fix: omit job-level environment on reusable-workflow deploy jobs#138
Merged
GitHub Actions forbids a job-level `environment:` key on a job that calls a reusable workflow with `uses:`; actionlint rejects it with "environment is not available". When `gha_environment` was configured and a deploy used an external `workflow:`, the orchestrate and promote generators emitted both `environment:` and `uses:` on the same caller job, producing an invalid workflow GitHub refuses to run.

Gate the job-level `environment:` key on the deploy being an inline `run:` (steps) job in all three emission sites: the orchestrate deploy job and the promote single-deploy and prod-deploy jobs. External deploys keep passing the environment name via the `with: environment` input; protection must be declared inside the reusable workflow.

Warn at generate time when `gha_environment` is set for an environment whose deploys are external, and document the contract.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
## Problem

When a manifest sets `gha_environment` and a deploy uses an external reusable `workflow:`, the generator emitted a job-level `environment:` key on the same caller job as `uses:`. GitHub Actions forbids `environment:` on a reusable-workflow caller job. actionlint confirms:

The generated orchestrate/promote workflows were invalid and GitHub refused to run them. The env-gate path for external deploys was effectively broken.

## Fix

A job-level `environment:` key is valid on a steps job (inline `run:` deploy) but invalid on a `uses:` job. The fix gates the job-level `environment:` emission on the deploy being inline-`run:` at all three sites:

- `internal/generate/generator.go` orchestrate deploy job (now requires `info.Run != ""`).
- `internal/generate/promote.go` single-deploy job (the `else` external branch no longer emits it).
- `internal/generate/promote.go` prod-deploy job (gated under `d.Run != ""`).

External (`uses:`) deploys keep passing the environment name via the existing `with: environment:` input. GitHub Environment protection must be declared on the job inside the reusable workflow; cascade cannot set it on the caller.

A generate-time note now fires when `gha_environment` is configured for an environment whose deploys are external reusable workflows, explaining where to declare protection.

## Docs

`docs/src/content/docs/callback-contract.md` and `docs/src/content/docs/workflows.md` now document the contract: job-level environment gating applies to inline-run deploys; for external reusable-workflow deploys, declare `environment:` inside the reusable workflow (cascade passes the env name as the `environment` input).

## Verification

- `gha_environment` deploy jobs carry `uses:` and `with: environment:` but no job-level `environment:`, while inline-run deploys keep it; a warning test; and an actionlint check that the generated orchestrate and promote workflows no longer trigger the "environment is not available" error.
- `go build ./...`, `go test ./...` (1186 passed), `golangci-lint run ./internal/generate/...`, and actionlint over generated samples all green.
- `environment:` on external deploys were switched to inline-run deploys (the only case where the job-level key is valid); the external case is covered by the new tests.

Closes #137