
|
def _validate_coverage_driver(self, value: str, input_name: str) -> bool:
|
|
"""Validate coverage driver enum.
|
|
|
|
Args:
|
|
value: The coverage driver value
|
|
input_name: The input name for error messages
|
|
|
|
Returns:
|
|
True if valid, False otherwise
|
|
"""
|
|
valid_drivers = ["none", "xdebug", "pcov", "xdebug3"]
|
|
|
|
if value and value not in valid_drivers:
|
|
self.add_error(
|
|
f"Invalid {input_name}: {value}. Must be one of: {', '.join(valid_drivers)}"
|
|
)
|
|
return False
|
|
|
|
return True
|