Skip to content

fix(ci): tolerate services:/container: so real workflows trigger#382

Merged
zoetaka38 merged 1 commit into
mainfrom
fix/ci-parser-tolerate-services
Jul 7, 2026
Merged

fix(ci): tolerate services:/container: so real workflows trigger#382
zoetaka38 merged 1 commit into
mainfrom
fix/ci-parser-tolerate-services

Conversation

@zoetaka38

Copy link
Copy Markdown
Contributor

Found by pushing the real Corevice/open-git repo to a self-hosted instance: its ci.yml (and any workflow using services:) never triggered.

The parser declared Job.Services as map[string]string and Job.Container as string, but GitHub's services.<id> is always a mapping (image/env/ports/options) and container may be a mapping too. Decoding failed with cannot unmarshal !!map into string, so ParseWorkflow errored and the trigger silently skipped the whole workflow — it never ran.

These fields aren't executed by our simplified runner, so capture them as raw yaml.Node instead of rejecting them. All eight real open-git workflows now parse (previously ci.yml and any with services did not). Regression test added.

Found by pushing the real Corevice/open-git repo to a self-hosted instance:
its ci.yml (and any workflow using `services:`) never triggered. The workflow
parser declared `Job.Services` as map[string]string and `Job.Container` as
string, but GitHub's `services.<id>` is always a mapping (image/env/ports/
options) and `container` may be a mapping too. Decoding failed with
"cannot unmarshal !!map into string", so ParseWorkflow returned an error and
the trigger silently skipped the whole workflow.

These fields aren't executed by our simplified runner, so capture them as raw
yaml.Node instead of rejecting them. All eight real open-git workflows now
parse (previously ci.yml, and any with services, did not).

Regression test covers a workflow with a map-form container and a postgres
service parsing via both ParseWorkflow and ParseWorkflowFull.
@orange-codens

orange-codens Bot commented Jul 7, 2026

Copy link
Copy Markdown

🍊 Orange Codens レビュー

サービス/コンテナフィールドを yaml.Node に変更してパース失敗を解消する修正は、本件の根幹として適切。ただしテストが container: のマッピング形式のみをカバーしており、PR 本文が示すスカラー形式 (container: ubuntu:20.04) へのテストが不足しているのが主な指摘点。

🔒 セキュリティ: 本 PR はワークフローパーサーの堅牢性を改善する修正です。Container および Services フィールドの型を yaml.Node に変更している箇所は、該当フィールドが「実行されないため raw capture するだけ」と明示されており、攻撃 surface は増加しません。入力検証・暗号・認可・SSRF 等に起因する脆弱性は見当たりません。

🟡 medium: 1 / ⚪ info: 1

その他の指摘 (2 件)
  • 🟡 [medium] backend/internal/infrastructure/workflow/parser_test.go:53TestParseWorkflowWithServicesAndContainercontainer: のスカラー形式をテストしていない (confidence: 0.75, maintain.test_coverage.incomplete)
  • [info] backend/internal/infrastructure/workflow/parser.go:40Job.Container / Job.Services の型変更が他ファイルへの波及影響を diff だけでは検証不能 (confidence: 0.40, code.type_breaking_change.unverified_consumers)

head: 45d523c | 🍊 Reviewed by Orange Codens — AI code review & security audit

@zoetaka38
zoetaka38 merged commit 4d8a64d into main Jul 7, 2026
20 checks passed
@zoetaka38
zoetaka38 deleted the fix/ci-parser-tolerate-services branch July 7, 2026 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant