fix: explode yaml anchors (#126)

* do not require code changes at several places
2026-03-20 11:56:47 +08:00 · 2025-09-13 15:46:46 +02:00
parent 0274911c8d
commit 79360e4ed1
4 changed files with 119 additions and 0 deletions
--- a/pkg/model/anchors.go
+++ b/pkg/model/anchors.go
@@ -0,0 +1,30 @@
+package model
+
+import (
+	"errors"
+
+	"gopkg.in/yaml.v3"
+)
+
+// Assumes there is no cycle ensured via test TestVerifyCycleIsInvalid
+func resolveAliases(node *yaml.Node) error {
+	switch node.Kind {
+	case yaml.AliasNode:
+		aliasTarget := node.Alias
+		if aliasTarget == nil {
+			return errors.New("unresolved alias node")
+		}
+		*node = *aliasTarget
+		if err := resolveAliases(node); err != nil {
+			return err
+		}
+
+	case yaml.DocumentNode, yaml.MappingNode, yaml.SequenceNode:
+		for _, child := range node.Content {
+			if err := resolveAliases(child); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
--- a/pkg/model/anchors_test.go
+++ b/pkg/model/anchors_test.go
@@ -0,0 +1,35 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"gopkg.in/yaml.v3"
+)
+
+func TestVerifyCycleIsInvalid(t *testing.T) {
+	var node yaml.Node
+	err := yaml.Unmarshal([]byte(`
+a: &a
+  ref: *b
+
+b: &b
+  ref: *a
+`), &node)
+	assert.Error(t, err)
+}
+
+func TestVerifyNilAliasError(t *testing.T) {
+	var node yaml.Node
+	err := yaml.Unmarshal([]byte(`
+test:
+- a
+- b
+- c`), &node)
+	*node.Content[0].Content[1].Content[1] = yaml.Node{
+		Kind: yaml.AliasNode,
+	}
+	assert.NoError(t, err)
+	err = resolveAliases(&node)
+	assert.Error(t, err)
+}
--- a/pkg/model/workflow.go
+++ b/pkg/model/workflow.go
@@ -76,6 +76,9 @@ func (w *Workflow) UnmarshalYAML(node *yaml.Node) error {
 	}).UnmarshalYAML(node); err != nil {
 		return errors.Join(err, fmt.Errorf("actions YAML Schema Validation Error detected:\nFor more information, see: https://actions-oss.github.io/act-docs/usage/schema.html"))
 	}
+	if err := resolveAliases(node); err != nil {
+		return err
+	}
 	type WorkflowDefault Workflow
 	return node.Decode((*WorkflowDefault)(w))
 }
@@ -90,6 +93,9 @@ func (w *WorkflowStrict) UnmarshalYAML(node *yaml.Node) error {
 	}).UnmarshalYAML(node); err != nil {
 		return errors.Join(err, fmt.Errorf("actions YAML Strict Schema Validation Error detected:\nFor more information, see: https://nektosact.com/usage/schema.html"))
 	}
+	if err := resolveAliases(node); err != nil {
+		return err
+	}
 	type WorkflowDefault Workflow
 	return node.Decode((*WorkflowDefault)(w))
 }
--- a/pkg/model/workflow_test.go
+++ b/pkg/model/workflow_test.go
@@ -560,3 +560,51 @@ jobs:
 	_, err := ReadWorkflow(strings.NewReader(yaml), true)
 	assert.Error(t, err, "read workflow should succeed")
 }
+
+func TestReadWorkflow_AnchorStrict(t *testing.T) {
+	yaml := `
+on: push
+
+jobs:
+  test:
+    runs-on: &runner ubuntu-latest
+    steps:
+    - uses: &checkout actions/checkout@v5
+  test2:
+    runs-on: *runner
+    steps:
+    - uses: *checkout
+`
+
+	w, err := ReadWorkflow(strings.NewReader(yaml), true)
+	assert.NoError(t, err, "read workflow should succeed")
+
+	for _, job := range w.Jobs {
+		assert.Equal(t, []string{"ubuntu-latest"}, job.RunsOn())
+		assert.Equal(t, "actions/checkout@v5", job.Steps[0].Uses)
+	}
+}
+
+func TestReadWorkflow_Anchor(t *testing.T) {
+	yaml := `
+on: push
+
+jobs:
+  test:
+    runs-on: &runner ubuntu-latest
+    steps:
+    - uses: &checkout actions/checkout@v5
+  test2:
+    runs-on: *runner
+    steps:
+    - uses: *checkout
+`
+
+	w, err := ReadWorkflow(strings.NewReader(yaml), false)
+	assert.NoError(t, err, "read workflow should succeed")
+
+	for _, job := range w.Jobs {
+		assert.Equal(t, []string{"ubuntu-latest"}, job.RunsOn())
+		assert.Equal(t, "actions/checkout@v5", job.Steps[0].Uses)
+	}
+}