Relax container image schema and add custom validation

expressions/src/features.ts

@@ -28,6 +28,13 @@ export interface ExperimentalFeatures {
    * @default false
    */
   blockScalarChompingWarning?: boolean;
+
+  /**
+   * Enable improved container image validation that handles
+   * expressions gracefully and validates empty/docker:// images.
+   * @default false
+   */
+  containerImageValidation?: boolean;
 }
 
 /**
@@ -39,7 +46,11 @@ export type ExperimentalFeatureKey = Exclude<keyof ExperimentalFeatures, "all">;
  * All known experimental feature keys.
  * This list must be kept in sync with the ExperimentalFeatures interface.
  */
-const allFeatureKeys: ExperimentalFeatureKey[] = ["missingInputsQuickfix", "blockScalarChompingWarning"];
+const allFeatureKeys: ExperimentalFeatureKey[] = [
+  "missingInputsQuickfix",
+  "blockScalarChompingWarning",
+  "containerImageValidation"
+];
 
 export class FeatureFlags {
   private readonly features: ExperimentalFeatures;

workflow-parser/src/model/convert.ts

@@ -1,3 +1,4 @@
+import {FeatureFlags} from "@actions/expressions";
 import {TemplateContext} from "../templates/template-context.js";
 import {TemplateToken, TemplateTokenError} from "../templates/tokens/template-token.js";
 import {FileProvider} from "../workflows/file-provider.js";
@@ -37,9 +38,15 @@ export type WorkflowTemplateConverterOptions = {
    * By default, conversion will be skipped if there are errors in the {@link TemplateContext}.
    */
   errorPolicy?: ErrorPolicy;
+
+  /**
+   * Feature flags for experimental features.
+   * When not provided, all experimental features are disabled.
+   */
+  featureFlags?: FeatureFlags;
 };
 
-const defaultOptions: Required<WorkflowTemplateConverterOptions> = {
+const defaultOptions: Omit<Required<WorkflowTemplateConverterOptions>, "featureFlags"> = {
   maxReusableWorkflowDepth: 4,
   fetchReusableWorkflowDepth: 0,
   errorPolicy: ErrorPolicy.ReturnErrorsOnly
@@ -54,6 +61,11 @@ export async function convertWorkflowTemplate(
   const result = {} as WorkflowTemplate;
   const opts = getOptionsWithDefaults(options);
 
+  // Store feature flags in context for converter functions
+  if (options.featureFlags) {
+    context.state["featureFlags"] = options.featureFlags;
+  }
+
   if (context.errors.getErrors().length > 0 && opts.errorPolicy === ErrorPolicy.ReturnErrorsOnly) {
     result.errors = context.errors.getErrors().map(x => ({
       Message: x.message
@@ -132,7 +144,9 @@ export async function convertWorkflowTemplate(
   return result;
 }
 
-function getOptionsWithDefaults(options: WorkflowTemplateConverterOptions): Required<WorkflowTemplateConverterOptions> {
+function getOptionsWithDefaults(
+  options: WorkflowTemplateConverterOptions
+): Omit<Required<WorkflowTemplateConverterOptions>, "featureFlags"> {
   return {
     maxReusableWorkflowDepth:
       options.maxReusableWorkflowDepth !== undefined

workflow-parser/src/model/converter/container.test.ts

@@ -0,0 +1,318 @@
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+import {nullTrace} from "../../test-utils/null-trace.js";
+import {parseWorkflow} from "../../workflows/workflow-parser.js";
+import {convertWorkflowTemplate, ErrorPolicy} from "../convert.js";
+
+// Minimal FeatureFlags-compatible object for tests
+const featureFlags = {isEnabled: (f: string) => f === "containerImageValidation"};
+
+async function getErrors(content: string): Promise<string[]> {
+  const result = parseWorkflow({name: "wf.yaml", content}, nullTrace);
+  result.context.state["featureFlags"] = featureFlags;
+  const template = await convertWorkflowTemplate(result.context, result.value!, undefined, {
+    errorPolicy: ErrorPolicy.TryConversion
+  });
+  return (template.errors ?? []).map((e: {Message: string}) => e.Message);
+}
+
+function expectNoContainerErrors(errors: string[]): void {
+  const containerErrors = errors.filter(e => e.includes("Container image"));
+  expect(containerErrors).toHaveLength(0);
+}
+
+function expectContainerError(errors: string[], count = 1): void {
+  const containerErrors = errors.filter(e => e.includes("Container image cannot be empty"));
+  expect(containerErrors).toHaveLength(count);
+}
+
+describe("container image validation", () => {
+  describe("shorthand form", () => {
+    it("container: '' is silent for job container", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container: ''
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("container: docker:// errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container: docker://
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("container: valid-image passes", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container: ubuntu:16.04
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+  });
+
+  describe("mapping form", () => {
+    it("container image: '' errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      image: ''
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("container image: docker:// errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      image: docker://
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("container: {} (empty object, missing image) errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container: {}
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("container image: null errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      image:
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("empty image with expression in other field still errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      image: ''
+      options: \${{ matrix.opts }}
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+  });
+
+  describe("services shorthand", () => {
+    it("services svc: '' errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      svc: ''
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("services svc: docker:// errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      svc: docker://
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+  });
+
+  describe("services mapping", () => {
+    it("services svc image: '' errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      svc:
+        image: ''
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("services svc image: docker:// errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      svc:
+        image: docker://
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("services svc: {} (empty object) errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      svc: {}
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+
+    it("empty image with expression sibling service still errors", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      svc1:
+        image: ''
+      svc2: \${{ matrix.svc }}
+    steps:
+      - run: echo hi`);
+      expectContainerError(errors);
+    });
+  });
+
+  describe("expression safety", () => {
+    it("container: expression skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container: \${{ matrix.container }}
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("container image: expression skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      image: \${{ matrix.image }}
+      options: --privileged
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("container with expression key skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      \${{ vars.KEY }}: ubuntu
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("services: expression skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services: \${{ fromJSON(inputs.services) }}
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("services with expression alias key skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      \${{ matrix.alias }}: postgres
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("services container with expression key skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      db:
+        \${{ vars.KEY }}: postgres
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("container with all expression fields skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    container:
+      image: \${{ matrix.image }}
+      options: \${{ matrix.options }}
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("services svc: expression skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      db: \${{ matrix.db }}
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+
+    it("services image: expression skips validation", async () => {
+      const errors = await getErrors(`on: push
+jobs:
+  build:
+    runs-on: linux
+    services:
+      db:
+        image: \${{ matrix.db_image }}
+        options: --health-cmd pg_isready
+    steps:
+      - run: echo hi`);
+      expectNoContainerErrors(errors);
+    });
+  });
+});