feat: Validate GitHub Actions schema (#2416)

* feat: Validate GitHub Actions schema

**BREAKING** previously accepted workflows are now invalid

* update code

* fix tests

* Bump docker / fix lint

* fix test action due to moving the file

* remove unused function

* fix parsing additional functions

* fix allow int

* update docker dep, due to linter

(cherry picked from commit 64219df0f2155d75ffc4423dc93c1e80bb4740bc)

Conflicts:
	go.mod
	go.sum
	pkg/model/workflow.go

	trivial context conflict & go.mod upgrades

act/model/action.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"strings"
 
+	"github.com/nektos/act/pkg/schema"
 	"gopkg.in/yaml.v3"
 )
 
@@ -82,6 +83,18 @@ type Action struct {
 	} `yaml:"branding"`
 }
 
+func (a *Action) UnmarshalYAML(node *yaml.Node) error {
+	// Validate the schema before deserializing it into our model
+	if err := (&schema.Node{
+		Definition: "action-root",
+		Schema:     schema.GetActionSchema(),
+	}).UnmarshalYAML(node); err != nil {
+		return err
+	}
+	type ActionDefault Action
+	return node.Decode((*ActionDefault)(a))
+}
+
 // Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.
 type Input struct {
 	Description string `yaml:"description"`

act/model/workflow.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/schema"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 )
@@ -92,6 +93,18 @@ func (w *Workflow) OnSchedule() []string {
 	return []string{}
 }
 
+func (w *Workflow) UnmarshalYAML(node *yaml.Node) error {
+	// Validate the schema before deserializing it into our model
+	if err := (&schema.Node{
+		Definition: "workflow-root-strict",
+		Schema:     schema.GetWorkflowSchema(),
+	}).UnmarshalYAML(node); err != nil {
+		return err
+	}
+	type WorkflowDefault Workflow
+	return node.Decode((*WorkflowDefault)(w))
+}
+
 type WorkflowDispatchInput struct {
 	Description string   `yaml:"description"`
 	Required    bool     `yaml:"required"`
@@ -488,7 +501,7 @@ func (j *Job) GetMatrixes() ([]map[string]interface{}, error) {
 	return matrixes, nil
 }
 
-func commonKeysMatch(a map[string]interface{}, b map[string]interface{}) bool {
+func commonKeysMatch(a, b map[string]interface{}) bool {
 	for aKey, aVal := range a {
 		if bVal, ok := b[aKey]; ok && !reflect.DeepEqual(aVal, bVal) {
 			return false
@@ -497,7 +510,7 @@ func commonKeysMatch(a map[string]interface{}, b map[string]interface{}) bool {
 	return true
 }
 
-func commonKeysMatch2(a map[string]interface{}, b map[string]interface{}, m map[string][]interface{}) bool {
+func commonKeysMatch2(a, b map[string]interface{}, m map[string][]interface{}) bool {
 	for aKey, aVal := range a {
 		_, useKey := m[aKey]
 		if bVal, ok := b[aKey]; useKey && ok && !reflect.DeepEqual(aVal, bVal) {

act/model/workflow_test.go

@@ -440,15 +440,8 @@ jobs:
         uses: ./local-action
 `
 
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed")
-	assert.Len(t, workflow.Jobs, 1)
-	assert.Len(t, workflow.Jobs["test"].Steps, 5)
-	assert.Equal(t, workflow.Jobs["test"].Steps[0].Type(), StepTypeInvalid)
-	assert.Equal(t, workflow.Jobs["test"].Steps[1].Type(), StepTypeRun)
-	assert.Equal(t, workflow.Jobs["test"].Steps[2].Type(), StepTypeUsesActionRemote)
-	assert.Equal(t, workflow.Jobs["test"].Steps[3].Type(), StepTypeUsesDockerURL)
-	assert.Equal(t, workflow.Jobs["test"].Steps[4].Type(), StepTypeUsesActionLocal)
+	_, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.Error(t, err, "read workflow should fail")
 }
 
 // See: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idoutputs