@intentius/chant-lexicon-github 0.0.18 → 0.0.24

package/src/composites/upload-artifact.ts

@@ -1,13 +1,18 @@
-import { Composite } from "@intentius/chant";
+import { Composite, mergeDefaults } from "@intentius/chant";
+import type { Step } from "../generated/index";
 
 export interface UploadArtifactProps {
   name: string;
   path: string;
   retentionDays?: number;
   compressionLevel?: number;
+  defaults?: {
+    step?: Partial<ConstructorParameters<typeof Step>[0]>;
+  };
 }
 
 export const UploadArtifact = Composite<UploadArtifactProps>((props) => {
+  const { defaults } = props;
   const withObj: Record<string, string> = {
     name: props.name,
     path: props.path,
@@ -17,11 +22,11 @@ export const UploadArtifact = Composite<UploadArtifactProps>((props) => {
 
   const { createProperty } = require("@intentius/chant/runtime");
   const StepClass = createProperty("GitHub::Actions::Step", "github");
-  const step = new StepClass({
+  const step = new StepClass(mergeDefaults({
     name: "Upload Artifact",
     uses: "actions/upload-artifact@v4",
     with: withObj,
-  });
+  }, defaults?.step));
 
   return { step };
 }, "UploadArtifact");

package/src/coverage.test.ts

@@ -0,0 +1,23 @@
+import { describe, test, expect } from "bun:test";
+import {
+  analyzeGitHubCoverage,
+  computeCoverage,
+  overallPct,
+  formatSummary,
+  formatVerbose,
+  checkThresholds,
+} from "./coverage";
+
+describe("coverage module", () => {
+  test("analyzeGitHubCoverage is exported and callable", () => {
+    expect(typeof analyzeGitHubCoverage).toBe("function");
+  });
+
+  test("re-exports from core are functions", () => {
+    expect(typeof computeCoverage).toBe("function");
+    expect(typeof overallPct).toBe("function");
+    expect(typeof formatSummary).toBe("function");
+    expect(typeof formatVerbose).toBe("function");
+    expect(typeof checkThresholds).toBe("function");
+  });
+});

package/src/import/roundtrip.test.ts

@@ -0,0 +1,206 @@
+import { describe, test, expect } from "bun:test";
+import { GitHubActionsParser } from "./parser";
+import { GitHubActionsGenerator } from "./generator";
+
+const parser = new GitHubActionsParser();
+const generator = new GitHubActionsGenerator();
+
+describe("roundtrip: parse → generate", () => {
+  test("simple CI workflow roundtrip", () => {
+    const yaml = `
+name: CI
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm ci
+      - run: npm test
+`;
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    expect(files).toHaveLength(1);
+    const content = files[0].content;
+
+    expect(content).toContain("import");
+    expect(content).toContain("export const");
+    expect(content).toContain("new Workflow(");
+    expect(content).toContain("new Job(");
+    expect(content).toContain("CI");
+    expect(content).toContain("npm ci");
+    expect(content).toContain("npm test");
+  });
+
+  test("multi-job workflow roundtrip", () => {
+    const yaml = `
+name: Build and Deploy
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+permissions:
+  contents: read
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+      - run: npm ci
+      - run: npm run build
+  test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [test]
+    steps:
+      - run: echo "deploy"
+`;
+    const ir = parser.parse(yaml);
+    expect(ir.resources.length).toBeGreaterThanOrEqual(3);
+
+    const files = generator.generate(ir);
+    const content = files[0].content;
+
+    expect(content).toContain("new Workflow(");
+    expect(content).toContain("new Job(");
+    expect(content).toContain("build");
+    expect(content).toContain("test");
+    expect(content).toContain("deploy");
+    expect(content).toContain("needs");
+  });
+
+  test("matrix strategy roundtrip", () => {
+    const yaml = `
+name: Matrix
+on:
+  push:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20, 22]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+`;
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+    const content = files[0].content;
+
+    expect(content).toContain("matrix");
+    expect(content).toContain("node-version");
+  });
+
+  test("concurrency and permissions roundtrip", () => {
+    const yaml = `
+name: Deploy
+on:
+  push:
+    branches: [main]
+permissions:
+  contents: read
+  pages: write
+concurrency:
+  group: deploy
+  cancel-in-progress: true
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo deploy
+`;
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+    const content = files[0].content;
+
+    expect(content).toContain("concurrency");
+    expect(content).toContain("permissions");
+    expect(content).toContain("deploy");
+  });
+
+  test("reusable workflow call roundtrip", () => {
+    const yaml = `
+name: Caller
+on:
+  push:
+jobs:
+  call-deploy:
+    uses: ./.github/workflows/deploy.yml
+    with:
+      environment: production
+    secrets: inherit
+`;
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+    const content = files[0].content;
+
+    expect(content).toContain("Workflow");
+    expect(content).toContain("export const");
+  });
+
+  test("workflow dispatch with inputs roundtrip", () => {
+    const yaml = `
+name: Manual Deploy
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo deploying
+`;
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+    const content = files[0].content;
+
+    expect(content).toContain("import");
+    expect(content).toContain("export const");
+    expect(content).toContain("Manual Deploy");
+    expect(content).toContain("workflow_dispatch");
+  });
+
+  test("environment protection roundtrip", () => {
+    const yaml = `
+name: Production Deploy
+on:
+  push:
+    branches: [main]
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://example.com
+    steps:
+      - run: deploy.sh
+`;
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+    const content = files[0].content;
+
+    expect(content).toContain("environment");
+    expect(content).toContain("production");
+  });
+});

package/src/lint/post-synth/gha006.test.ts

@@ -0,0 +1,56 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { gha006 } from "./gha006";
+
+function makeMultiCtx(files: Record<string, string>): PostSynthContext {
+  const result = {
+    primary: Object.values(files)[0] ?? "",
+    files,
+  };
+  return {
+    outputs: new Map([["github", result as unknown as string]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", result as unknown as string]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA006: duplicate workflow name", () => {
+  test("flags duplicate workflow names across files", () => {
+    const ctx = makeMultiCtx({
+      "ci.yml": `name: CI\non:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n`,
+      "deploy.yml": `name: CI\non:\n  push:\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n`,
+    });
+    const diags = gha006.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA006");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("CI");
+  });
+
+  test("does not flag unique workflow names", () => {
+    const ctx = makeMultiCtx({
+      "ci.yml": `name: CI\non:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n`,
+      "deploy.yml": `name: Deploy\non:\n  push:\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n`,
+    });
+    const diags = gha006.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags three files with same name", () => {
+    const ctx = makeMultiCtx({
+      "a.yml": `name: Build\non:\n  push:\njobs:\n  a:\n    runs-on: ubuntu-latest\n`,
+      "b.yml": `name: Build\non:\n  push:\njobs:\n  b:\n    runs-on: ubuntu-latest\n`,
+      "c.yml": `name: Build\non:\n  push:\njobs:\n  c:\n    runs-on: ubuntu-latest\n`,
+    });
+    const diags = gha006.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("Build");
+  });
+});

package/src/lint/post-synth/gha009.test.ts

@@ -0,0 +1,56 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha009 } from "./gha009";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA009: empty matrix dimension", () => {
+  test("flags empty matrix array", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: []
+    steps:
+      - run: echo test
+`;
+    const diags = gha009.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA009");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("node-version");
+  });
+
+  test("does not flag non-empty matrix", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20, 22]
+    steps:
+      - run: echo test
+`;
+    const diags = gha009.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/gha011.test.ts

@@ -0,0 +1,61 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha011 } from "./gha011";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA011: invalid needs reference", () => {
+  test("flags needs referencing non-existent job", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build, test]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha011.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA011");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("test");
+    expect(diags[0].message).toContain("deploy");
+  });
+
+  test("does not flag valid needs", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha011.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/gha017.test.ts

@@ -0,0 +1,51 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha017 } from "./gha017";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA017: missing permissions", () => {
+  test("flags workflow without permissions", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+`;
+    const diags = gha017.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA017");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("does not flag workflow with permissions", () => {
+    const yaml = `name: CI
+on:
+  push:
+permissions:
+  contents: read
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+`;
+    const diags = gha017.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/gha018.test.ts

@@ -0,0 +1,66 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha018 } from "./gha018";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA018: pull_request_target + checkout", () => {
+  test("flags pull_request_target with checkout", () => {
+    const yaml = `name: CI
+on:
+  pull_request_target:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+`;
+    const diags = gha018.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA018");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("checkout");
+  });
+
+  test("does not flag pull_request_target without checkout", () => {
+    const yaml = `name: CI
+on:
+  pull_request_target:
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "label"
+`;
+    const diags = gha018.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag push trigger with checkout", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+`;
+    const diags = gha018.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/gha019.test.ts

@@ -0,0 +1,66 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha019 } from "./gha019";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA019: circular needs chain", () => {
+  test("detects simple cycle", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    needs: [deploy]
+    steps:
+      - run: echo build
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha019.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("GHA019");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("\u2192");
+  });
+
+  test("does not flag acyclic graph", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+  test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - run: echo test
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [test]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha019.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/gha020.test.ts

@@ -0,0 +1,66 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha020 } from "./gha020";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA020: missing job-level permissions for sensitive triggers", () => {
+  test("flags job without permissions when using pull_request_target", () => {
+    const yaml = `name: Review
+on:
+  pull_request_target:
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo review
+`;
+    const diags = gha020.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA020");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("review");
+  });
+
+  test("flags job without permissions when using workflow_dispatch", () => {
+    const yaml = `name: Manual
+on:
+  workflow_dispatch:
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha020.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA020");
+    expect(diags[0].message).toContain("deploy");
+  });
+
+  test("does not flag when trigger is not sensitive", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+`;
+    const diags = gha020.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});