diff --git a/pkg/parser/schema_test.go b/pkg/parser/schema_test.go
index 5bdc9eab3b3..240ccaefa63 100644
--- a/pkg/parser/schema_test.go
+++ b/pkg/parser/schema_test.go
@@ -1412,6 +1412,39 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) {
 },
 wantErr: false,
 },
+ // id-token permission validation - id-token only supports "write" and "none", not "read"
+ // See: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#defining-access-for-the-github_token-scopes
+ {
+ name: "invalid: id-token: read is not allowed (only write and none)",
+ frontmatter: map[string]any{
+ "on": "workflow_dispatch",
+ "permissions": map[string]any{
+ "id-token": "read",
+ },
+ },
+ wantErr: true,
+ errContains: "id-token",
+ },
+ {
+ name: "valid: id-token: write is allowed",
+ frontmatter: map[string]any{
+ "on": "workflow_dispatch",
+ "permissions": map[string]any{
+ "id-token": "write",
+ },
+ },
+ wantErr: false,
+ },
+ {
+ name: "valid: id-token: none is allowed",
+ frontmatter: map[string]any{
+ "on": "workflow_dispatch",
+ "permissions": map[string]any{
+ "id-token": "none",
+ },
+ },
+ wantErr: false,
+ },
 }
 for _, tt := range tests {
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index c2f6168f017..3f50865abbb 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -1534,8 +1534,8 @@
 },
 "id-token": {
 "type": "string",
- "enum": ["read", "write", "none"],
- "description": "Permission level for OIDC token requests (read/write/none). Allows workflows to request JWT tokens for cloud provider authentication."
+ "enum": ["write", "none"],
+ "description": "Permission level for OIDC token requests (write/none only - read is not supported). Allows workflows to request JWT tokens for cloud provider authentication."
 },
 "issues": {
 "type": "string",
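Review bot: The rewritten description on the `id-token` entry still says the scope "Allows workflows to request JWT tokens" regardless of value, so a reader cannot tell from the schema which level actually grants that privilege; the same entry in pkg/workflow/schemas/github-workflow.json (later in this diff) carries no description at all. Since this string is what surfaces in editor hover text and validation output, spell out the two levels: `"description": "Permission level for OIDC token requests. Valid values are \"write\" (the job may request an OIDC JWT for cloud-provider federation) and \"none\"; \"read\" is not a supported level for this scope."`. Giving the github-workflow.json entry the same description would keep the two schemas in step.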
diff --git a/pkg/workflow/idtoken_write_warning_test.go b/pkg/workflow/idtoken_write_warning_test.go
index e547ddb0fc8..0618618320b 100644
--- a/pkg/workflow/idtoken_write_warning_test.go
+++ b/pkg/workflow/idtoken_write_warning_test.go
@@ -16,9 +16,10 @@ import (
 // TestIdTokenWriteWarning tests that id-token: write permission emits a warning
 func TestIdTokenWriteWarning(t *testing.T) {
 tests := []struct {
- name string
- content string
- expectWarning bool
+ name string
+ content string
+ expectWarning bool
+ expectCompileFail bool
 }{
 {
 name: "id-token write produces warning",
@@ -35,7 +36,7 @@ permissions:
 expectWarning: true,
 },
 {
- name: "id-token read does not produce warning",
+ name: "id-token read is invalid and compilation fails",
 content: `---
 on: workflow_dispatch
 engine: copilot
@@ -46,7 +47,8 @@ permissions:
 # Test Workflow
 `,
- expectWarning: false,
+ expectWarning: false,
+ expectCompileFail: true,
 },
 {
 name: "no id-token does not produce warning",
@@ -129,6 +131,14 @@ engine: copilot
 io.Copy(&buf, r)
 stderrOutput := buf.String()
+ // Handle cases where compilation is expected to fail
+ if tt.expectCompileFail {
+ if err == nil {
+ t.Errorf("Expected compilation to fail but it succeeded")
+ }
+ return
+ }
+
 if err != nil {
 t.Errorf("Expected compilation to succeed but it failed: %v", err)
 return
diff --git a/pkg/workflow/schemas/github-workflow.json b/pkg/workflow/schemas/github-workflow.json
index 4587e33ccad..f43bac7de3d 100644
--- a/pkg/workflow/schemas/github-workflow.json
+++ b/pkg/workflow/schemas/github-workflow.json
@@ -181,7 +181,8 @@
 "$ref": "#/definitions/permissions-level"
 },
 "id-token": {
- "$ref": "#/definitions/permissions-level"
+ "type": "string",
+ "enum": ["write", "none"]
 },
 "issues": {
 "$ref": "#/definitions/permissions-level"
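Review bot: In the `@@ -129` hunk the new `expectCompileFail` branch only checks `err == nil`, so a compile failure for any unrelated reason (a typo in the fixture, a missing engine, a later schema change elsewhere) would still pass the `id-token read` case and the test would stop pinning the rejection this commit introduces. Tighten it to `} else if !strings.Contains(err.Error(), "id-token") { t.Errorf("Expected failure to mention id-token, got: %v", err) }` before the `return`; if the schema message is written to stderr rather than returned, check `stderrOutput` instead, and add `strings` to the import block if it is not already there (the block is outside this hunk). With the early return in place, the `expectWarning: false` kept on that case in the `@@ -46` hunk is never consulted; dropping it or commenting `// unused when expectCompileFail is set` avoids a misleading expectation. TestIdTokenWriteWarning's body starts and ends outside these hunks.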
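Review bot: Replacing the `$ref` with an inline `"type"`/`"enum"` on `id-token` drops whatever `#/definitions/permissions-level` carries beyond the value list (its description or any extra constraints), and the entry is the only scope in this section that no longer goes through the shared definition. If this file tracks the upstream SchemaStore github-workflow.json — the removed `$ref` line is how that schema describes `id-token` — the local edit would be silently lost on the next refresh, and JSON allows no comment to flag it; record the divergence wherever the file's provenance is noted and keep a test that validates `id-token: read` against this schema and expects failure (the idtoken_write_warning_test change in this diff does that indirectly, a direct schema test would be more robust). A named definition such as `"permissions-level-id-token"` referenced from here would keep the section uniform and make the divergence easy to spot on a future merge.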