Revert "support secrets: inherit in callable workflow (fix #138)"

This reverts commit 15cea15.
rhysd · May 14, 2022 · 13e5d00 · 13e5d00
1 parent 73b7bdb
commit 13e5d00
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 66 deletions.
diff --git a/ast.go b/ast.go
@@ -233,9 +233,6 @@ type WorkflowCallEvent struct {
 	// Secrets is a map from name of secret to secret configuration.
 	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets
 	Secrets map[*String]*WorkflowCallEventSecret
-	// InheritSecrets is true when 'secrets: inherit' is specified. In this case, Secrets must be empty.
-	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecretsinherit
-	InheritSecrets bool
 	// Outputs is a map from name of output to output configuration.
 	// https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow
 	Outputs map[*String]*WorkflowCallEventOutput

diff --git a/expr_sema.go b/expr_sema.go
@@ -369,13 +369,6 @@ func (sema *ExprSemanticsChecker) UpdateNeeds(ty *ObjectType) {
 func (sema *ExprSemanticsChecker) UpdateSecrets(ty *ObjectType) {
 	sema.ensureVarsCopied()
 
-	// When the secrets object is loose, adding each properties is unnecessary. This happens when
-	// `secrets: inherit` is specified in a callable workflow.
-	if ty.IsLoose() {
-		sema.vars["secrets"] = ty
-		return
-	}
-
 	// Merges automatically supplied secrets with manually defined secrets.
 	// ACTIONS_STEP_DEBUG and ACTIONS_RUNNER_DEBUG seem supplied from caller of the workflow (#130)
 	copied := NewStrictObjectType(map[string]ExprType{

diff --git a/parse.go b/parse.go
@@ -485,38 +485,28 @@ func (p *parser) parseWorkflowCallEvent(pos *Pos, n *yaml.Node) *WorkflowCallEve
 				ret.Inputs[name] = input
 			}
 		case "secrets":
-			if kv.val.Kind == yaml.ScalarNode {
-				// `secrets: inherit` special case
-				// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecretsinherit
-				if kv.val.Value == "inherit" {
-					ret.InheritSecrets = true
-				} else {
-					p.errorf(kv.val, "expected mapping node for secrets or \"inherit\" string node but found %q node", kv.val.Value)
-				}
-			} else {
-				secrets := p.parseSectionMapping("secrets", kv.val, true)
-				ret.Secrets = make(map[*String]*WorkflowCallEventSecret, len(secrets))
-				for _, kv := range secrets {
-					name, spec := kv.key, kv.val
-					secret := &WorkflowCallEventSecret{}
-
-					for _, attr := range p.parseMapping("secret of workflow_call event", spec, true) {
-						switch attr.key.Value {
-						case "description":
-							secret.Description = p.parseString(attr.val, true)
-						case "required":
-							secret.Required = p.parseBool(attr.val)
-						default:
-							p.unexpectedKey(attr.key, "secrets", []string{"description", "required"})
-						}
-					}
+			secrets := p.parseSectionMapping("secrets", kv.val, true)
+			ret.Secrets = make(map[*String]*WorkflowCallEventSecret, len(secrets))
+			for _, kv := range secrets {
+				name, spec := kv.key, kv.val
+				secret := &WorkflowCallEventSecret{}
 
-					if secret.Description == nil {
-						p.errorfAt(name.Pos, "\"description\" is missing at %q secret of workflow_call event", name.Value)
+				for _, attr := range p.parseMapping("secret of workflow_call event", spec, true) {
+					switch attr.key.Value {
+					case "description":
+						secret.Description = p.parseString(attr.val, true)
+					case "required":
+						secret.Required = p.parseBool(attr.val)
+					default:
+						p.unexpectedKey(attr.key, "secrets", []string{"description", "required"})
 					}
+				}
 
-					ret.Secrets[name] = secret
+				if secret.Description == nil {
+					p.errorfAt(name.Pos, "\"description\" is missing at %q secret of workflow_call event", name.Value)
 				}
+
+				ret.Secrets[name] = secret
 			}
 		case "outputs":
 			outputs := p.parseSectionMapping("outputs", kv.val, true)

diff --git a/rule_expression.go b/rule_expression.go
@@ -105,16 +105,12 @@ func (rule *RuleExpression) VisitWorkflowPre(n *Workflow) error {
 			}
 			rule.inputsTy = ity
 
-			if e.InheritSecrets {
-				rule.secretsTy = NewEmptyObjectType()
-			} else {
-				sty := NewEmptyStrictObjectType()
-				for n, s := range e.Secrets {
-					sty.Props[n.Value] = StringType{}
-					rule.checkString(s.Description)
-				}
-				rule.secretsTy = sty
+			sty := NewEmptyStrictObjectType()
+			for n, s := range e.Secrets {
+				sty.Props[n.Value] = StringType{}
+				rule.checkString(s.Description)
 			}
+			rule.secretsTy = sty
 
 			for _, o := range e.Outputs {
 				rule.checkString(o.Description)

diff --git a/testdata/err/invalid_secrets_workflow_call.out b/testdata/err/invalid_secrets_workflow_call.out
diff --git a/testdata/err/invalid_secrets_workflow_call.yaml b/testdata/err/invalid_secrets_workflow_call.yaml
diff --git a/testdata/ok/secrets_inherit.yaml b/testdata/ok/secrets_inherit.yaml