Include transitive dependencies of local reusable workflows

This is necessary when the target is not a whole repository or when an
external reusable workflow uses a (for that workflow)-local workflow -
otherwise the reusable workflow would be included regardless. Hence,
this is also only tested in the suite for `ghasum verify` (because it
doesn't apply to `init` nor `update`).

Author: ericcornelissen

CHANGELOG.md

@@ -12,6 +12,16 @@ Versioning].
 
 ## [Unreleased]
 
+### Bugs
+
+- Cover the actions and workflows used in local actions and reusable workflows.
+
+### Security
+
+- Upgrade Go to `v1.25.0`.
+
+## [v0.6.0] - 2025-08-17
+
 ### Enhancements
 
 - Add the `ghasum list` subcommand to get a nested list of GitHub Actions

internal/gha/actions.go

@@ -22,6 +22,7 @@ import (
 	"maps"
 	"path"
 	"slices"
+	"strings"
 )
 
 type workflowFile struct {
@@ -50,13 +51,15 @@ func actionsInWorkflows(workflows []workflow) ([]GitHubAction, error) {
 
 			if job.Uses != "" {
 				action, err := parseUses(job.Uses)
-				if errors.Is(err, ErrLocalAction) {
-					continue
-				} else if err != nil {
+				switch {
+				case err == nil:
+					action.Kind = ReusableWorkflow
+				case errors.Is(err, ErrLocalAction):
+					action.Kind = LocalReusableWorkflow
+				default:
 					return nil, err
 				}
 
-				action.Kind = ReusableWorkflow
 				unique[actionId(action)] = action
 			}
 		}
@@ -134,7 +137,7 @@ func workflowsInRepo(repo fs.FS) ([]workflowFile, error) {
 }
 
 func workflowInRepo(repo fs.FS, path string) ([]byte, error) {
-	file, err := repo.Open(path)
+	file, err := repo.Open(strings.TrimPrefix(path, "./"))
 	if err != nil {
 		return nil, fmt.Errorf("could not open workflow at %q: %v", path, err)
 	}

internal/gha/actions_test.go

@@ -371,7 +371,7 @@ func TestActionsInWorkflows(t *testing.T) {
 						},
 					},
 				},
-				want: 0,
+				want: 1,
 			},
 			"job with external reusable workflow": {
 				in: []workflow{

internal/gha/gha.go

@@ -63,6 +63,14 @@ const (
 	// Dockerfile.
 	LocalAction
 
+	// LocalReusableWorkflow represent a GitHub Actions component local to the
+	// parent project that is a "reusable workflow".
+	//
+	// A local reusable workflow is a workflow in the parent repository with the
+	// appropriate workflow trigger. These are used in the `uses:` value of
+	// workflow jobs.
+	LocalReusableWorkflow
+
 	// ReusableWorkflow represent a GitHub Actions component that is a "reusable
 	// workflow".
 	//
@@ -187,13 +195,13 @@ func (k ActionKind) String() string {
 	switch k {
 	case Action, LocalAction:
 		return "action"
-	case ReusableWorkflow:
+	case ReusableWorkflow, LocalReusableWorkflow:
 		return "reusable workflow"
 	default:
 		panic("unknown action kind " + string(k))
 	}
 }
 
 func (k ActionKind) IsLocal() bool {
-	return k == LocalAction
+	return k == LocalAction || k == LocalReusableWorkflow
 }

internal/gha/parse_test.go

@@ -79,6 +79,7 @@ func TestParseUses(t *testing.T) {
 				want: GitHubAction{
 					Owner:   "foo",
 					Project: "bar",
+					Path:    "baz",
 					Ref:     "v2",
 				},
 			},
@@ -110,9 +111,17 @@ func TestParseUses(t *testing.T) {
 					t.Errorf("Incorrect project (got %q, want %q)", got, want)
 				}
 
+				if got, want := got.Path, tt.want.Path; got != want {
+					t.Errorf("Incorrect path (got %q, want %q)", got, want)
+				}
+
 				if got, want := got.Ref, tt.want.Ref; got != want {
 					t.Errorf("Incorrect ref (got %q, want %q)", got, want)
 				}
+
+				if got, want := got.Kind, tt.want.Kind; got != want {
+					t.Errorf("Incorrect kind (got %q, want %q)", got, want)
+				}
 			})
 		}
 	})

internal/ghasum/atoms.go

@@ -216,7 +216,7 @@ func find(cfg *Config) (tree, error) {
 				if err != nil {
 					return root, fmt.Errorf("action manifest parsing failed for %s: %v", action, err)
 				}
-			case gha.ReusableWorkflow:
+			case gha.ReusableWorkflow, gha.LocalReusableWorkflow:
 				transitive, err = gha.WorkflowActions(repo.FS(), action.Path)
 				if err != nil {
 					return root, fmt.Errorf("reusable workflow parsing failed for %s: %v", action, err)

testdata/verify/problems.txtar

@@ -1,20 +1,22 @@
 # Checksum mismatch - Repo
 ! exec ghasum verify -offline -cache .cache/ mismatch/
-stdout '4 problem\(s\) occurred during validation:'
+stdout '5 problem\(s\) occurred during validation:'
 stdout 'checksum mismatch for "actions/checkout@v4"'
 stdout 'checksum mismatch for "actions/github-script@v8"'
 stdout 'checksum mismatch for "actions/setup-go@v5"'
 stdout 'checksum mismatch for "actions/setup-java@v4"'
+stdout 'checksum mismatch for "actions/setup-python@v6"'
 ! stdout 'Ok'
 ! stderr .
 
 # Checksum mismatch - Workflow
 ! exec ghasum verify -offline -cache .cache/ mismatch/.github/workflows/workflow.yml
-stdout '4 problem\(s\) occurred during validation:'
+stdout '5 problem\(s\) occurred during validation:'
 stdout 'checksum mismatch for "actions/checkout@v4"'
 stdout 'checksum mismatch for "actions/github-script@v8"'
 stdout 'checksum mismatch for "actions/setup-go@v5"'
 stdout 'checksum mismatch for "actions/setup-java@v4"'
+stdout 'checksum mismatch for "actions/setup-python@v6"'
 ! stdout 'Ok'
 ! stderr .
 
@@ -33,6 +35,13 @@ stdout 'checksum mismatch for "actions/github-script@v8"'
 ! stdout 'Ok'
 ! stderr .
 
+# Checksum mismatch - Local reusable workflow
+! exec ghasum verify -offline -cache .cache/ mismatch/.github/workflows/workflow.yml:local-reusable-workflow
+stdout '1 problem\(s\) occurred during validation:'
+stdout 'checksum mismatch for "actions/setup-python@v6"'
+! stdout 'Ok'
+! stderr .
+
 # Checksum mismatch - Transitive, manifest
 ! exec ghasum verify -offline -cache .cache/ mismatch/.github/workflows/workflow.yml:transitive-manifest
 stdout '1 problem\(s\) occurred during validation:'
@@ -49,19 +58,21 @@ stdout 'checksum mismatch for "actions/setup-java@v4"'
 
 # Checksum missing - Repo
 ! exec ghasum verify -offline -cache .cache/ missing/
-stdout '3 problem\(s\) occurred during validation:'
+stdout '4 problem\(s\) occurred during validation:'
 stdout 'no checksum found for "actions/github-script@v8"'
 stdout 'no checksum found for "actions/setup-go@v5"'
 stdout 'no checksum found for "actions/setup-java@v4"'
+stdout 'no checksum found for "actions/setup-python@v6"'
 ! stdout 'Ok'
 ! stderr .
 
 # Checksum missing - Workflow
 ! exec ghasum verify -offline -cache .cache/ missing/.github/workflows/workflow.yml
-stdout '3 problem\(s\) occurred during validation:'
+stdout '4 problem\(s\) occurred during validation:'
 stdout 'no checksum found for "actions/github-script@v8"'
 stdout 'no checksum found for "actions/setup-go@v5"'
 stdout 'no checksum found for "actions/setup-java@v4"'
+stdout 'no checksum found for "actions/setup-python@v6"'
 ! stdout 'Ok'
 ! stderr .
 
@@ -79,6 +90,13 @@ stdout 'no checksum found for "actions/github-script@v8"'
 ! stdout 'Ok'
 ! stderr .
 
+# Checksum missing - Local reusable workflow
+! exec ghasum verify -offline -cache .cache/ missing/.github/workflows/workflow.yml:local-reusable-workflow
+stdout '1 problem\(s\) occurred during validation:'
+stdout 'no checksum found for "actions/setup-python@v6"'
+! stdout 'Ok'
+! stderr .
+
 # Checksum missing - Transitive, manifest
 ! exec ghasum verify -offline -cache .cache/ missing/.github/workflows/workflow.yml:transitive-manifest
 stdout '1 problem\(s\) occurred during validation:'
@@ -128,6 +146,18 @@ actions/github-script@v8 this-is-intentionally-incorrect
 actions/reusable@v2 /PcY8RI/utekzCyLUiLOEeL3FpJ96/FJVRbb5LBLmkU=
 actions/setup-go@v5 this-is-intentionally-incorrect
 actions/setup-java@v4 this-is-intentionally-incorrect
+actions/setup-python@v6 this-is-intentionally-incorrect
+-- mismatch/.github/workflows/reusable.yml --
+name: Reusable workflow
+on: [workflow_call]
+
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Install Python
+      uses: actions/setup-python@v6
 -- mismatch/.github/workflows/workflow.yml --
 name: Example workflow
 on: [push]
@@ -151,6 +181,9 @@ jobs:
     steps:
     - name: This step uses a local action
       uses: ./.github/actions/hello-world-action
+  local-reusable-workflow:
+    name: example local reusable workflow
+    uses: ./.github/workflows/reusable.yml
   transitive-manifest:
     name: example transitive action
     runs-on: ubuntu-24.04
@@ -177,6 +210,17 @@ version 1
 actions/checkout@v4 +34igsJdK09ZFEkVNQ+ZoyZnIlg48X3bm4ZaGGlX5o8=
 actions/composite@v1 VHsmCNCNfU2qFyTntn14sMoZL1UOOyne/omuQUvzQfA=
 actions/reusable@v2 /PcY8RI/utekzCyLUiLOEeL3FpJ96/FJVRbb5LBLmkU=
+-- missing/.github/workflows/reusable.yml --
+name: Reusable workflow
+on: [workflow_call]
+
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Install Python
+      uses: actions/setup-python@v6
 -- missing/.github/workflows/workflow.yml --
 name: Example workflow
 on: [push]
@@ -200,6 +244,9 @@ jobs:
     steps:
     - name: This step uses a local action
       uses: ./.github/actions/hello-world-action
+  local-reusable-workflow:
+    name: example local reusable workflow
+    uses: ./.github/workflows/reusable.yml
   transitive-manifest:
     name: example transitive action
     runs-on: ubuntu-24.04
@@ -254,3 +301,5 @@ jobs:
 name: actions/setup-go@v5
 -- .cache/actions/setup-java/v4/action.yml --
 name: actions/setup-java@v4
+-- .cache/actions/setup-python/v6/action.yml --
+name: actions/setup-python@v6