fix: explode yaml anchors (#5987)

* fix: explode yaml anchors

* do not require code changes at several places
* self referencing anchors cause error

* fix

Author: ChristopherHX

pkg/model/action.go

@@ -100,6 +100,11 @@ type Action struct {
 }
 
 func (a *Action) UnmarshalYAML(node *yaml.Node) error {
+	// TODO enable after verifying that this runner side feature has rolled out in actions/runner
+	// // Resolve yaml anchor aliases first
+	// if err := resolveAliases(node); err != nil {
+	// 	return err
+	// }
 	// Validate the schema before deserializing it into our model
 	if err := (&schema.Node{
 		Definition: "action-root",

pkg/model/anchors.go

@@ -0,0 +1,38 @@
+package model
+
+import (
+	"errors"
+
+	"gopkg.in/yaml.v3"
+)
+
+func resolveAliasesExt(node *yaml.Node, path map[*yaml.Node]bool, skipCheck bool) error {
+	if !skipCheck && path[node] {
+		return errors.New("circular alias")
+	}
+	switch node.Kind {
+	case yaml.AliasNode:
+		aliasTarget := node.Alias
+		if aliasTarget == nil {
+			return errors.New("unresolved alias node")
+		}
+		path[node] = true
+		*node = *aliasTarget
+		if err := resolveAliasesExt(node, path, true); err != nil {
+			return err
+		}
+		delete(path, node)
+
+	case yaml.DocumentNode, yaml.MappingNode, yaml.SequenceNode:
+		for _, child := range node.Content {
+			if err := resolveAliasesExt(child, path, false); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func resolveAliases(node *yaml.Node) error {
+	return resolveAliasesExt(node, map[*yaml.Node]bool{}, false)
+}

pkg/model/anchors_test.go

@@ -0,0 +1,114 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"gopkg.in/yaml.v3"
+)
+
+func TestVerifyNilAliasError(t *testing.T) {
+	var node yaml.Node
+	err := yaml.Unmarshal([]byte(`
+test:
+- a
+- b
+- c`), &node)
+	*node.Content[0].Content[1].Content[1] = yaml.Node{
+		Kind: yaml.AliasNode,
+	}
+	assert.NoError(t, err)
+	err = resolveAliases(&node)
+	assert.Error(t, err)
+}
+
+func TestVerifyNoRecursion(t *testing.T) {
+	table := []struct {
+		name      string
+		yaml      string
+		yamlErr   bool
+		anchorErr bool
+	}{
+		{
+			name: "no anchors",
+			yaml: `
+a: x
+b: y
+c: z
+`,
+			yamlErr:   false,
+			anchorErr: false,
+		},
+		{
+			name: "simple anchors",
+			yaml: `
+a: &a x
+b: &b y
+c: *a
+`,
+			yamlErr:   false,
+			anchorErr: false,
+		},
+		{
+			name: "nested anchors",
+			yaml: `
+a: &a
+  val: x
+b: &b
+  val: y
+c: *a
+`,
+			yamlErr:   false,
+			anchorErr: false,
+		},
+		{
+			name: "circular anchors",
+			yaml: `
+a: &b
+  ref: *c
+b: &c
+  ref: *b
+`,
+			yamlErr:   true,
+			anchorErr: false,
+		},
+		{
+			name: "self-referencing anchor",
+			yaml: `
+a: &a
+  ref: *a
+`,
+			yamlErr:   false,
+			anchorErr: true,
+		},
+		{
+			name: "reuse snippet with anchors",
+			yaml: `
+a: &b x
+b: &a
+   ref: *b
+c: *a
+`,
+			yamlErr:   false,
+			anchorErr: false,
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			var node yaml.Node
+			err := yaml.Unmarshal([]byte(tt.yaml), &node)
+			if tt.yamlErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			err = resolveAliases(&node)
+			if tt.anchorErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

pkg/model/workflow.go

@@ -69,6 +69,10 @@ func (w *Workflow) OnEvent(event string) interface{} {
 }
 
 func (w *Workflow) UnmarshalYAML(node *yaml.Node) error {
+	// Resolve yaml anchor aliases first
+	if err := resolveAliases(node); err != nil {
+		return err
+	}
 	// Validate the schema before deserializing it into our model
 	if err := (&schema.Node{
 		Definition: "workflow-root",
@@ -83,6 +87,10 @@ func (w *Workflow) UnmarshalYAML(node *yaml.Node) error {
 type WorkflowStrict Workflow
 
 func (w *WorkflowStrict) UnmarshalYAML(node *yaml.Node) error {
+	// Resolve yaml anchor aliases first
+	if err := resolveAliases(node); err != nil {
+		return err
+	}
 	// Validate the schema before deserializing it into our model
 	if err := (&schema.Node{
 		Definition: "workflow-root-strict",

pkg/model/workflow_test.go

@@ -560,3 +560,55 @@ jobs:
 	_, err := ReadWorkflow(strings.NewReader(yaml), true)
 	assert.Error(t, err, "read workflow should succeed")
 }
+
+func TestReadWorkflow_AnchorStrict(t *testing.T) {
+	yaml := `
+on: push
+
+jobs:
+  test:
+    runs-on: &runner ubuntu-latest
+    steps:
+    - uses: &checkout actions/checkout@v5
+  test2:
+    runs-on: *runner
+    steps:
+    - uses: *checkout
+`
+
+	w, err := ReadWorkflow(strings.NewReader(yaml), true)
+	assert.NoError(t, err, "read workflow should succeed")
+
+	for _, job := range w.Jobs {
+		assert.Equal(t, []string{"ubuntu-latest"}, job.RunsOn())
+		assert.Equal(t, "actions/checkout@v5", job.Steps[0].Uses)
+	}
+}
+
+func TestReadWorkflow_Anchor(t *testing.T) {
+	yaml := `
+
+jobs:
+  test:
+    runs-on: &runner ubuntu-latest
+    steps:
+    - uses: &checkout actions/checkout@v5
+  test2: &job
+    runs-on: *runner
+    steps:
+    - uses: *checkout
+    - run: echo $TRIGGER
+      env:
+        TRIGGER: &trigger push
+  test3: *job
+on: push #*trigger
+`
+
+	w, err := ReadWorkflow(strings.NewReader(yaml), false)
+	assert.NoError(t, err, "read workflow should succeed")
+
+	for _, job := range w.Jobs {
+		assert.Equal(t, []string{"ubuntu-latest"}, job.RunsOn())
+		assert.Equal(t, "actions/checkout@v5", job.Steps[0].Uses)
+	}
+}