Support shorthand forms for getRemoteConfig#3973
Conversation
mbg
force-pushed
the
mbg/repo-props/config-file-shorthands
branch
from
a2218f1 to
12821cf
Compare
There was a problem hiding this comment.
Warning
- Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.
Pull request overview
This PR extends remote configuration file support by enhancing getRemoteConfig to accept shorthand remote addresses (optional owner, path, and ref with sensible defaults), and refactors environment access to be more testable via an Env wrapper.
Changes:
- Added
parseRemoteFileAddress(and tests) to parse shorthand remote config references with defaults for owner/path/ref. - Moved
getRemoteConfigintosrc/config/file.tsand updated callers to use the new parsing logic. - Introduced
ActionsEnvVarsand anEnvabstraction to reduce raw string usage and improve testability.
Show a summary per file
| File | Description |
|---|---|
| src/util.ts | Adds Env accessor helpers and refactors env var getters. |
| src/testing-utils.ts | Adds getTestEnv() and tightens typing for default Actions env vars. |
| src/environment.ts | Introduces Env interface abstraction for environment access. |
| src/config/remote-file.ts | New parser for shorthand remote config references and defaults. |
| src/config/remote-file.test.ts | Unit tests for remote file address parsing and defaults. |
| src/config/file.ts | Adds getRemoteConfig() using parsed remote address components. |
| src/config-utils.ts | Switches to the new getRemoteConfig() implementation. |
| src/config-utils.test.ts | Removes a test that no longer matches the supported shorthand syntax. |
| src/api-client.ts | Replaces raw env var names with ActionsEnvVars. |
| src/actions-util.ts | Adds ActionsEnvVars enum and updates env var usages. |
| lib/entry-points.js | Changed but excluded from review (generated/contents unavailable). |
Copilot's findings
Files excluded by content exclusion policy (1)
- lib/entry-points.js
- Files reviewed: 10/11 changed files
- Comments generated: 6
mario-campos
left a comment
mario-campos
left a comment
There was a problem hiding this comment.
Looks solid! I left a few comments, but minor stuff.
| ref: DEFAULT_CONFIG_FILE_REF, | ||
| } satisfies RemoteFileAddress); | ||
|
|
||
| t.deepEqual(parseRemoteFileAddress(env, "owner/repo/path@"), { |
There was a problem hiding this comment.
I think this should be invalid, for the same reason that /repo@ref is invalid.
Edit: Also, I just noticed the expected format below does not seem to indicate that this should be a correct format:
Expected format [<owner>/]<repository>[/<file-path>][@<ref>]
There was a problem hiding this comment.
I have no strong feelings on this, but agree that we should be consistent. I can change this to also be invalid.
github-actions
Bot
added
size/XL
| t.throws(() => parseRemoteFileAddress(env, ":path"), { | ||
| instanceOf: ConfigurationError, | ||
| }); | ||
| t.throws(() => parseRemoteFileAddress(env, "@ref"), { | ||
| instanceOf: ConfigurationError, | ||
| }); | ||
| t.throws(() => parseRemoteFileAddress(env, "@ref:path"), { | ||
| instanceOf: ConfigurationError, | ||
| }); |
There was a problem hiding this comment.
Aren't all components optional? If so, then this should be a valid, supported format.
There was a problem hiding this comment.
All components except the repo are optional. These tests are a combination of "no repo" and the sort of thing you previously complained about in #3973 (comment)
| // Ensure that the path is a relative path. | ||
| if (path?.startsWith("/")) { | ||
| throw new ConfigurationError( | ||
| `The path component of '${configFile}' cannot be an absolute path.`, | ||
| ); | ||
| } |
There was a problem hiding this comment.
If you don't mind losing the clear error message, this could be implemented in the regular-expression pattern with a negative lookahead: (:(?!/)(?<path>.+))
There was a problem hiding this comment.
Personally, I don't like using regular expressions to perform complex parsing tasks. This approach is more readable/maintainable. I'd consider adding the regular error message on to this one if you think that's beneficial, but I am not sure it's necessary since the regex already matched (meaning the overall format was correct) and this error is more specific than the overall format.
There was a problem hiding this comment.
That's fair. It's not always the best trade-off.
| import { FeatureEnablement } from "./feature-flags"; | ||
| import { Logger } from "./logging"; | ||
|
|
||
| export interface ActionState { |
There was a problem hiding this comment.
A JSDoc explaining the purpose of ActionState would be helpful here.
There was a problem hiding this comment.
Done in the commit I pushed just after you posted your review, I think.
| { input: "owner/repo @ref:path", expected }, | ||
| { input: "owner/repo@ ref:path", expected }, | ||
| { input: "owner/repo@ref :path", expected }, | ||
| { input: "owner/repo@ref: path", expected }, |
There was a problem hiding this comment.
Whitespace is significant in a file path. How do you know that path is a typo, and that the user—for whatever reason—didn't actually intend path?
But, taking a step back, I don't think we should necessarily support (or expect) whitespace in the address. I think it's perfectly acceptable to treat a typo/mistake as an error, if it is, in fact, a mistake. That would allow us to treat owner , repo, ref literally and simplify the logic a bit.
There was a problem hiding this comment.
Whitespace is significant in a file path.
The path is used in getRemoteConfig as argument to the path parameter for the rest.repos.getContent call. I am not sure that leading or trailing whitespace would be meaningful there, or how happy git/GitHub is with repos containing whitespace at the start / end of file paths. If that is supported, then it would of course make sense to keep it.
There was a problem hiding this comment.
I am not sure that leading or trailing whitespace would be meaningful there, or how happy git/GitHub is with repos containing whitespace at the start / end of file paths.
I would expect git/GitHub to do its own input validation. And error appropriately if whitespace is invalid.
| const pieces = OLD_REMOTE_ADDRESS_FORMAT.exec(input); | ||
|
|
||
| // 5 = 4 groups + the whole expression | ||
| if (pieces?.groups === undefined || pieces.length < 5) { |
There was a problem hiding this comment.
pieces.length < 5 is a useless condition, because it will always be false. The regular expression pattern will either match with 4 groups + the whole expression, or it will not match at all.
In fact, pieces.length will also never be greater than 5.
There was a problem hiding this comment.
This is a check kept from the previous implementation and not new in this PR.
|
|
||
| // retrieve the various parts of the config location, and ensure they're present | ||
| const format = new RegExp( | ||
| "^((?<owner>[^:@/]+)/)?(?<repo>[^:@/]+)(@(?<ref>[^:]+))?(:(?<path>.+))?$", |
There was a problem hiding this comment.
- Since
/will always follow the owner, I think it would be simpler and less error-prone to make the character class[^/]. - Likewise, I think the character class for the
repogroup could be[^:@], since/is used in the old format, not this new one.
There was a problem hiding this comment.
Changing the regex as suggested leads to potentially incorrect results, because the groups end up being too eager in what they accept. For example, foo:some/path/to/a/file.yml should use foo as the repo and some/path/to/a/file.yml as the path. What would happen in practice (with your suggestion) is that foo:some ends up being the owner (owner reads until it finds a /) and path/to/a/file.yml ends up as the repo (repo reads until it finds a : or @, neither of which exist). That satisfies the regex, but is unlikely what was intended.
| const repo: string | undefined = pieces?.groups?.repo?.trim(); | ||
|
|
||
| // Check that the regular expression matched and that we have at least the repo name. | ||
| if (!pieces?.groups || !repo || repo.length === 0) { |
There was a problem hiding this comment.
Regarding !repo, I am not sure how the JS regular-expression engine works with regards to undefined, but since the quantifier is +, I expect repo to always be a one character string, at least. So, it seems unnecessary 🤷
Similarly, repo.length should always be at least 1 (because of the + quantifier). So, this seems like a useless condition.
There was a problem hiding this comment.
There are two separate things going on here:
- The
!repocheck is there to make TypeScript happy, since it does't know that!pieces?.groupsimplies thatrepo !== undefined. - The
repo.lengthcheck follows from the call to.trim()in the initial assignment ofrepo. Since, in theory, the regex could accept a whitespace-onlyrepovalue,.trim()may then reduce it to0length, which we check for here to reject it. That could be captured in the regex itself, but would then require us to specify which character ranges are acceptable (and maintain it).
| * All the components are required. Unchanged from the previous implementation. | ||
| */ | ||
| const OLD_REMOTE_ADDRESS_FORMAT = new RegExp( | ||
| "(?<owner>[^/]+)/(?<repo>[^/]+)/(?<path>[^@]+)@(?<ref>.*)", |
There was a problem hiding this comment.
- Since all components are required, the
refgroup should have the+quantifier. The*quantifier can consume zero characters, which can mean that therefgroup is the empty string, which would need to be handled in a special case. - This pattern should be anchored to match the whole string.
There was a problem hiding this comment.
What you wrote mirrors what Copilot complained about originally when I updated the regex to make parts of it optional. However, now that I have added a new regex for the new format, OLD_REMOTE_ADDRESS_FORMAT is just the regex from the existing code before any changes in this PR. In other words, making these adjustments (while perhaps reasonable) would alter the original behaviour. The old behaviour is not FF-gated, and so we'd be making a breaking change to existing code. That seems unnecessary to me.
This is a follow-up to #3963 which modifies
getRemoteConfigto accept shorthand addresses for remote files. Concretely, theowner,path, andrefcomponents are now optional and default to the owner of the current repo (as given byGITHUB_REPOSITORY),.github/codeql-action.yaml, andmainrespectively.Examples:
owner/reporesolves toowner/repo/.github/codeql-action.yaml@mainowner/repo@devresolves toowner/repo/.github/codeql-action.yaml@devowner/repo/.github/codeql/config.ymlresolves toowner/repo/.github/codeql/config.yml@mainNotes for reviewers
pathcomponentmainmay not always be the default branch for the target repo, but that's OK since it can be manually set to a different ref if needed.getRemoteConfigalready had a similar (but not equivalent) shorthand format. I then updated that instead so that the components other than the repo are optional. However, this isn't as nice, because/is used as a separator and can also appear in thepathcomponent. That means e.g. it is not possible with this format to specify a repo + path since it would be interpreted as owner + repo by the regex instead.Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
dynamicworkflows (Default Setup, Code Quality, ...).Products:
analysis-kinds: code-scanning.analysis-kinds: code-quality.Environments:
github.comand/or GitHub Enterprise Cloud with Data Residency.How did/will you validate this change?
.test.tsfiles).pr-checks).If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist