feat: more informative error message#662
feat: more informative error message#662reandreev wants to merge 11 commits intozizmorcore:mainfrom reandreev:main
Conversation
|
Hi @reandreev, thanks for looking into this! I'll do a full review in the coming days.
Yep, this is semi-unintentional behavior -- see zizmorcore/github-actions-models#33 for some context 🙂
Yes, let's do this! IMO a network request in an error path like this isn't ideal; it'd be a lot faster and more reliable to bake the schema into the binary (and I agree that it won't change frequently). |
There was a problem hiding this comment.
No need to do it with this PR, but a thought: we'll probably want some kind of scheduled workflow that checks periodically for updates to this file.
(That concerns the CI though, so I'll do that in a followup.)
| pub(crate) fn validate_action(contents: String) -> Error { | ||
| match serde_yaml::from_str(&contents) { | ||
| Ok(workflow) => match ACTION_VALIDATOR.apply(&workflow).basic() { | ||
| Valid(_) => anyhow!("valid action but failed unmarshaling"), |
There was a problem hiding this comment.
Not really sure how to handle this case since in theory this should be unreachable (?), maybe you have some suggestion on what to do or what error message to print out here?
There was a problem hiding this comment.
unreachable makes sense to me here 🙂
| Valid(_) => anyhow!("valid action but failed unmarshaling"), | |
| Valid(_) => unreachable!("valid action but invalid YAML"), |
There was a problem hiding this comment.
This has the side effect of making this a panic, however, so the tests below should probably become integration snapshots instead -- see https://woodruffw.github.io/zizmor/development/#writing-snapshot-tests and https://github.com/woodruffw/zizmor/blob/ee6f160a304b96fbde2b6fe346e71218c1f07bf0/tests/integration/e2e.rs#L184-L195 for some docs/examples 🙂
There was a problem hiding this comment.
I think maybe the tests can remain as unit tests by attempting to capture the panic instead, what do you think? For example:
https://github.com/woodruffw/zizmor/blob/f642eaf19a95534c42bf68169156eaf995a19261/src/utils.rs#L387-L389
Either way I did have to update a snapshot there so thanks for reminding me 🙂
Also, regarding your suggestion "valid action but invalid YAML", this unreachable snippet is only reached when there is a discrepancy between the schema validation and the unmarshaling logic (which in theory shouldn't happen), I'm not sure if the YAML is guaranteed to be invalid in those cases? 🤔
There was a problem hiding this comment.
Also, regarding your suggestion "valid action but invalid YAML", this unreachable snippet is only reached when there is a discrepancy between the schema validation and the unmarshaling logic (which in theory shouldn't happen), I'm not sure if the YAML is guaranteed to be invalid in those cases? 🤔
Oh yeah, I see what you mean (and I misunderstood the context for this error) -- yeah, this should probably instead indicate to the user that the bug is on zizmor's modeling side, rather than an invalid workflow/action definition per the schema. Sorry for the confusion!
(This also undoes the need for the panic handling, so sorry for the wild goose chase there.)
|
Thanks @reandreev! I went ahead and landed this with #719, and credited you in the release notes. |
2 participants
Addresses #646
This PR adds a workflow validation step after a failed unmarshaling attempt in order to find what the concrete issues with the workflows are. Running zizmor on the following workflow:
will produce the following output:
An interesting thing I've noticed is that running zizmor on the following workflow:
will succeed. Even though it has that additional
boomproperty at the top level, zizmor still managed to unmarshal all of the expected properties correctly since those were properly defined and simply ignored the invalid one. Not sure if this is an expected behavior, but thought I'd mention it.Regarding the validator instantiation, another approach would be to keep the GitHub Workflow schema as a dependency of the tool and instead do something like:
Considering how seldom the schema itself gets updated that could also be an approach to consider. Pros: the tool would be more self-contained, cons: the tool would need to be recompiled each time the schema gets updated.
Some other things to consider: