38 validate action version exists #39
Conversation
There was a problem hiding this comment.
This looks great :) I think moving the snapshot test suite to Rust makes a lot of sense since it will be easier to maintain and makes it easier to test @action-validator/cli with the same runner. If @mpalmer approves, once this is merged I plan to integrate the tests from tests/run.mjs.
In addition to the comments I left, I have the following questions:
- Is
tests/runnow redundant? - If so, can we remove it and update
.github/workflows/qa.ymlto runcargo testinstead - I think some minor updates are needed to
tests/run.mjs(updatingtesttotests) and also thevalidation_state.snap.jsonfiles need to be added for the new test cases.
Regarding point number 3, I am happy to do that myself or to give further instruction on what needs to change.
@mpalmer what do you think? Would be great to get your input on this PR when you have time since I think it probably needs to go in ahead of further Node API related re-factoring & re-factoring of the test suite.
| #[case("001_basic_workflow")] | ||
| #[case("002_basic_action")] | ||
| #[case("003_successful_globs")] | ||
| #[case("004_failing_globs")] | ||
| #[case("005_conditional_step_in_action")] | ||
| #[case("006_workflow_dispatch_inputs_options")] | ||
| #[case("007_funky_syntax")] | ||
| #[case("008_job_dependencies")] | ||
| #[case("009_multi_file")] | ||
| #[cfg(not(feature = "remote-checks"))] |
There was a problem hiding this comment.
Shouldn't these tests run regardless of whether the remote-checks feature is enabled? (it would be nice for cargo test to run all tests by default)
| #[case("001_basic_workflow")] | |
| #[case("002_basic_action")] | |
| #[case("003_successful_globs")] | |
| #[case("004_failing_globs")] | |
| #[case("005_conditional_step_in_action")] | |
| #[case("006_workflow_dispatch_inputs_options")] | |
| #[case("007_funky_syntax")] | |
| #[case("008_job_dependencies")] | |
| #[case("009_multi_file")] | |
| #[cfg(not(feature = "remote-checks"))] | |
| #[case("001_basic_workflow")] | |
| #[case("002_basic_action")] | |
| #[case("003_successful_globs")] | |
| #[case("004_failing_globs")] | |
| #[case("005_conditional_step_in_action")] | |
| #[case("006_workflow_dispatch_inputs_options")] | |
| #[case("007_funky_syntax")] | |
| #[case("008_job_dependencies")] | |
| #[case("009_multi_file")] |
There was a problem hiding this comment.
I like this as it is, because I don't like it when a test suite makes any more assumptions about the local environment than it absolutely needs to (and "I have a real, working, fully-open Internet connection" is still, in some cases, an incorrect assumption). I sometimes do dev without a working Internet connection, and a test suite that starts barfing red in all directions gives me the absolute pip.
In any event, I never trust developers (including myself!) to run all the tests before pushing (one cannot mandate that a pre-commit hook is in place in a remote repo, after all), so the most important thing is to make sure that CI is comprehensive -- which means, in this case, running the tests with remote-checks enabled.
It would be a nice "quality of life" thing if the test suite could print something at the end of a cargo test run saying "some tests weren't run because the remote-checks feature wasn't enabled", to give people a hint that re-running with extra features would be a good idea, but a lack of it wouldn't be a blocker for merge for me.
There was a problem hiding this comment.
@mpalmer when you put it like that I completely agree :D
There was a problem hiding this comment.
I see @mpalmer's point, however I made this decision for a different reason :) Interestingly, enabling remote-checks and running those first 9 tests resulted in different output for those tests! Hence why they were disabled for remote checks. We could alter those tests so they are idempotent to the issues they're testing, but I wanted to reduce the changes as much as I could.
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkouts@v2 |
There was a problem hiding this comment.
This is a nitpick but it would maybe be clearer to rename this to something obviously wrong like actions/does-not-exist@v2. I had to re-read this a few times because I didn't spot the trailing "s" (possibly this is only an issue for me because I'm dyslexic!).
| // In this case, pull access requires authorization. There are simple cases that | ||
| // only require the bearer token retrieval followed by manifest access, but there | ||
| // are also others that require user credentials. For now, we should assume that | ||
| // the tag tag is valid. We could perform authentication, but that would requrie | ||
| // user creds and adds a whole lot of scope to this feature. | ||
| return Ok(()); |
There was a problem hiding this comment.
Currently, we are logging a warning to the console in the NPM version when we skip validating a glob. This was a bit of a hack since I didn't anticipate any other use cases for warnings. However, I'm wondering if it would make sense to add record warnings in the validation state, e.g.
#[derive(Serialize, Debug)]
pub struct ValidationState {
// --snip--
pub warnings: Vec<ValidationWarning>,
}Then we could record and report a warning in this case.
Alternatively, we could also report this as an error but add a severity to errors e.g.
pub enum ErrorSeverity {
Error,
Warning,
}I guess if we went with the latter approach it would make more sense to rename errors to diagnostics but probably best to avoid breaking API changes.
What do you think?
There was a problem hiding this comment.
I'm OK with breaking API changes when we're early in the lifecycle, and I don't have strong opinions on either of these approaches, but it does seem like a good idea to be recording problems for later consumption, rather than logging anything immediately.
| return Err(ValidationError::Unknown { | ||
| code: "docker_action_not_found".into(), | ||
| detail: Some(format!("Could not find the docker action: {}", self.uses)), | ||
| path: self.origin.to_owned(), | ||
| title: "Docker Action Not Found".into(), | ||
| }); |
There was a problem hiding this comment.
I think it would be good to add a new variant to the ValidationError enum for missign actions. Maybe something like ValidationError::UnresolvedAction.
| Err(ValidationError::InvalidGlob { | ||
| code: "invalid_uses".into(), | ||
| detail: Some(format!("The `uses` {uses} is invalid.")), | ||
| path: self.origin.to_owned(), | ||
| title: "Invalid Uses".into(), | ||
| }) |
There was a problem hiding this comment.
Maybe we could use ValidationError::UnresolvedAction as suggested above, or if this is worth covering with it's own error code then perhaps something like ValidationError::InvalidActionFormat.
There was a problem hiding this comment.
I like having very granular error codes, so I'm in team "InvalidActionFormat".
|
Sorry, @award28, I missed that you'd marked this ready for review. I'm in agreement with most of @bcheidemann's comments (I'll respond to those on which I've got a differing opinion shortly). If you're up for it, I'd really appreciate it if you could pull out the dev instruction improvments and test suite run changes into their own PRs, because (a) I'd like to get those in ASAP, and (b) I find it quite difficult to wrap my head around reviewing changes with multiple different purposes (I get some sort of mental whiplash flicking back and forth). |
|
@mpalmer no worries, been very busy with work recently. This feedback sounds good, I'm happy to split this apart into two different PRs! |
@bcheidemann This all sounds good to me! I didn't remove the shell script for the run since I wasn't sure if we would want to go with this approach but I'm good to remove it based on @mpalmer's feedback. |
|
@award28 let me know if there's any way I can help with this :) I have some time off work this week so would be happy to help any way I can |
Co-authored-by: Ben Heidemann <56122437+bcheidemann@users.noreply.github.com>
|
@bcheidemann thanks for the hand, Ben! I've definitely been distracted with other stuff and haven't had the time to address this feedback. I'm going to work on extracting the testing changes/contributing.md into their own PR tonight. Once that's done, it'd be great to get some feedback on that. |
|
Once #48 is merged, I'll rebase this branch against |
TODO
README.mdto include a section on theremote-checksfeature flag.Background
This PR resolves #38, adding a feature flag to enable remote checks. When the flag is enabled,
action-validatorperforms remote checks to validate that a provided action exists, as well as the specified commit/tag/version. There are a few other additions as well, covered in the release notes.Uses Validation
Non-Remote
usesValidationThe
usesvalidation from the schema store does not perform any validation on the value which is provided. However, this value can't be anystring; it must be one of a few values.There are a few variations for each, but the core difference is that a valid
usesis either a GitHub Action, a Docker image, or a path to an action. We can perform non-remote checks for each of these by making sure they match the expected uses type. Further, for a path value, we can validate that the path exists.remote-checksFeatureThe real benefit of this PR is the
remote-checksfeature flag. With this enabled, the user is givingaction-validatorpermission to perform validation that can only be confirmed through network calls. For theusesstatement, we perform http requests to verify a given action exists or a docker image exists. There are some limitations to this, listed below.Current Limitations
Future Improvements
withattributes on uses statementsOther Changes
Documentation
CONTRIBUTING.mdfile with sections covering environment setup, running the validator locally during development, and writing tests.Testing
testtotestsso rust can find it automatically.tests/runshell script in thetests/snapshot_tests.rsto take advantage of rusts testing capabilitiessave-snapshotsfeature flag to easily update outdated snapshots