Include transitive dependencies of local actions

Update the dependency tree resolution mechanism to consider the
dependencies of a project's local actions. Such dependencies are
consider as direct dependencies as the project which contains the local
action. The result of this choice is that depenencies of a local action
of the target repository are not considered transitive (which is
desired)

Author: ericcornelissen

internal/gha/actions.go

@@ -73,13 +73,17 @@ func actionsInSteps(steps []step, m map[string]GitHubAction) error {
 		}
 
 		action, err := parseUses(uses)
-		if errors.Is(err, ErrLocalAction) || errors.Is(err, ErrDockerUses) {
+		switch {
+		case err == nil:
+			action.Kind = Action
+		case errors.Is(err, ErrLocalAction):
+			action.Kind = LocalAction
+		case errors.Is(err, ErrDockerUses):
 			continue
-		} else if err != nil {
+		default:
 			return err
 		}
 
-		action.Kind = Action
 		m[actionId(action)] = action
 	}
 

internal/gha/gha.go

@@ -55,6 +55,14 @@ const (
 	// in the `uses:` value of steps.
 	Action
 
+	// LocalAction represent a GitHub Action component local to the parent
+	// project that is an "action".
+	//
+	// A local action is a path that is part of the parent repository that has
+	// an Action manifest, i.e. a file named either action.yml, action.yaml, or
+	// Dockerfile.
+	LocalAction
+
 	// ReusableWorkflow represent a GitHub Actions component that is a "reusable
 	// workflow".
 	//
@@ -177,11 +185,15 @@ func (a GitHubAction) String() string {
 
 func (k ActionKind) String() string {
 	switch k {
-	case Action:
+	case Action, LocalAction:
 		return "action"
 	case ReusableWorkflow:
 		return "reusable workflow"
 	default:
 		panic("unknown action kind " + string(k))
 	}
 }
+
+func (k ActionKind) IsLocal() bool {
+	return k == LocalAction
+}

internal/gha/parse.go

@@ -68,6 +68,7 @@ func parseUses(uses string) (GitHubAction, error) {
 	// uses values that don't fit the [GitHubAction] model
 	switch {
 	case strings.HasPrefix(uses, "./"):
+		a.Path = uses
 		return a, ErrLocalAction
 	case strings.HasPrefix(uses, "docker://"):
 		return a, ErrDockerUses

internal/ghasum/atoms.go

@@ -187,18 +187,31 @@ func find(cfg *Config) (tree, error) {
 		action := actions[i]
 		parent := parents[i]
 
-		actionDir, err := clone(cfg, &action)
-		if err != nil {
-			return root, err
+		project := &action
+		if action.Kind.IsLocal() {
+			project = parent.value
 		}
 
-		subtree := tree{value: &action}
-		if cfg.Transitive {
-			repo, _ := os.OpenRoot(actionDir)
+		dir := cfg.Path
+		if project != nil {
+			dir, err = clone(cfg, project)
+			if err != nil {
+				return root, err
+			}
+		}
+
+		current := parent
+		if !action.Kind.IsLocal() {
+			current = &tree{value: &action}
+			parent.add(current)
+		}
+
+		if cfg.Transitive || action.Kind.IsLocal() {
+			repo, _ := os.OpenRoot(dir)
 
 			var transitive []gha.GitHubAction
 			switch action.Kind {
-			case gha.Action:
+			case gha.Action, gha.LocalAction:
 				transitive, err = gha.ManifestActions(repo.FS(), action.Path)
 				if err != nil {
 					return root, fmt.Errorf("action manifest parsing failed for %s: %v", action, err)
@@ -212,11 +225,9 @@ func find(cfg *Config) (tree, error) {
 
 			for _, action := range transitive {
 				actions = append(actions, action)
-				parents = append(parents, &subtree)
+				parents = append(parents, current)
 			}
 		}
-
-		parent.add(&subtree)
 	}
 
 	return root, nil

testdata/init/error.txtar

@@ -24,6 +24,13 @@ stderr 'an unexpected error occurred'
 stderr 'could not parse manifest'
 stderr 'action manifest parsing failed for actions/composite@v1'
 
+# Invalid local action manifest
+! exec ghasum init -cache .cache/ invalid-local-manifest/
+! stdout 'Ok'
+stderr 'an unexpected error occurred'
+stderr 'could not parse manifest'
+stderr 'action manifest parsing failed for //./.github/actions/hello-world-action'
+
 # Invalid reusable workflow
 ! exec ghasum init -cache .cache/ invalid-reusable-workflow/
 ! stdout 'Ok'
@@ -62,6 +69,28 @@ jobs:
       uses: golangci/golangci-lint-action@3a91952
     - name: This step does not use an action
       run: Echo 'hello world!'
+-- invalid-local-manifest/.github/actions/hello-world-action/action.yml --
+name: Hello world action
+description: Says 'Hello world!'
+
+runs:
+  using: composite
+  steps:
+- name: Say hello world
+  uses: actions/github-script@v8.0.0
+  with:
+    script: console.log("Hello world!");
+-- invalid-local-manifest/.github/workflows/workflow.yml --
+name: Example workflow
+on: [push]
+
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-24.04
+    steps:
+    - name: This step uses a local action
+      uses: ./.github/actions/hello-world-action
 -- invalid-manifest/.github/workflows/workflow.yml --
 name: Example workflow
 on: [push]

testdata/init/success.txtar

@@ -12,6 +12,17 @@ stdout 'Ok'
 ! stderr .
 cmp target/.github/workflows/gha.sum .want/gha-no-transitive.sum
 
+-- target/.github/actions/hello-world-action/action.yml --
+name: Hello world action
+description: Says 'Hello world!'
+
+runs:
+  using: composite
+  steps:
+  - name: Say hello world
+    uses: actions/github-script@v8.0.0
+    with:
+      script: console.log("Hello world!");
 -- target/.github/workflows/workflow.yml --
 name: Example workflow
 on: [push]
@@ -49,6 +60,8 @@ runs:
     uses: actions/setup-go@v5.0.0
   - name: Unique transitive dependency
     uses: actions/setup-node@v4.4.0
+-- .cache/actions/github-script/v8.0.0/action.yml --
+name: actions/github-script@v8.0.0
 -- .cache/actions/reusable/v2/.github/workflows/workflow.yml --
 name: Example reusable workflow
 on: [workflow_dispatch]
@@ -73,6 +86,7 @@ version 1
 
 actions/checkout@main JHipZi1UCvybC3fwi9RFLTK8vpI/gURTga/ColyHI4k=
 actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
+actions/github-script@v8.0.0 dogzpuS7aUONFkCn/ICEFTALznP9/Gi8A3rCCqTXDVk=
 actions/reusable@v2 zCF1tlA0Wi4rFqhOZMt4LgdAyga7EaZrs9VrawN0A4I=
 actions/setup-go@v5.0.0 NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
 actions/setup-java@v4.7.1 ZcPr3aVvmk2yL8zkjqDUpH+YLqGwjtenFrjEk3OEZ3k=
@@ -83,6 +97,7 @@ version 1
 
 actions/checkout@main JHipZi1UCvybC3fwi9RFLTK8vpI/gURTga/ColyHI4k=
 actions/composite@v1 a3ht0IImDEBC7NqbohfejBtv7W5GdKiGJgc4OtYkjEs=
+actions/github-script@v8.0.0 dogzpuS7aUONFkCn/ICEFTALznP9/Gi8A3rCCqTXDVk=
 actions/reusable@v2 zCF1tlA0Wi4rFqhOZMt4LgdAyga7EaZrs9VrawN0A4I=
 actions/setup-go@v5.0.0 NoW6+RttcHeApXsFxN2DfY/2Oc7t0g9mgq22uJ3rAbg=
 golangci/golangci-lint-action@3a91952 QSLF4HoACNFwCWf5OL/NVMGTNTxX+RHrO/NaFzE9zAk=

testdata/list/error.txtar

@@ -18,6 +18,13 @@ stderr 'an unexpected error occurred'
 stderr 'could not parse manifest'
 stderr 'action manifest parsing failed for actions/composite@v1'
 
+# Invalid local action manifest
+! exec ghasum init -cache .cache/ invalid-local-manifest/
+! stdout 'Ok'
+stderr 'an unexpected error occurred'
+stderr 'could not parse manifest'
+stderr 'action manifest parsing failed for //./.github/actions/hello-world-action'
+
 # Invalid reusable workflow
 ! exec ghasum list -offline -cache .cache/ invalid-reusable-workflow/
 ! stdout 'Ok'
@@ -31,6 +38,28 @@ stderr 'reusable workflow parsing failed for actions/reusable/.github/workflows/
 stderr 'an unexpected error occurred'
 stderr 'no such file or directory'
 
+-- invalid-local-manifest/.github/actions/hello-world-action/action.yml --
+name: Hello world action
+description: Says 'Hello world!'
+
+runs:
+  using: composite
+  steps:
+- name: Say hello world
+  uses: actions/github-script@v8.0.0
+  with:
+    script: console.log("Hello world!");
+-- invalid-local-manifest/.github/workflows/workflow.yml --
+name: Example workflow
+on: [push]
+
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-24.04
+    steps:
+    - name: This step uses a local action
+      uses: ./.github/actions/hello-world-action
 -- invalid-manifest/.github/workflows/workflow.yml --
 name: Example workflow
 on: [push]

testdata/list/success.txtar

@@ -15,6 +15,17 @@ exec ghasum list -offline -cache .cache/ target/
 cmp stdout .want/all.txt
 ! stderr .
 
+-- target/.github/actions/hello-world-action/action.yml --
+name: Hello world action
+description: Says 'Hello world!'
+
+runs:
+  using: composite
+  steps:
+  - name: Say hello world
+    uses: actions/github-script@v8.0.0
+    with:
+      script: console.log("Hello world!");
 -- target/.github/workflows/gha.sum --
 version 1
 
@@ -62,6 +73,8 @@ runs:
     uses: actions/setup-go@v5.0.0
   - name: Unique transitive dependency
     uses: actions/setup-node@v4.4.0
+-- .cache/actions/github-script/v8.0.0/action.yml --
+name: actions/github-script@v8.0.0
 -- .cache/actions/reusable/v2/.github/workflows/workflow.yml --
 name: Example reusable workflow
 on: [workflow_dispatch]
@@ -86,13 +99,15 @@ actions/checkout@main (action)
 actions/composite@v1 (action)
   actions/setup-go@v5.0.0 (action)
   actions/setup-node@v4.4.0 (action)
+actions/github-script@v8.0.0 (action)
 actions/reusable/.github/workflows/workflow.yml@v2 (reusable workflow)
   actions/setup-java@v4.7.1 (action)
 actions/setup-go@v5.0.0 (action)
 golangci/golangci-lint-action@3a91952 (action)
 -- .want/no-transitive.txt --
 actions/checkout@main (action)
 actions/composite@v1 (action)
+actions/github-script@v8.0.0 (action)
 actions/reusable/.github/workflows/workflow.yml@v2 (reusable workflow)
 actions/setup-go@v5.0.0 (action)
 golangci/golangci-lint-action@3a91952 (action)

testdata/update/error.txtar

@@ -44,14 +44,21 @@ stderr 'an unexpected error occurred'
 stderr 'could not parse workflow'
 stderr '.github/workflows/workflow.yml'
 
-# Invalid manifest
+# Invalid action manifest
 ! exec ghasum verify -cache .cache/ invalid-manifest/
 ! stdout 'Ok'
 stderr 'an unexpected error occurred'
 stderr 'could not parse manifest'
 stderr 'action manifest parsing failed for actions/composite@v1'
 
-# Invalid reusable manifest
+# Invalid local action manifest
+! exec ghasum init -cache .cache/ invalid-local-manifest/
+! stdout 'Ok'
+stderr 'an unexpected error occurred'
+stderr 'could not parse manifest'
+stderr 'action manifest parsing failed for //./.github/actions/hello-world-action'
+
+# Invalid reusable workflow
 ! exec ghasum verify -cache .cache/ invalid-reusable-workflow/
 ! stdout 'Ok'
 stderr 'an unexpected error occurred'
@@ -64,6 +71,28 @@ stderr 'reusable workflow parsing failed for actions/reusable/.github/workflows/
 stderr 'an unexpected error occurred'
 stderr 'no such file or directory'
 
+-- invalid-local-manifest/.github/actions/hello-world-action/action.yml --
+name: Hello world action
+description: Says 'Hello world!'
+
+runs:
+  using: composite
+  steps:
+- name: Say hello world
+  uses: actions/github-script@v8.0.0
+  with:
+    script: console.log("Hello world!");
+-- invalid-local-manifest/.github/workflows/workflow.yml --
+name: Example workflow
+on: [push]
+
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-24.04
+    steps:
+    - name: This step uses a local action
+      uses: ./.github/actions/hello-world-action
 -- invalid-manifest/.github/workflows/gha.sum --
 version 1