Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package act for openSUSE:Factory checked in at 2026-01-17 21:42:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/act (Old) and /work/SRC/openSUSE:Factory/.act.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "act" Sat Jan 17 21:42:41 2026 rev:14 rq:1327801 version:0.2.84 Changes: -------- --- /work/SRC/openSUSE:Factory/act/act.changes 2025-11-21 16:57:02.135263519 +0100 +++ /work/SRC/openSUSE:Factory/.act.new.1928/act.changes 2026-01-17 21:43:48.168509547 +0100 @@ -1,0 +2,11 @@ +Fri Jan 16 12:06:02 UTC 2026 - Alice Brooks <[email protected]> + +- Remove update-crypto-cve-2025-47913.patch: This was fixed upstream in v0.2.84 +- Update to version 0.2.84: + * chore: bump VERSION to 0.2.84 + * fix: explode yaml anchors (#5987) + * chore(deps): Security update December 2025 (#5984) + * chore: bump VERSION to 0.2.83 + * chore(mergify) Add merge queue configuration to .mergify.yml (#5944) + +------------------------------------------------------------------- Old: ---- act-0.2.82.tar.xz update-crypto-cve-2025-47913.patch New: ---- act-0.2.84.tar.xz ----------(Old B)---------- Old: - Remove update-crypto-cve-2025-47913.patch: This was fixed upstream in v0.2.84 - Update to version 0.2.84: ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ act.spec ++++++ --- /var/tmp/diff_new_pack.PqT364/_old 2026-01-17 21:43:48.852537567 +0100 +++ /var/tmp/diff_new_pack.PqT364/_new 2026-01-17 21:43:48.852537567 +0100 @@ -1,7 +1,7 @@ # # spec file for package act # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2021 Orville Q. Song <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -24,7 +24,7 @@ %global provider_prefix %{provider}.%{provider_tld}/%{project} %global import_path %{provider_prefix}/%{repo} Name: act -Version: 0.2.82 +Version: 0.2.84 Release: 0 Summary: Run your GitHub Actions locally License: MIT @@ -32,8 +32,6 @@ URL: https://github.com/nektos/act Source0: %{name}-%{version}.tar.xz Source1: vendor.tar.gz -# PATCH-FIX-UPSTREAM update-crypto-cve-2025-47913.patch bsc#1253608 [email protected] -- Update golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913 (GO-2025-4116) -Patch0: update-crypto-cve-2025-47913.patch BuildRequires: golang-packaging BuildRequires: golang(API) >= 1.16 Requires: (docker or podman) @@ -46,7 +44,6 @@ %prep %setup -q %setup -q -a1 %{SOURCE1} -%patch -P 0 -p0 sed -i 's_var version = \"v0.2.27-dev\"_var version = "%{version}"_g' main.go %build ++++++ _service ++++++ --- /var/tmp/diff_new_pack.PqT364/_old 2026-01-17 21:43:48.888539041 +0100 +++ /var/tmp/diff_new_pack.PqT364/_new 2026-01-17 21:43:48.888539041 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/nektos/act.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.2.82</param> + <param name="revision">v0.2.84</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.PqT364/_old 2026-01-17 21:43:48.912540025 +0100 +++ /var/tmp/diff_new_pack.PqT364/_new 2026-01-17 21:43:48.916540189 +0100 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/nektos/act.git</param> - <param name="changesrevision">3d71542867d7cbdac6a75e540be6f64362e94de2</param> + <param name="changesrevision">d93106d194bba273d70d2ba604ea633c3f396b59</param> </service> </servicedata> (No newline at EOF) ++++++ act-0.2.82.tar.xz -> act-0.2.84.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/.mergify.yml new/act-0.2.84/.mergify.yml --- old/act-0.2.82/.mergify.yml 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/.mergify.yml 2026-01-01 03:51:14.000000000 +0100 @@ -1,3 +1,5 @@ +merge_queue: + max_parallel_checks: 1 pull_request_rules: - name: warn on conflicts @@ -49,6 +51,7 @@ queue: queue_rules: - name: default + batch_size: 1 queue_conditions: &queue_conditions - '#changes-requested-reviews-by=0' - or: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/Makefile new/act-0.2.84/Makefile --- old/act-0.2.82/Makefile 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/Makefile 2026-01-01 03:51:14.000000000 +0100 @@ -5,6 +5,7 @@ MINOR_VERSION = $(word 2, $(subst ., ,$(VERSION))) PATCH_VERSION = $(word 3, $(subst ., ,$(word 1,$(subst -, , $(VERSION))))) NEW_VERSION ?= $(MAJOR_VERSION).$(MINOR_VERSION).$(shell echo $$(( $(PATCH_VERSION) + 1)) ) +GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 fix = false ifeq (true,$(fix)) @@ -116,3 +117,13 @@ upgrade: go get -u go mod tidy + +# "$(shell go env GOROOT)/bin/go" allows us to use an outdated global go tool and use the build toolchain defined by the project +# go build auto upgrades to the same toolchain version as defined in the go.mod file +.PHONY: deps-tools +deps-tools: ## install tool dependencies + "$(shell go env GOROOT)/bin/go" install $(GOVULNCHECK_PACKAGE) + +.PHONY: security-check +security-check: deps-tools + GOEXPERIMENT= "$(shell go env GOROOT)/bin/go" run $(GOVULNCHECK_PACKAGE) -show color ./... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/VERSION new/act-0.2.84/VERSION --- old/act-0.2.82/VERSION 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/VERSION 2026-01-01 03:51:14.000000000 +0100 @@ -1 +1 @@ -0.2.82 \ No newline at end of file +0.2.84 \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/go.mod new/act-0.2.84/go.mod --- old/act-0.2.82/go.mod 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/go.mod 2026-01-01 03:51:14.000000000 +0100 @@ -19,7 +19,7 @@ github.com/mattn/go-isatty v0.0.20 github.com/moby/patternmatcher v0.6.0 github.com/opencontainers/image-spec v1.1.1 - github.com/opencontainers/selinux v1.12.0 + github.com/opencontainers/selinux v1.13.1 github.com/pkg/errors v0.9.1 github.com/rhysd/actionlint v1.7.7 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 @@ -29,7 +29,7 @@ github.com/stretchr/testify v1.11.1 github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928 go.etcd.io/bbolt v1.4.3 - golang.org/x/term v0.35.0 + golang.org/x/term v0.38.0 gopkg.in/yaml.v3 v3.0.1 gotest.tools/v3 v3.5.2 ) @@ -51,7 +51,7 @@ github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect - github.com/cyphar/filepath-securejoin v0.4.1 // indirect + github.com/cyphar/filepath-securejoin v0.5.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -61,7 +61,7 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-viper/mapstructure/v2 v2.3.0 // indirect + github.com/go-viper/mapstructure/v2 v2.4.0 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/google/go-cmp v0.7.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect @@ -100,12 +100,12 @@ go.opentelemetry.io/otel/metric v1.33.0 // indirect go.opentelemetry.io/otel/sdk v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.33.0 // indirect - golang.org/x/crypto v0.37.0 // indirect + golang.org/x/crypto v0.46.0 // indirect golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect - golang.org/x/net v0.39.0 // indirect - golang.org/x/sync v0.13.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/text v0.24.0 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/sync v0.19.0 // indirect + golang.org/x/sys v0.39.0 // indirect + golang.org/x/text v0.32.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/go.sum new/act-0.2.84/go.sum --- old/act-0.2.82/go.sum 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/go.sum 2026-01-01 03:51:14.000000000 +0100 @@ -40,8 +40,8 @@ github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48= +github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -80,8 +80,8 @@ github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= -github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= @@ -154,8 +154,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= -github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8= -github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U= +github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE= +github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg= github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4= github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -238,8 +238,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE= -golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc= +golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -247,12 +247,12 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= -golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610= -golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -266,19 +266,19 @@ golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= -golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= -golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= +golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= +golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0= -golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/pkg/model/action.go new/act-0.2.84/pkg/model/action.go --- old/act-0.2.82/pkg/model/action.go 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/pkg/model/action.go 2026-01-01 03:51:14.000000000 +0100 @@ -100,6 +100,11 @@ } func (a *Action) UnmarshalYAML(node *yaml.Node) error { + // TODO enable after verifying that this runner side feature has rolled out in actions/runner + // // Resolve yaml anchor aliases first + // if err := resolveAliases(node); err != nil { + // return err + // } // Validate the schema before deserializing it into our model if err := (&schema.Node{ Definition: "action-root", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/pkg/model/anchors.go new/act-0.2.84/pkg/model/anchors.go --- old/act-0.2.82/pkg/model/anchors.go 1970-01-01 01:00:00.000000000 +0100 +++ new/act-0.2.84/pkg/model/anchors.go 2026-01-01 03:51:14.000000000 +0100 @@ -0,0 +1,38 @@ +package model + +import ( + "errors" + + "gopkg.in/yaml.v3" +) + +func resolveAliasesExt(node *yaml.Node, path map[*yaml.Node]bool, skipCheck bool) error { + if !skipCheck && path[node] { + return errors.New("circular alias") + } + switch node.Kind { + case yaml.AliasNode: + aliasTarget := node.Alias + if aliasTarget == nil { + return errors.New("unresolved alias node") + } + path[node] = true + *node = *aliasTarget + if err := resolveAliasesExt(node, path, true); err != nil { + return err + } + delete(path, node) + + case yaml.DocumentNode, yaml.MappingNode, yaml.SequenceNode: + for _, child := range node.Content { + if err := resolveAliasesExt(child, path, false); err != nil { + return err + } + } + } + return nil +} + +func resolveAliases(node *yaml.Node) error { + return resolveAliasesExt(node, map[*yaml.Node]bool{}, false) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/pkg/model/anchors_test.go new/act-0.2.84/pkg/model/anchors_test.go --- old/act-0.2.82/pkg/model/anchors_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/act-0.2.84/pkg/model/anchors_test.go 2026-01-01 03:51:14.000000000 +0100 @@ -0,0 +1,114 @@ +package model + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "gopkg.in/yaml.v3" +) + +func TestVerifyNilAliasError(t *testing.T) { + var node yaml.Node + err := yaml.Unmarshal([]byte(` +test: +- a +- b +- c`), &node) + *node.Content[0].Content[1].Content[1] = yaml.Node{ + Kind: yaml.AliasNode, + } + assert.NoError(t, err) + err = resolveAliases(&node) + assert.Error(t, err) +} + +func TestVerifyNoRecursion(t *testing.T) { + table := []struct { + name string + yaml string + yamlErr bool + anchorErr bool + }{ + { + name: "no anchors", + yaml: ` +a: x +b: y +c: z +`, + yamlErr: false, + anchorErr: false, + }, + { + name: "simple anchors", + yaml: ` +a: &a x +b: &b y +c: *a +`, + yamlErr: false, + anchorErr: false, + }, + { + name: "nested anchors", + yaml: ` +a: &a + val: x +b: &b + val: y +c: *a +`, + yamlErr: false, + anchorErr: false, + }, + { + name: "circular anchors", + yaml: ` +a: &b + ref: *c +b: &c + ref: *b +`, + yamlErr: true, + anchorErr: false, + }, + { + name: "self-referencing anchor", + yaml: ` +a: &a + ref: *a +`, + yamlErr: false, + anchorErr: true, + }, + { + name: "reuse snippet with anchors", + yaml: ` +a: &b x +b: &a + ref: *b +c: *a +`, + yamlErr: false, + anchorErr: false, + }, + } + + for _, tt := range table { + t.Run(tt.name, func(t *testing.T) { + var node yaml.Node + err := yaml.Unmarshal([]byte(tt.yaml), &node) + if tt.yamlErr { + assert.Error(t, err) + return + } + assert.NoError(t, err) + err = resolveAliases(&node) + if tt.anchorErr { + assert.Error(t, err) + } else { + assert.NoError(t, err) + } + }) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/pkg/model/workflow.go new/act-0.2.84/pkg/model/workflow.go --- old/act-0.2.82/pkg/model/workflow.go 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/pkg/model/workflow.go 2026-01-01 03:51:14.000000000 +0100 @@ -69,6 +69,10 @@ } func (w *Workflow) UnmarshalYAML(node *yaml.Node) error { + // Resolve yaml anchor aliases first + if err := resolveAliases(node); err != nil { + return err + } // Validate the schema before deserializing it into our model if err := (&schema.Node{ Definition: "workflow-root", @@ -83,6 +87,10 @@ type WorkflowStrict Workflow func (w *WorkflowStrict) UnmarshalYAML(node *yaml.Node) error { + // Resolve yaml anchor aliases first + if err := resolveAliases(node); err != nil { + return err + } // Validate the schema before deserializing it into our model if err := (&schema.Node{ Definition: "workflow-root-strict", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/act-0.2.82/pkg/model/workflow_test.go new/act-0.2.84/pkg/model/workflow_test.go --- old/act-0.2.82/pkg/model/workflow_test.go 2025-10-01 04:36:13.000000000 +0200 +++ new/act-0.2.84/pkg/model/workflow_test.go 2026-01-01 03:51:14.000000000 +0100 @@ -560,3 +560,55 @@ _, err := ReadWorkflow(strings.NewReader(yaml), true) assert.Error(t, err, "read workflow should succeed") } + +func TestReadWorkflow_AnchorStrict(t *testing.T) { + yaml := ` +on: push + +jobs: + test: + runs-on: &runner ubuntu-latest + steps: + - uses: &checkout actions/checkout@v5 + test2: + runs-on: *runner + steps: + - uses: *checkout +` + + w, err := ReadWorkflow(strings.NewReader(yaml), true) + assert.NoError(t, err, "read workflow should succeed") + + for _, job := range w.Jobs { + assert.Equal(t, []string{"ubuntu-latest"}, job.RunsOn()) + assert.Equal(t, "actions/checkout@v5", job.Steps[0].Uses) + } +} + +func TestReadWorkflow_Anchor(t *testing.T) { + yaml := ` + +jobs: + test: + runs-on: &runner ubuntu-latest + steps: + - uses: &checkout actions/checkout@v5 + test2: &job + runs-on: *runner + steps: + - uses: *checkout + - run: echo $TRIGGER + env: + TRIGGER: &trigger push + test3: *job +on: push #*trigger +` + + w, err := ReadWorkflow(strings.NewReader(yaml), false) + assert.NoError(t, err, "read workflow should succeed") + + for _, job := range w.Jobs { + assert.Equal(t, []string{"ubuntu-latest"}, job.RunsOn()) + assert.Equal(t, "actions/checkout@v5", job.Steps[0].Uses) + } +} ++++++ vendor.tar.gz ++++++ ++++ 16861 lines of diff (skipped)
