Skip to content

verify-action-build: unified walker over composite action graph (closes #744)#750

Open
potiuk wants to merge 1 commit intomainfrom
verify-action-build-consolidate-recursion
Open

verify-action-build: unified walker over composite action graph (closes #744)#750
potiuk wants to merge 1 commit intomainfrom
verify-action-build-consolidate-recursion

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented Apr 19, 2026
edited
Loading

Closes #744.

Summary

Replace the per-check recursions in utils/verify_action_build/security.py with a single depth-first pre-order walker — walk_actions — that yields one VisitedAction per unique org/repo/sub_path@commit. Each security check becomes a pure function over visits:

for visited in walk_actions(root_org, root_repo, root_commit, root_sub_path):
    do_check(visited)

Motivation (from #744)

it looks like each check does its own recursion to perform tests on the same objects … N checks × M nested actions = N × M redundant fetches.

analyze_nested_actions and analyze_binary_downloads_recursive each re-fetched action.yml files and re-parsed the same uses: refs, with private _depth / _visited bookkeeping. As more checks land (e.g. the compatible-licensing check from #686), that cost compounds.

Changes

  • walk_actions (new, security.py) — DFS pre-order generator that yields VisitedAction dataclasses (org, repo, commit_hash, sub_path, depth, action_yml, action_type, incoming_ref, parent_yml, approved, trusted). Enforces the shared descent rules in one place:
    • local (./…) and docker (docker://…) refs are terminal stubs
    • non-hash-pinned refs are yielded but not descended
    • trusted orgs (actions, github) at depth > 0 are yielded as stubs without fetching their action.yml
    • depth cap of 3
  • analyze_binary_downloads_recursive — rewritten as a pure consumer of the walker; no recursion, no _depth / _visited kwargs.
  • analyze_nested_actions — same treatment. Preserves existing display ordering (pre-order matches the old nested printout) and the checked_actions list returned to the summary table.
  • fetch_action_yml is @lru_cache-wrapped — any remaining same-commit fetch inside a check (e.g. the lazy type lookup for a trusted-org ref in the nested-action display) reuses the walker's earlier hit.

Test plan

  • All 135 existing tests pass: uv run --with pytest python -m pytest tests/ -q
  • End-to-end: uv run utils/verify-action-build.py --from-pr 724 --ci still reports src/download/download-version.ts line 39 as an unverified tc.downloadTool call and exits 1
  • CI green on this branch

Future follow-up

With the walker in place, the compatible-licensing check from #686 can be added as another pure function over visits instead of building a third recursive walk.

@potiuk
verify-action-build: unified walker over the composite action graph
5c54054 
Closes #744.

Each security check previously did its own recursion over the nested
action graph: `analyze_nested_actions` and
`analyze_binary_downloads_recursive` each re-fetched the same
`action.yml` files, re-parsed the same `uses:` refs, and carried their
own `_depth` / `_visited` bookkeeping. As more checks are added (e.g.
the compatible-licensing check from #686), that cost compounds:
N checks × M nested actions = N × M redundant fetches.

This commit introduces a single depth-first pre-order walker,
`walk_actions`, that yields one `VisitedAction` per unique
`org/repo/sub_path@commit` reached from the root. Each check is now a
pure function that consumes the iterator:

    for visited in walk_actions(root_org, root_repo, root_commit, root_sub_path):
        do_check(visited)

The walker enforces the shared descent rules in one place: local and
docker refs are terminal stubs, non-hash-pinned refs are yielded but
not descended, trusted orgs (`actions`, `github`) at depth > 0 are
yielded as stubs without fetching their `action.yml`, and depth is
capped at 3.

`analyze_nested_actions` and `analyze_binary_downloads_recursive` are
rewritten as pure consumers of the walker — no recursion, no private
`_depth` / `_visited` / `_checked` kwargs. They can be called by a
caller that enumerates visits once and dispatches to multiple checks.

`fetch_action_yml` is also `@lru_cache`-wrapped so any remaining
same-commit fetch inside a check (e.g. the nested-action display
check's lazy type lookup for a trusted-org ref) reuses the walker's
earlier hit.

All 135 existing tests pass unchanged, and end-to-end verification
still flags the unverified `tc.downloadTool` call in
`posit-dev/setup-air` as before.

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@potiuk
Copy link
Copy Markdown
Member Author

potiuk commented Apr 19, 2026

cc: @dave2wave

@potiuk potiuk mentioned this pull request Apr 19, 2026
Open
@potiuk potiuk requested review from dave2wave and raboof April 19, 2026 21:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dave2wave dave2wave Awaiting requested review from dave2wave

@raboof raboof Awaiting requested review from raboof

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

verify-action-build: consolidate per-check recursion over nested actions

1 participant

@potiuk