diff --git a/ast.go b/ast.go
index 8ac524810..8e9464268 100644
--- a/ast.go
+++ b/ast.go
@@ -233,9 +233,6 @@ type WorkflowCallEvent struct {
 // Secrets is a map from name of secret to secret configuration.
 // https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets
 Secrets map[*String]*WorkflowCallEventSecret
- // InheritSecrets is true when 'secrets: inherit' is specified. In this case, Secrets must be empty.
- // https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecretsinherit
- InheritSecrets bool
 // Outputs is a map from name of output to output configuration.
 // https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow
 Outputs map[*String]*WorkflowCallEventOutput
diff --git a/expr_sema.go b/expr_sema.go
index a796e9040..6a858f672 100644
--- a/expr_sema.go
+++ b/expr_sema.go
@@ -369,13 +369,6 @@ func (sema *ExprSemanticsChecker) UpdateNeeds(ty *ObjectType) {
 func (sema *ExprSemanticsChecker) UpdateSecrets(ty *ObjectType) {
 sema.ensureVarsCopied()
- // When the secrets object is loose, adding each properties is unnecessary. This happens when
- // `secrets: inherit` is specified in a callable workflow.
- if ty.IsLoose() {
- sema.vars["secrets"] = ty
- return
- }
- // Merges automatically supplied secrets with manually defined secrets.
 // ACTIONS_STEP_DEBUG and ACTIONS_RUNNER_DEBUG seem supplied from caller of the workflow (#130)
 copied := NewStrictObjectType(map[string]ExprType{
diff --git a/parse.go b/parse.go
index bbf3f58e6..b2c31591d 100644
--- a/parse.go
+++ b/parse.go
@@ -485,38 +485,28 @@ func (p *parser) parseWorkflowCallEvent(pos *Pos, n *yaml.Node) *WorkflowCallEve
 ret.Inputs[name] = input
 }
 case "secrets":
- if kv.val.Kind == yaml.ScalarNode {
- // `secrets: inherit` special case
- // https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecretsinherit
- if kv.val.Value == "inherit" {
- ret.InheritSecrets = true
- } else {
- p.errorf(kv.val, "expected mapping node for secrets or \"inherit\" string node but found %q node", kv.val.Value)
- }
- } else {
- secrets := p.parseSectionMapping("secrets", kv.val, true)
- ret.Secrets = make(map[*String]*WorkflowCallEventSecret, len(secrets))
- for _, kv := range secrets {
- name, spec := kv.key, kv.val
- secret := &WorkflowCallEventSecret{}
-
- for _, attr := range p.parseMapping("secret of workflow_call event", spec, true) {
- switch attr.key.Value {
- case "description":
- secret.Description = p.parseString(attr.val, true)
- case "required":
- secret.Required = p.parseBool(attr.val)
- default:
- p.unexpectedKey(attr.key, "secrets", []string{"description", "required"})
- }
- }
+ secrets := p.parseSectionMapping("secrets", kv.val, true)
+ ret.Secrets = make(map[*String]*WorkflowCallEventSecret, len(secrets))
+ for _, kv := range secrets {
+ name, spec := kv.key, kv.val
+ secret := &WorkflowCallEventSecret{}
- if secret.Description == nil {
- p.errorfAt(name.Pos, "\"description\" is missing at %q secret of workflow_call event", name.Value)
+ for _, attr := range p.parseMapping("secret of workflow_call event", spec, true) {
+ switch attr.key.Value {
+ case "description":
+ secret.Description = p.parseString(attr.val, true)
+ case "required":
+ secret.Required = p.parseBool(attr.val)
+ default:
+ p.unexpectedKey(attr.key, "secrets", []string{"description", "required"})
 }
+ }
- ret.Secrets[name] = secret
+ if secret.Description == nil {
+ p.errorfAt(name.Pos, "\"description\" is missing at %q secret of workflow_call event", name.Value)
 }
+
ret.Secrets[name] = secret
 }
 case "outputs":
 outputs := p.parseSectionMapping("outputs", kv.val, true)
diff --git a/rule_expression.go b/rule_expression.go
index fbc544bcc..cb18c8c82 100644
--- a/rule_expression.go
+++ b/rule_expression.go
@@ -105,16 +105,12 @@ func (rule *RuleExpression) VisitWorkflowPre(n *Workflow) error {
 }
 rule.inputsTy = ity
- if e.InheritSecrets {
- rule.secretsTy = NewEmptyObjectType()
- } else {
- sty := NewEmptyStrictObjectType()
- for n, s := range e.Secrets {
- sty.Props[n.Value] = StringType{}
- rule.checkString(s.Description)
- }
- rule.secretsTy = sty
+ sty := NewEmptyStrictObjectType()
+ for n, s := range e.Secrets {
+ sty.Props[n.Value] = StringType{}
+ rule.checkString(s.Description)
 }
+ rule.secretsTy = sty
 for _, o := range e.Outputs {
 rule.checkString(o.Description)
diff --git a/testdata/err/invalid_secrets_workflow_call.out b/testdata/err/invalid_secrets_workflow_call.out
deleted file mode 100644
index 0010187b7..000000000
--- a/testdata/err/invalid_secrets_workflow_call.out
+++ /dev/null
@@ -1 +0,0 @@
-test.yaml:3:14: expected mapping node for secrets or "inherit" string node but found "inuherit" node [syntax-check]
diff --git a/testdata/err/invalid_secrets_workflow_call.yaml b/testdata/err/invalid_secrets_workflow_call.yaml
deleted file mode 100644
index ab3be4873..000000000
--- a/testdata/err/invalid_secrets_workflow_call.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-on:
- workflow_call:
- secrets: inuherit
-
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - run: echo hello
diff --git a/testdata/ok/secrets_inherit.yaml b/testdata/ok/secrets_inherit.yaml
deleted file mode 100644
index 3fcdb530d..000000000
--- a/testdata/ok/secrets_inherit.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-on:
- workflow_call:
- secrets: inherit
-
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - run: echo '${{secrets.any_value}}${{secrets.can}}${{secrets.be}}${{secrets.used}}'
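Review bot: Nothing visible in this commit pins the diagnostic for a non-mapping `secrets:` value any more: in the `case "secrets":` arm a scalar such as `secrets: inherit` now goes straight to `p.parseSectionMapping("secrets", kv.val, true)`, while `testdata/err/invalid_secrets_workflow_call.*` is deleted rather than updated. I would keep that error fixture with its expected message regenerated, so a malformed secrets declaration cannot start parsing quietly as an empty map after a later refactor. A short comment above the call would also record the intent, e.g. `// A scalar such as "inherit" is not accepted here; parseSectionMapping is expected to report it.` The body of parseWorkflowCallEvent starts and ends outside this hunk and parseSectionMapping's handling of a scalar node is not shown, so the error path is inferred.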
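Review bot: The strict `sty` built in VisitWorkflowPre will report every `secrets.NAME` that is not declared under `on.workflow_call.secrets`, and the code does not say whether that is intended for workflows whose caller forwards secrets with `secrets: inherit` on the calling job. If that caller-side form makes undeclared names readable in the called workflow (an assumption about GitHub's behaviour, not shown in this diff), those reads would now be flagged as undefined properties. Requiring explicit declaration is a defensible least-privilege stance, but it should be stated next to the assignment, e.g. `// Secrets must be declared in on.workflow_call.secrets; names only reachable through a caller's 'secrets: inherit' are reported as undefined.` VisitWorkflowPre starts and ends outside the hunk.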