@fproulx-boostsecurity fproulx-boostsecurity commented Oct 24, 2025

Overview

Add comprehensive test coverage to validate that poutine correctly parses GitHub Actions workflows using YAML 1.2 anchors, a feature announced by GitHub in September 2025.

Changes

Test Fixtures

Added three workflow files demonstrating common anchor usage patterns:

  • anchors_env.yml: Environment variable reuse across jobs
  • anchors_job.yml: Complete job configuration reuse
  • anchors_multiple.yml: Multiple anchor references in a single workflow

Unit Tests

  • TestGithubActionsWorkflowWithAnchors: 7 sub-tests validating anchor parsing in models layer
  • TestGithubWorkflowsWithAnchors: Integration test validating end-to-end workflow scanning
  • Updated TestGithubWorkflows and TestPurls to include new fixtures

Key Finding

Testing confirms that gopkg.in/yaml.v3 already supports YAML anchors without any code changes. All anchor patterns parse correctly and workflow analysis works as expected.

Future Consideration

While the current parser (gopkg.in/yaml.v3) works well, it is deprecated and no longer maintained. A future PR may consider migrating to github.com/goccy/go-yaml for:

  • Active maintenance and security updates
  • Better YAML 1.2 compliance (higher test suite coverage)
  • Improved error messages with source location context

However, this migration is not urgent since the current implementation already handles the anchor feature correctly.

Testing

make test   # All tests passing
make fmt    # Code formatted

Coverage maintained: models (82.1%), scanner (74.0%)

References

- Add comprehensive unit tests for YAML 1.2 anchors in GitHub Actions workflows
- Add test fixtures demonstrating anchor usage:
  - anchors_env.yml: environment variable reuse
  - anchors_job.yml: complete job configuration reuse
  - anchors_multiple.yml: multiple anchor references
- Update scanner tests to verify anchor workflows are parsed correctly
- Update inventory tests to include new dependencies from anchor fixtures

Tests confirm gopkg.in/yaml.v3 already supports YAML anchors. Next step: migrate to goccy/go-yaml for better YAML 1.2 compliance and active maintenance.
@fproulx-boostsecurity fproulx-boostsecurity changed the title from "Migrate YAML parser to goccy/go-yaml for YAML 1.2 anchor support" to "Add test coverage for GitHub Actions YAML 1.2 anchor support" Oct 24, 2025
@fproulx-boostsecurity fproulx-boostsecurity marked this pull request as ready for review October 24, 2025 16:15
@fproulx-boostsecurity fproulx-boostsecurity requested a review from a team as a code owner October 24, 2025 16:15
@Talgarr Talgarr left a comment

I would add a workflow to test-data with anchors as a sanity check that it doesn't break the detection rules.

…etection rules

- Fix unit tests to actually verify anchors are used and values are inherited
  - "simple anchor and alias" test now verifies both jobs parse correctly
  - "anchor for steps configuration" test now uses the anchor in second job
  - "anchor for env variables" test now verifies both jobs' env vars
  - "complex nested anchor" test now verifies permissions inheritance/override

- Add integration test to ensure detection rules work with YAML anchors
  - Created anchors_with_vulnerability.yml with intentional injection flaw
  - Verified rules detect vulnerabilities in both anchor definition and usage
  - Added expected findings to TestFindings for the new test fixture

All PR feedback from Talgarr has been addressed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
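An added example, not code from this PR or from poutine, of the two things the thread checks: that a YAML 1.2 anchor/alias workflow parses into a fully expanded tree (the PR's "Key Finding"), and that a detection rule run over that tree sees an injection sink in both the anchored job and the job that aliases it (the anchors_with_vulnerability.yml commit above). Ruby's standard-library Psych stands in for gopkg.in/yaml.v3; the workflow, job and step names are constructed.

```ruby
require "yaml"

# Constructed sample workflow (not one of the PR's fixtures): the anchored job `base`
# interpolates an event field into run:, and `triage` aliases the whole job body.
WORKFLOW_YAML = <<~YAML
  on: [issues]
  jobs:
    base: &base_job
      runs-on: ubuntu-latest
      permissions:
        contents: read
      steps:
        - name: Greet
          run: echo "Issue title is ${{ github.event.issue.title }}"
    triage:
      <<: *base_job
      permissions:
        issues: write
    safe:
      runs-on: ubuntu-latest
      steps:
        - name: Greet safely
          env:
            TITLE: ${{ github.event.issue.title }}
          run: echo "Issue title is $TITLE"
YAML

# An event field expanded inside a run: script is the injection sink.
UNTRUSTED_IN_RUN = /\$\{\{\s*github\.event\.[^}]*\}\}/

# Psych rejects aliases unless asked; with them enabled it resolves anchors, aliases
# and `<<` merge keys (shallowly: triage's permissions replace base's, not merge).
# Under YAML 1.1 rules the bare key `on` parses as boolean true; only `jobs` is read.
def parse_workflow(src)
  YAML.safe_load(src, aliases: true)
end

# Returns "job/step" for each step whose run: embeds an event field. Walking the
# resolved tree flags the anchor definition and every job that aliases it; the
# env-var form in `safe` is not flagged because the value reaches the shell as data.
def risky_run_steps(src)
  parse_workflow(src).fetch("jobs").flat_map do |job_name, job|
    Array(job["steps"]).filter_map do |step|
      run = step["run"]
      next unless run.is_a?(String) && run.match?(UNTRUSTED_IN_RUN)
      "#{job_name}/#{step.fetch("name", "unnamed")}"
    end
  end
end

puts risky_run_steps(WORKFLOW_YAML).inspect if $PROGRAM_NAME == __FILE__
```

A rule that matched on the raw text would report only the anchored job; scanning the resolved tree is what makes the aliased job show up as well.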
@SUSTAPLE117 SUSTAPLE117 merged commit 2ad992e into main Oct 27, 2025
11 checks passed
@SUSTAPLE117 SUSTAPLE117 deleted the feature/migrate-yaml-parser-goccy branch October 27, 2025 18:11