Support Parallel Workflow Steps + More Lenient Parsing#445
Draft
SUSTAPLE117 wants to merge 3 commits into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the GitHub Actions workflow/action parser (
models/github_actions.go) on two fronts, benchmarked against GitHub's officialworkflow-parser: it no longer drops whole files on locally-malformed YAML, and it now understands the newparallel:step blocks.1. Lenient, per-node parsing (no more silent file drops)
Problem:
ParseFromMemorydiscards an entire workflow wheneveryaml.Unmarshalreturns an error, and many customUnmarshalYAMLmethods returned an error on a single odd sub-node. So one malformed field (a permission typo, an empty cron, a wrong-shapedbranches, etc.) silently removed the whole workflow from the scan — a false-negative / scan-evasion risk. GitHub's own parser records errors but keeps a partial result.Fix: every error-returning branch in the custom unmarshalers now degrades gracefully — it skips the offending sub-tree (or that one job/step/event) and keeps parsing the rest, matching the pattern already used by
GithubActionsStrategy. Touched:Jobs,JobSecrets,StringList,Events(schedule/cron),Outputs,Inputs,Envs,Permissions(unknown scalar → empty),JobRunsOn,Container,Environment. Genuinely malformed YAML (e.g.[]], a lexer-level syntax error) still surfaces as an error.A new lenient
GithubActionsSteps.UnmarshalYAMLwas added so that a single malformed step drops only that step instead of failing its whole job.2. Support for
parallel:step blocksGitHub recently added parallel steps:
Previously a
parallel:item decoded into an empty husk step and every nestedrun/usessink vanished — invisible to all rego rules (injection, untrusted-checkout-exec, known-vuln, etc.).The parser now flattens parallel children inline into the steps list (recursively, so nested
parallelworks too). Because every rule and the inventory already iterate the flatjob.steps[_]/action.runs.steps[_], this needs zero rego changes and composite actions are covered for free. Per-step line numbers are preserved. Parallelism ordering/grouping is intentionally not modeled — no rule needs it.Tests
TestGithubActionsWorkflowJobs/TestGithubActionsWorkflowEventsto encode the new lenient contract (added aDroppedflag distinguishing "sub-tree skipped, no error" from genuine YAML syntax errors).TestGithubActionsWorkflowLenientResilience— a workflow combining a wrong-shapedbranches, an empty cron, an invalid permission scalar, a malformed step, and an undecodable job; asserts it still parses, stays valid, and retains all well-formed content.TestGithubWorkflowMalformedNotDropped(scanner) — provesParseFromMemoryretains a malformed-but-valid workflow.TestGithubActionsParallelStepsFlattened— the doc example flattens to 4 visible steps (+ nested-parallel case).Full suite green including snapshot regression tests;
make fmt/make lint-branchclean.