feat: add the runner validate subcommand (#757)

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/757): <!--number 757 --><!--line 0 --><!--description ZmVhdDogdGhlIG5ldyBgZm9yZ2Vqby1ydW5uZXIgdmFsaWRhdGVgIGNvbW1hbmQgY2FuIGJlIHVzZWQgdG8gdmVyaWZ5IGlmIGFuIGFjdGlvbiBvciBhIHdvcmtmbG93IGlzIGNvbmZvcm1hbnQgd2l0aCB0aGUgZXhwZWN0ZWQgc2NoZW1hLiBgZm9yZ2Vqby1ydW5uZXIgdmFsaWRhdGUgLS1yZXBvc2l0b3J5IGh0dHBzOi8vZXhhbXBsZS5jb20vbXkvcmVwb3NpdG9yeWAgd2lsbCB2YWxpZGF0ZSBhbGwgdGhlIHdvcmtmbG93cyBhbmQgYWN0aW9ucyBhIEdpdCByZXBvc2l0b3J5IGNvbnRhaW5zLiBBbHRlcm5hdGl2ZWx5ICBgZm9yZ2Vqby1ydW5uZXIgdmFsaWRhdGUgLS1wYXRoIG15YWN0aW9uL2FjdGlvbi55bWwgLS1hY3Rpb25gIG9yIGBmb3JnZWpvLXJ1bm5lciB2YWxpZGF0ZSAtLXBhdGggLmZvcmdlam8vd29ya2Zsb3dzL3Rlc3QueW1sIC0td29ya2Zsb3dgIGNhbiBiZSB1c2VkIHRvIHZhbGlkYXRlIGEgc2luZ2xlIGZpbGUuIEl0IGlzIHJlY29tbWVuZGVkIHRvIHVzZSB0aGVzZSBjb21tYW5kcyB0byB2ZXJpZnkgZXhpc3RpbmcgYWN0aW9ucyBhbmQgd29ya2Zsb3dzIHBhc3MgYmVmb3JlIHVwZ3JhZGluZyB0byBbRm9yZ2VqbyBydW5uZXIgdjguMC4wXShodHRwczovL2NvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9ydW5uZXIvc3JjL2JyYW5jaC9tYWluL1JFTEVBU0UtTk9URVMubWQjOC0wLTApIG9yIGFib3ZlIHRvIG5vdCBkaXNydXB0IGV4aXN0aW5nIHdvcmtmbG93cy4=-->feat: the new `forgejo-runner validate` command can be used to verify if an action or a workflow is conformant with the expected schema. `forgejo-runner validate --repository https://example.com/my/repository` will validate all the workflows and actions a Git repository contains. Alternatively  `forgejo-runner validate --path myaction/action.yml --action` or `forgejo-runner validate --path .forgejo/workflows/test.yml --workflow` can be used to validate a single file. It is recommended to use these commands to verify existing actions and workflows pass before upgrading to [Forgejo runner v8.0.0](https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#8-0-0) or above to not disrupt existing workflows.<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/757
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>

internal/app/cmd/testdata/validate/README.txt

@@ -0,0 +1 @@
+Use make-repositories.sh to change good-repository and bad-repository

internal/app/cmd/testdata/validate/bad-action.yml

@@ -0,0 +1,67 @@
+name: 'Forgejo release download and upload'
+author: 'Forgejo authors'
+description: |
+  Upload or download the assets of a release to a Forgejo instance.
+inputs:
+  badinput: scalarinsteadofmap
+  url:
+    description: 'URL of the Forgejo instance'
+    default: '${{ env.FORGEJO_SERVER_URL }}'
+  repo:
+    description: 'owner/project relative to the URL'
+    default: '${{ forge.repository }}'
+  tag:
+    description: 'Tag of the release'
+    default: '${{ forge.ref_name }}'
+  title:
+    description: 'Title of the release (defaults to tag)'
+  sha:
+    description: 'SHA of the release'
+    default: '${{ forge.sha }}'
+  token:
+    description: 'Forgejo application token'
+    default: '${{ forge.token }}'
+  release-dir:
+    description: 'Directory in whichs release assets are uploaded or downloaded'
+    required: true
+  release-notes:
+    description: 'Release notes'
+  direction:
+    description: 'Can either be `download` or `upload`'
+    required: true
+  gpg-private-key:
+    description: 'GPG Private Key to sign the release artifacts'
+  gpg-passphrase:
+    description: 'Passphrase of the GPG Private Key'
+  download-retry:
+    description: 'Number of times to retry if the release is not ready (default 1)'
+  download-latest:
+    description: 'Download the latest release'
+    default: false
+  verbose:
+    description: 'Increase the verbosity level'
+    default: false
+  override:
+    description: 'Override an existing release by the same `{tag}`'
+    default: false
+  prerelease:
+    description: 'Mark Release as Pre-Release'
+    default: false
+  release-notes-assistant:
+    description: 'Generate release notes with Release Notes Assistant'
+    default: false
+  hide-archive-link:
+    description: 'Hide the archive links'
+    default: false
+
+runs:
+  using: "composite"
+  steps:
+    - if: ${{ inputs.release-notes-assistant }}
+      uses: https://data.forgejo.org/actions/cache@v4
+      with:
+        key: rna-${{ inputs.repo }}
+        path: ${{ forge.action_path }}/rna
+
+    - run: echo "${{ forge.action_path }}" >> $FORGEJO_PATH
+      shell: bash

internal/app/cmd/testdata/validate/bad-repository/HEAD

@@ -0,0 +1 @@
+ref: refs/heads/master

internal/app/cmd/testdata/validate/bad-repository/config

@@ -0,0 +1,6 @@
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = true
+[remote "origin"]
+	url = /tmp/tmp.jyjE6tqWGS/bad

internal/app/cmd/testdata/validate/bad-repository/description

@@ -0,0 +1 @@
+Unnamed repository; edit this file 'description' to name the repository.

internal/app/cmd/testdata/validate/bad-repository/info/exclude

@@ -0,0 +1,6 @@
+# git ls-files --others --exclude-from=.git/info/exclude
+# Lines that start with '#' are comments.
+# For a project mostly in C, the following would be a good set of
+# exclude patterns (uncomment them if you want to use them):
+# *.[oa]
+# *~

internal/app/cmd/testdata/validate/bad-repository/packed-refs

@@ -0,0 +1,2 @@
+# pack-refs with: peeled fully-peeled sorted 
+99a66b16c83472b94e5e275ae6bf85ba89a8e201 refs/heads/master

internal/app/cmd/testdata/validate/bad-workflow.yml

@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+  test:
+    ruins-on: docker
+    steps:
+      - run: echo All good!

internal/app/cmd/testdata/validate/good-action.yml

@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: MIT
+name: 'Forgejo release download and upload'
+author: 'Forgejo authors'
+description: |
+  Upload or download the assets of a release to a Forgejo instance.
+inputs:
+  url:
+    description: 'URL of the Forgejo instance'
+    default: '${{ env.FORGEJO_SERVER_URL }}'
+  repo:
+    description: 'owner/project relative to the URL'
+    default: '${{ forge.repository }}'
+  tag:
+    description: 'Tag of the release'
+    default: '${{ forge.ref_name }}'
+  title:
+    description: 'Title of the release (defaults to tag)'
+  sha:
+    description: 'SHA of the release'
+    default: '${{ forge.sha }}'
+  token:
+    description: 'Forgejo application token'
+    default: '${{ forge.token }}'
+  release-dir:
+    description: 'Directory in whichs release assets are uploaded or downloaded'
+    required: true
+  release-notes:
+    description: 'Release notes'
+  direction:
+    description: 'Can either be `download` or `upload`'
+    required: true
+  gpg-private-key:
+    description: 'GPG Private Key to sign the release artifacts'
+  gpg-passphrase:
+    description: 'Passphrase of the GPG Private Key'
+  download-retry:
+    description: 'Number of times to retry if the release is not ready (default 1)'
+  download-latest:
+    description: 'Download the latest release'
+    default: false
+  verbose:
+    description: 'Increase the verbosity level'
+    default: false
+  override:
+    description: 'Override an existing release by the same `{tag}`'
+    default: false
+  prerelease:
+    description: 'Mark Release as Pre-Release'
+    default: false
+  release-notes-assistant:
+    description: 'Generate release notes with Release Notes Assistant'
+    default: false
+  hide-archive-link:
+    description: 'Hide the archive links'
+    default: false
+
+runs:
+  using: "composite"
+  steps:
+    - if: ${{ inputs.release-notes-assistant }}
+      uses: https://data.forgejo.org/actions/cache@v4
+      with:
+        key: rna-${{ inputs.repo }}
+        path: ${{ forge.action_path }}/rna
+
+    - run: echo "${{ forge.action_path }}" >> $FORGEJO_PATH
+      shell: bash

internal/app/cmd/testdata/validate/good-repository/HEAD

@@ -0,0 +1 @@
+ref: refs/heads/master

internal/app/cmd/testdata/validate/good-repository/config

@@ -0,0 +1,6 @@
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = true
+[remote "origin"]
+	url = /tmp/tmp.jyjE6tqWGS/good

internal/app/cmd/testdata/validate/good-repository/description

@@ -0,0 +1 @@
+Unnamed repository; edit this file 'description' to name the repository.

internal/app/cmd/testdata/validate/good-repository/info/exclude

@@ -0,0 +1,6 @@
+# git ls-files --others --exclude-from=.git/info/exclude
+# Lines that start with '#' are comments.
+# For a project mostly in C, the following would be a good set of
+# exclude patterns (uncomment them if you want to use them):
+# *.[oa]
+# *~

internal/app/cmd/testdata/validate/good-repository/packed-refs

@@ -0,0 +1,2 @@
+# pack-refs with: peeled fully-peeled sorted 
+f09a73e2ddef7b7834661e4c7b388a22f654f164 refs/heads/master

internal/app/cmd/testdata/validate/good-workflow.yml

@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+  test:
+    runs-on: docker
+    steps:
+      - run: echo All good!

internal/app/cmd/testdata/validate/make-repositories.sh

@@ -0,0 +1,56 @@
+#!/bin/bash -ex
+
+tmpdir=$(mktemp -d)
+
+trap "rm -fr $tmpdir" EXIT
+
+# good
+
+mkdir $tmpdir/good
+git -C $tmpdir/good init --quiet
+
+cp good-action.yml $tmpdir/good/action.yml
+mkdir -p $tmpdir/good/subaction
+cp good-action.yml $tmpdir/good/subaction/action.yaml
+
+mkdir -p $tmpdir/good/.forgejo/workflows
+cp good-workflow.yml $tmpdir/good/.forgejo/workflows/action.yml
+cp good-workflow.yml $tmpdir/good/.forgejo/workflows/workflow1.yml
+cp good-workflow.yml $tmpdir/good/.forgejo/workflows/workflow2.yaml
+
+# add workflows / actions that won't be good but it does not matter
+# because they must be ignored
+for i in .github .gitea; do
+  mkdir -p $tmpdir/good/$i/workflows
+  cp bad-workflow.yml $tmpdir/good/$i/workflows/bad.yml
+done
+
+git -C $tmpdir/good config user.email root@example.com
+git -C $tmpdir/good config user.name username
+git -C $tmpdir/good add .
+git -C $tmpdir/good commit -m 'initial'
+
+rm -fr good-repository
+git clone --bare $tmpdir/good good-repository
+rm -fr good-repository/hooks
+touch good-repository/refs/placeholder
+
+# bad
+
+mkdir $tmpdir/bad
+git -C $tmpdir/bad init --quiet
+
+cp bad-action.yml $tmpdir/bad/action.yml
+
+mkdir -p $tmpdir/bad/.forgejo/workflows
+cp bad-workflow.yml $tmpdir/bad/.forgejo/workflows/workflow1.yml
+
+git -C $tmpdir/bad config user.email root@example.com
+git -C $tmpdir/bad config user.name username
+git -C $tmpdir/bad add .
+git -C $tmpdir/bad commit -m 'initial'
+
+rm -fr bad-repository
+git clone --bare $tmpdir/bad bad-repository
+rm -fr bad-repository/hooks
+touch bad-repository/refs/placeholder