Compute checksums for reusable workflows

Expand the initialization, updating, and verification to cover reusable
workflows in the checksums, including the transitive actions used in
those reusable workflows. A reusable workflow is a workflow that is
referenced in the `uses:` value of a job and is simply some other
workflow that will run when that job would [1].

Also, correct a typo in the output when there verification detected
problems.

--
1. https://docs.github.com/en/actions/sharing-automations/reusing-workflows

Author: ericcornelissen

CHANGELOG.md

@@ -15,8 +15,11 @@ Versioning].
 ### Enhancements
 
 - Correct typo in the `ghasum help verify` output.
+- Correct typo in the `ghasum verify` output.
 - Enable cache eviction on `ghasum init`.
 - Ensure `ghasum verify` outcome is linked to `gha.sum` content.
+- Include reusable workflows in `gha.sum`, including transitive actions used in
+  reusable workflows.
 
 ## [v0.4.0] - 2025-04-27
 

SPECIFICATION.md

@@ -90,14 +90,25 @@ Redundant checksums are ignored by this process.
 ### Collecting Actions
 
 To determine the set of actions a target depends on, first find all `uses:`
-entries in the target. For a repository this covers all workflows in the
-workflows directory, otherwise it covers only the target.
+entries in the target, both at the step- and job-level. For a repository this,
+covers all workflows in the workflows directory, otherwise it covers only the
+target.
 
 For each `uses:` value, excluding the list below, it is added to the set. If the
-`-no-transitive` option is NOT set the repository declared by the `uses:` value
-is fetched. The action manifest at the path specified in the `uses:` value is
-parsed for additional `uses:` values. For each of these transitive `uses:`
-values, this process is repeated.
+`-no-transitive` option is set this constitutes the set of actions. Otherwise,
+transitive actions must be collected too.
+
+For step-level `uses:` values, the action manifest of the declared action is
+parsed for (transitive) actions. This concerns the manifest at the path declared
+in the `uses:` value. If multiple actions from the same repository are used,
+each action's manifest must be handled.
+
+For job-level `uses:` values, the workflow of the declared reusable workflow is
+parsed for (transitive) actions. This concerns only the workflow at the path
+declared in the `uses:` value. If multiple reusable workflow from the same
+repository are used, each workflow must be handled.
+
+This process is repeated or each transitive `uses:` value.
 
 The following `uses:` values are to be excluded from the set of actions a
 repository depends on.
@@ -109,6 +120,14 @@ repository depends on.
   - uses: ./.github/actions/hello-world-action
   ```
 
+- Reusable workflows in the same repository as the workflow. Example:
+
+  ```yaml
+  jobs:
+    example:
+      uses: ./.github/workflows/reusable.yml
+  ```
+
 - Docker Hub Actions ([#216]). Examples:
 
   ```yaml
@@ -118,19 +137,6 @@ repository depends on.
   - uses: docker://gcr.io/cloud-builders/gradle
   ```
 
-- Reusable workflows ([#215]). Examples:
-
-  ```yaml
-  jobs:
-    call-workflow-1-in-local-repo:
-      uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
-    call-workflow-2-in-local-repo:
-      uses: ./.github/workflows/workflow-2.yml
-    call-workflow-in-another-repo:
-      uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
-  ```
-
-[#215]: https://github.com/chains-project/ghasum/issues/215
 [#216]: https://github.com/chains-project/ghasum/issues/216
 
 ### Computing Checksums

cmd/ghasum/verify.go

@@ -103,7 +103,7 @@ func cmdVerify(argv []string) error {
 
 	if cnt := len(problems); cnt > 0 {
 		var sb strings.Builder
-		sb.WriteString(fmt.Sprintf("%d problems(s) occurred during validation:\n", cnt))
+		sb.WriteString(fmt.Sprintf("%d problem(s) occurred during validation:\n", cnt))
 		for _, problem := range problems {
 			sb.WriteString(fmt.Sprintf("  %s\n", problem))
 		}

internal/gha/actions.go

@@ -48,6 +48,18 @@ func actionsInWorkflows(workflows []workflow) ([]GitHubAction, error) {
 			if err != nil {
 				return nil, err
 			}
+
+			if job.Uses != "" {
+				action, err := parseUses(job.Uses)
+				if errors.Is(err, ErrLocalAction) {
+					continue
+				} else if err != nil {
+					return nil, err
+				}
+
+				action.Kind = ReusableWorkflow
+				unique[actionId(action)] = action
+			}
 		}
 	}
 
@@ -68,13 +80,17 @@ func actionsInSteps(steps []step, m map[string]GitHubAction) error {
 			return err
 		}
 
-		id := fmt.Sprintf("%s%s%s%s", action.Owner, action.Project, action.Path, action.Ref)
-		m[id] = action
+		action.Kind = Action
+		m[actionId(action)] = action
 	}
 
 	return nil
 }
 
+func actionId(action GitHubAction) string {
+	return fmt.Sprintf("%s%s%s%s", action.Owner, action.Project, action.Path, action.Ref)
+}
+
 func workflowsInRepo(repo fs.FS) ([]workflowFile, error) {
 	workflows := make([]workflowFile, 0)
 	walk := func(entryPath string, entry fs.DirEntry, err error) error {

internal/gha/actions_test.go

@@ -360,6 +360,30 @@ func TestActionsInWorkflows(t *testing.T) {
 				},
 				want: 1,
 			},
+			"job with local reusable workflow": {
+				in: []workflow{
+					{
+						Jobs: map[string]job{
+							"example": {
+								Uses: "./.github/workflows/workflow-2.yml",
+							},
+						},
+					},
+				},
+				want: 0,
+			},
+			"job with external reusable workflow": {
+				in: []workflow{
+					{
+						Jobs: map[string]job{
+							"example": {
+								Uses: "octo-org/another-repo/.github/workflows/workflow.yml@v1",
+							},
+						},
+					},
+				},
+				want: 1,
+			},
 		}
 
 		for name, tt := range testCases {
@@ -386,7 +410,18 @@ func TestActionsInWorkflows(t *testing.T) {
 		}
 
 		testCases := map[string]TestCase{
-			"invalid uses value": {
+			"invalid job uses value": {
+				in: []workflow{
+					{
+						Jobs: map[string]job{
+							"example": {
+								Uses: "this isn't a reusable workflow",
+							},
+						},
+					},
+				},
+			},
+			"invalid step uses value": {
 				in: []workflow{
 					{
 						Jobs: map[string]job{

internal/gha/gha.go

@@ -36,8 +36,32 @@ type GitHubAction struct {
 	// Ref is the git ref (branch, tag, commit SHA), also known as version, of the
 	// GitHub Action.
 	Ref string
+
+	// Kind is the [ActionKind] of the GitHub Action.
+	Kind ActionKind
 }
 
+// ActionKind identifies the type of reusable component in GitHub Action.
+type ActionKind uint8
+
+const (
+	_ ActionKind = iota
+
+	// Action represent a GitHub Actions component that is an "action".
+	//
+	// An action is a path in a repository that has an Action manifest, i.e. a
+	// file named either action.yml, action.yaml, or Dockerfile. These are used
+	// in the `uses:` value of steps.
+	Action
+
+	// ReusableWorkflow represent a GitHub Actions component that is a "reusable
+	// workflow".
+	//
+	// A reusable workflow is a workflow in a repository with the appropriate
+	// workflow trigger. These are used in the `uses:` value of workflow jobs.
+	ReusableWorkflow
+)
+
 // WorkflowsPath is the relative path to the GitHub Actions workflow directory.
 var WorkflowsPath = filepath.Join(".github", "workflows")
 
@@ -139,3 +163,11 @@ func ManifestActions(repo fs.FS, path string) ([]GitHubAction, error) {
 
 	return actions, nil
 }
+
+func (a GitHubAction) String() string {
+	if a.Path == "" {
+		return fmt.Sprintf("%s/%s@%s", a.Owner, a.Project, a.Ref)
+	} else {
+		return fmt.Sprintf("%s/%s/%s@%s", a.Owner, a.Project, a.Path, a.Ref)
+	}
+}