From 8b7e126c1c099688530d37063239d1c999e4c9d4 Mon Sep 17 00:00:00 2001
From: Earl Warren <contact@earl-warren.org>
Date: Mon, 4 Aug 2025 13:20:22 +0000
Subject: [PATCH] fix: log the URL of the action when it fails schema
 validation (#810)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

```
$ go test -v -run='TestRunner_RunEvent$/local-action-fails-schema-validation' ./act/runner
...
[fails-schema-validation/test]   ❌  Failure - Main ./local-action-fails-schema-validation/action
[fails-schema-validation/test] failed to validate action.y*ml from action './local-action-fails-schema-validation/action' with path '': Line: 2 Column 3: Failed to match null: Line: 2 Column 3: Expected a scalar got mapping
Line: 2 Column 3: Failed to match inputs-mapping: Line: 3 Column 5: Failed to match null: Line: 3 Column 5: Expected a scalar got mapping
Line: 3 Column 5: Failed to match input-mapping: Line: 3 Column 14: Unknown Variable Access secrets
...
```

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/810): <!--number 810 --><!--line 0 --><!--description Zml4OiBsb2cgdGhlIFVSTCBvZiB0aGUgYWN0aW9uIHdoZW4gaXQgZmFpbHMgc2NoZW1hIHZhbGlkYXRpb24=-->fix: log the URL of the action when it fails schema validation<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/810
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
---
 act/runner/action.go                                  |  5 ++++-
 act/runner/job_executor_test.go                       |  4 ++--
 act/runner/runner_test.go                             | 11 +++++++----
 act/runner/step_action_remote.go                      |  3 +--
 .../action/action.yml                                 |  7 +++++++
 .../local-action-fails-schema-validation/push.yml     |  9 +++++++++
 6 files changed, 30 insertions(+), 9 deletions(-)
 create mode 100644 act/runner/testdata/local-action-fails-schema-validation/action/action.yml
 create mode 100644 act/runner/testdata/local-action-fails-schema-validation/push.yml

diff --git a/act/runner/action.go b/act/runner/action.go
index 16961cd3..c777573d 100644
--- a/act/runner/action.go
+++ b/act/runner/action.go
@@ -45,7 +45,7 @@ func readActionImpl(ctx context.Context, step *model.Step, actionDir, actionPath
 	allErrors := []error{}
 	addError := func(fileName string, err error) {
 		if err != nil {
-			allErrors = append(allErrors, fmt.Errorf("failed to read '%s' from action '%s' with path '%s' of step %w", fileName, step.String(), actionPath, err))
+			allErrors = append(allErrors, fmt.Errorf("failed to read '%s' from action '%s' with path '%s': %w", fileName, step.String(), actionPath, err))
 		} else {
 			// One successful read, clear error state
 			allErrors = nil
@@ -112,6 +112,9 @@ func readActionImpl(ctx context.Context, step *model.Step, actionDir, actionPath
 	defer closer.Close()
 
 	action, err := model.ReadAction(reader)
+	if err != nil {
+		err = fmt.Errorf("failed to validate action.y*ml from action '%s' with path '%s': %v", step.String(), actionPath, err)
+	}
 	logger.Debugf("Read action %v from '%s'", action, "Unknown")
 	return action, err
 }
diff --git a/act/runner/job_executor_test.go b/act/runner/job_executor_test.go
index cd940f8d..f5c6e110 100644
--- a/act/runner/job_executor_test.go
+++ b/act/runner/job_executor_test.go
@@ -16,13 +16,13 @@ import (
 func TestJobExecutor(t *testing.T) {
 	tables := []TestJobFileInfo{
 		{workdir, "uses-and-run-in-one-step", "push", "Invalid run/uses syntax for job:test step:Test", platforms, secrets},
-		{workdir, "uses-github-empty", "push", "Expected format {org}/{repo}[/path]@ref", platforms, secrets},
+		{workdir, "uses-github-empty", "push", "job:test step:empty", platforms, secrets},
 		{workdir, "uses-github-noref", "push", "Expected format {org}/{repo}[/path]@ref", platforms, secrets},
 		{workdir, "uses-github-root", "push", "", platforms, secrets},
 		{workdir, "uses-github-path", "push", "", platforms, secrets},
 		{workdir, "uses-docker-url", "push", "", platforms, secrets},
 		{workdir, "uses-github-full-sha", "push", "", platforms, secrets},
-		{workdir, "uses-github-short-sha", "push", "Unable to resolve action `actions/hello-world-docker-action@b136eb8`, the provided ref `b136eb8` is the shortened version of a commit SHA, which is not supported. Please use the full commit SHA `b136eb8894c5cb1dd5807da824be97ccdf9b5423` instead", platforms, secrets},
+		{workdir, "uses-github-short-sha", "push", "Please use the full commit SHA", platforms, secrets},
 		{workdir, "job-nil-step", "push", "invalid Step 0: missing run or uses key", platforms, secrets},
 	}
 	// These tests are sufficient to only check syntax.
diff --git a/act/runner/runner_test.go b/act/runner/runner_test.go
index 34045bd0..0a11a5ea 100644
--- a/act/runner/runner_test.go
+++ b/act/runner/runner_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/joho/godotenv"
 	log "github.com/sirupsen/logrus"
 	assert "github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 
 	"code.forgejo.org/forgejo/runner/v9/act/common"
@@ -209,7 +210,8 @@ func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config
 			if j.errorMessage == "" {
 				assert.NoError(t, err, fullWorkflowPath)
 			} else {
-				assert.Error(t, err, j.errorMessage)
+				require.Error(t, err, j.errorMessage)
+				assert.ErrorContains(t, err, j.errorMessage)
 			}
 		}
 	}
@@ -240,6 +242,7 @@ func TestRunner_RunEvent(t *testing.T) {
 		{workdir, "shells/pwsh", "push", "", platforms, secrets},
 
 		// Local action
+		{workdir, "local-action-fails-schema-validation", "push", "Job 'test' failed", platforms, secrets},
 		{workdir, "local-action-docker-url", "push", "", platforms, secrets},
 		{workdir, "local-action-dockerfile", "push", "", platforms, secrets},
 		{workdir, "local-action-via-composite-dockerfile", "push", "", platforms, secrets},
@@ -265,7 +268,7 @@ func TestRunner_RunEvent(t *testing.T) {
 		{workdir, "evalmatrix-merge-array", "push", "", platforms, secrets},
 
 		{workdir, "basic", "push", "", platforms, secrets},
-		{workdir, "fail", "push", "exit with `FAILURE`: 1", platforms, secrets},
+		{workdir, "fail", "push", "Job 'build' failed", platforms, secrets},
 		{workdir, "runs-on", "push", "", platforms, secrets},
 		{workdir, "checkout", "push", "", platforms, secrets},
 		{workdir, "job-container", "push", "", platforms, secrets},
@@ -294,7 +297,7 @@ func TestRunner_RunEvent(t *testing.T) {
 		{workdir, "networking", "push", "", platforms, secrets},
 		{workdir, "steps-context/conclusion", "push", "", platforms, secrets},
 		{workdir, "steps-context/outcome", "push", "", platforms, secrets},
-		{workdir, "job-status-check", "push", "job 'fail' failed", platforms, secrets},
+		{workdir, "job-status-check", "push", "Job 'fail' failed", platforms, secrets},
 		{workdir, "if-expressions", "push", "Job 'mytest' failed", platforms, secrets},
 		{workdir, "actions-environment-and-context-tests", "push", "", platforms, secrets},
 		{workdir, "uses-action-with-pre-and-post-step", "push", "", platforms, secrets},
@@ -313,7 +316,7 @@ func TestRunner_RunEvent(t *testing.T) {
 		{workdir, "do-not-leak-step-env-in-composite", "push", "", platforms, secrets},
 		{workdir, "set-env-step-env-override", "push", "", platforms, secrets},
 		{workdir, "set-env-new-env-file-per-step", "push", "", platforms, secrets},
-		{workdir, "no-panic-on-invalid-composite-action", "push", "jobs failed due to invalid action", platforms, secrets},
+		{workdir, "no-panic-on-invalid-composite-action", "push", "missing steps in composite action", platforms, secrets},
 		{workdir, "tool-cache", "push", "", platforms, secrets},
 
 		// services
diff --git a/act/runner/step_action_remote.go b/act/runner/step_action_remote.go
index 920960c5..fdbbf794 100644
--- a/act/runner/step_action_remote.go
+++ b/act/runner/step_action_remote.go
@@ -42,7 +42,6 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 			return nil
 		}
 
-		// For gitea:
 		// Since actions can specify the download source via a url prefix.
 		// The prefix may contain some sensitive information that needs to be stored in secrets,
 		// so we need to interpolate the expression value for uses first.
@@ -50,7 +49,7 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 
 		sar.remoteAction = newRemoteAction(sar.Step.Uses)
 		if sar.remoteAction == nil {
-			return fmt.Errorf("Expected format {org}/{repo}[/path]@ref. Actual '%s' Input string was not in a correct format", sar.Step.Uses)
+			return fmt.Errorf("Expected format {org}/{repo}[/path]@ref or https://example.com/{org}/{repo}[/path]@ref. Actual '%s' Input string was not in a correct format", sar.Step.Uses)
 		}
 
 		github := sar.getGithubContext(ctx)
diff --git a/act/runner/testdata/local-action-fails-schema-validation/action/action.yml b/act/runner/testdata/local-action-fails-schema-validation/action/action.yml
new file mode 100644
index 00000000..75b4bef4
--- /dev/null
+++ b/act/runner/testdata/local-action-fails-schema-validation/action/action.yml
@@ -0,0 +1,7 @@
+inputs:
+  leak:
+    default: '${{ secrets.SOMESECRET }}'
+runs:
+  using: composite
+  steps:
+  - run: echo OK
diff --git a/act/runner/testdata/local-action-fails-schema-validation/push.yml b/act/runner/testdata/local-action-fails-schema-validation/push.yml
new file mode 100644
index 00000000..1675478c
--- /dev/null
+++ b/act/runner/testdata/local-action-fails-schema-validation/push.yml
@@ -0,0 +1,9 @@
+name: fails-schema-validation
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: https://data.forgejo.org/actions/checkout@v4
+    - uses: ./local-action-fails-schema-validation/action