Merge branch 'main' into refactor/nested-api/worker

.github/workflows/codeql-analysis.yml

@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+      uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+      uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+      uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7

.github/workflows/reviewdog.yml

@@ -23,7 +23,7 @@ jobs:
         check-latest: true
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@8e1117c7d327bbfb1eb7ec8dc2d895d13e6e17c3 # v2.6.0
+      uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1
       with:
         github_token: ${{ secrets.github_token }}
         golangci_lint_flags: "--config=.golangci.yml --timeout=5m"
@@ -47,7 +47,7 @@ jobs:
         check-latest: true
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@8e1117c7d327bbfb1eb7ec8dc2d895d13e6e17c3 # v2.6.0
+      uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1
       with:
         github_token: ${{ secrets.github_token }}
         golangci_lint_flags: "--config=.golangci.yml --timeout=5m"

.github/workflows/test.yml

@@ -28,7 +28,7 @@ jobs:
         make test
 
     - name: coverage
-      uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2
+      uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         file: coverage.out

api/secret/create.go

@@ -234,6 +234,14 @@ func CreateSecret(c *gin.Context) {
 		input.SetAllowCommand(true)
 	}
 
+	// default to not allow substitution for shared secrets
+	if strings.EqualFold(input.GetType(), constants.SecretShared) && input.AllowSubstitution == nil {
+		input.SetAllowSubstitution(false)
+		input.SetAllowCommand(false)
+	} else if input.AllowSubstitution == nil {
+		input.SetAllowSubstitution(true)
+	}
+
 	// check if secret is a shared secret
 	if strings.EqualFold(t, constants.SecretShared) {
 		// update the team instead of repo

api/secret/update.go

@@ -152,6 +152,10 @@ func UpdateSecret(c *gin.Context) {
 		input.SetAllowCommand(input.GetAllowCommand())
 	}
 
+	if input.AllowSubstitution != nil {
+		input.SetAllowSubstitution(input.GetAllowSubstitution())
+	}
+
 	// check if secret is a shared secret
 	if strings.EqualFold(t, constants.SecretShared) {
 		// update the team instead of repo

database/integration_test.go

@@ -2315,6 +2315,7 @@ func newResources() *Resources {
 	secretOrg.SetEvents([]string{"push", "tag", "deployment"})
 	secretOrg.SetAllowEvents(library.NewEventsFromMask(1))
 	secretOrg.SetAllowCommand(true)
+	secretOrg.SetAllowSubstitution(true)
 	secretOrg.SetCreatedAt(time.Now().UTC().Unix())
 	secretOrg.SetCreatedBy("octocat")
 	secretOrg.SetUpdatedAt(time.Now().Add(time.Hour * 1).UTC().Unix())
@@ -2332,6 +2333,7 @@ func newResources() *Resources {
 	secretRepo.SetEvents([]string{"push", "tag", "deployment"})
 	secretRepo.SetAllowEvents(library.NewEventsFromMask(1))
 	secretRepo.SetAllowCommand(true)
+	secretRepo.SetAllowSubstitution(true)
 	secretRepo.SetCreatedAt(time.Now().UTC().Unix())
 	secretRepo.SetCreatedBy("octocat")
 	secretRepo.SetUpdatedAt(time.Now().Add(time.Hour * 1).UTC().Unix())
@@ -2348,6 +2350,7 @@ func newResources() *Resources {
 	secretShared.SetImages([]string{"alpine"})
 	secretShared.SetEvents([]string{"push", "tag", "deployment"})
 	secretShared.SetAllowCommand(true)
+	secretShared.SetAllowSubstitution(true)
 	secretShared.SetAllowEvents(library.NewEventsFromMask(1))
 	secretShared.SetCreatedAt(time.Now().UTC().Unix())
 	secretShared.SetCreatedBy("octocat")

database/secret/create_test.go

@@ -60,23 +60,23 @@ func TestSecret_Engine_CreateSecret(t *testing.T) {
 
 	// ensure the mock expects the repo secrets query
 	_mock.ExpectQuery(`INSERT INTO "secrets"
-("org","repo","team","name","value","type","images","events","allow_events","allow_command","created_at","created_by","updated_at","updated_by","id")
-VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15) RETURNING "id"`).
-		WithArgs("foo", "bar", nil, "baz", AnyArgument{}, "repo", nil, nil, 1, false, 1, "user", 1, "user2", 1).
+("org","repo","team","name","value","type","images","events","allow_events","allow_command","allow_substitution","created_at","created_by","updated_at","updated_by","id")
+VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16) RETURNING "id"`).
+		WithArgs("foo", "bar", nil, "baz", AnyArgument{}, "repo", nil, nil, 1, false, false, 1, "user", 1, "user2", 1).
 		WillReturnRows(_rows)
 
 	// ensure the mock expects the org secrets query
 	_mock.ExpectQuery(`INSERT INTO "secrets"
-("org","repo","team","name","value","type","images","events","allow_events","allow_command","created_at","created_by","updated_at","updated_by","id")
-VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15) RETURNING "id"`).
-		WithArgs("foo", "*", nil, "bar", AnyArgument{}, "org", nil, nil, 3, false, 1, "user", 1, "user2", 2).
+("org","repo","team","name","value","type","images","events","allow_events","allow_command","allow_substitution","created_at","created_by","updated_at","updated_by","id")
+VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16) RETURNING "id"`).
+		WithArgs("foo", "*", nil, "bar", AnyArgument{}, "org", nil, nil, 3, false, false, 1, "user", 1, "user2", 2).
 		WillReturnRows(_rows)
 
 	// ensure the mock expects the shared secrets query
 	_mock.ExpectQuery(`INSERT INTO "secrets"
-("org","repo","team","name","value","type","images","events","allow_events","allow_command","created_at","created_by","updated_at","updated_by","id")
-VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15) RETURNING "id"`).
-		WithArgs("foo", nil, "bar", "baz", AnyArgument{}, "shared", nil, nil, 1, false, 1, "user", 1, "user2", 3).
+("org","repo","team","name","value","type","images","events","allow_events","allow_command","allow_substitution","created_at","created_by","updated_at","updated_by","id")
+VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16) RETURNING "id"`).
+		WithArgs("foo", nil, "bar", "baz", AnyArgument{}, "shared", nil, nil, 1, false, false, 1, "user", 1, "user2", 3).
 		WillReturnRows(_rows)
 
 	_sqlite := testSqlite(t)

database/secret/get_org_test.go

@@ -32,8 +32,8 @@ func TestSecret_Engine_GetSecretForOrg(t *testing.T) {
 
 	// create expected result in mock
 	_rows := sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(1, "org", "foo", "*", "", "baz", "bar", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(1, "org", "foo", "*", "", "baz", "bar", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE type = $1 AND org = $2 AND name = $3 LIMIT $4`).

database/secret/get_repo_test.go

@@ -42,8 +42,8 @@ func TestSecret_Engine_GetSecretForRepo(t *testing.T) {
 
 	// create expected result in mock
 	_rows := sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE type = $1 AND org = $2 AND repo = $3 AND name = $4 LIMIT $5`).

database/secret/get_team_test.go

@@ -32,8 +32,8 @@ func TestSecret_Engine_GetSecretForTeam(t *testing.T) {
 
 	// create expected result in mock
 	_rows := sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(1, "shared", "foo", "", "bar", "baz", "foob", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(1, "shared", "foo", "", "bar", "baz", "foob", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE type = $1 AND org = $2 AND team = $3 AND name = $4 LIMIT $5`).

database/secret/get_test.go

@@ -31,8 +31,8 @@ func TestSecret_Engine_GetSecret(t *testing.T) {
 
 	// create expected result in mock
 	_rows := sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE id = $1 LIMIT $2`).WithArgs(1, 1).WillReturnRows(_rows)

database/secret/list_org_test.go

@@ -52,9 +52,9 @@ func TestSecret_Engine_ListSecretsForOrg(t *testing.T) {
 
 	// create expected name query result in mock
 	_rows = sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(2, "org", "foo", "*", "", "bar", "baz", nil, nil, 1, false, 1, "user", 1, "user2").
-		AddRow(1, "org", "foo", "*", "", "baz", "bar", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(2, "org", "foo", "*", "", "bar", "baz", nil, nil, 1, false, false, 1, "user", 1, "user2").
+		AddRow(1, "org", "foo", "*", "", "baz", "bar", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the name query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE type = $1 AND org = $2 ORDER BY id DESC LIMIT $3`).

database/secret/list_repo_test.go

@@ -63,9 +63,9 @@ func TestSecret_Engine_ListSecretsForRepo(t *testing.T) {
 
 	// create expected name query result in mock
 	_rows = sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(2, "repo", "foo", "bar", "", "foob", "baz", nil, nil, 1, false, 1, "user", 1, "user2").
-		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(2, "repo", "foo", "bar", "", "foob", "baz", nil, nil, 1, false, false, 1, "user", 1, "user2").
+		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the name query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE type = $1 AND org = $2 AND repo = $3 ORDER BY id DESC LIMIT $4`).

database/secret/list_team_test.go

@@ -53,9 +53,9 @@ func TestSecret_Engine_ListSecretsForTeam(t *testing.T) {
 
 	// create expected name query result in mock
 	_rows = sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(2, "shared", "foo", "", "bar", "foob", "baz", nil, nil, 1, false, 1, "user", 1, "user2").
-		AddRow(1, "shared", "foo", "", "bar", "baz", "foob", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(2, "shared", "foo", "", "bar", "foob", "baz", nil, nil, 1, false, false, 1, "user", 1, "user2").
+		AddRow(1, "shared", "foo", "", "bar", "baz", "foob", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the name query
 	_mock.ExpectQuery(`SELECT * FROM "secrets" WHERE type = $1 AND org = $2 AND team = $3 ORDER BY id DESC LIMIT $4`).

database/secret/list_test.go

@@ -50,9 +50,9 @@ func TestSecret_Engine_ListSecrets(t *testing.T) {
 
 	// create expected result in mock
 	_rows = sqlmock.NewRows(
-		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "created_at", "created_by", "updated_at", "updated_by"}).
-		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, 1, "user", 1, "user2").
-		AddRow(2, "repo", "foo", "bar", "", "foob", "baz", nil, nil, 1, false, 1, "user", 1, "user2")
+		[]string{"id", "type", "org", "repo", "team", "name", "value", "images", "events", "allow_events", "allow_command", "allow_substitution", "created_at", "created_by", "updated_at", "updated_by"}).
+		AddRow(1, "repo", "foo", "bar", "", "baz", "foob", nil, nil, 1, false, false, 1, "user", 1, "user2").
+		AddRow(2, "repo", "foo", "bar", "", "foob", "baz", nil, nil, 1, false, false, 1, "user", 1, "user2")
 
 	// ensure the mock expects the query
 	_mock.ExpectQuery(`SELECT * FROM "secrets"`).WillReturnRows(_rows)

database/secret/secret_test.go

@@ -210,21 +210,22 @@ func testRepo() *library.Repo {
 // Secret type with all fields set to their zero values.
 func testSecret() *library.Secret {
 	return &library.Secret{
-		ID:           new(int64),
-		Org:          new(string),
-		Repo:         new(string),
-		Team:         new(string),
-		Name:         new(string),
-		Value:        new(string),
-		Type:         new(string),
-		Images:       new([]string),
-		Events:       new([]string),
-		AllowEvents:  testEvents(),
-		AllowCommand: new(bool),
-		CreatedAt:    new(int64),
-		CreatedBy:    new(string),
-		UpdatedAt:    new(int64),
-		UpdatedBy:    new(string),
+		ID:                new(int64),
+		Org:               new(string),
+		Repo:              new(string),
+		Team:              new(string),
+		Name:              new(string),
+		Value:             new(string),
+		Type:              new(string),
+		Images:            new([]string),
+		Events:            new([]string),
+		AllowEvents:       testEvents(),
+		AllowCommand:      new(bool),
+		AllowSubstitution: new(bool),
+		CreatedAt:         new(int64),
+		CreatedBy:         new(string),
+		UpdatedAt:         new(int64),
+		UpdatedBy:         new(string),
 	}
 }
 

database/secret/table.go

@@ -14,21 +14,22 @@ const (
 CREATE TABLE
 IF NOT EXISTS
 secrets (
-	id            SERIAL PRIMARY KEY,
-	type          VARCHAR(100),
-	org           VARCHAR(250),
-	repo          VARCHAR(250),
-	team          VARCHAR(250),
-	name          VARCHAR(250),
-	value         BYTEA,
-	images        VARCHAR(1000),
-	events        VARCHAR(1000),
-	allow_events  INTEGER,
-	allow_command BOOLEAN,
-	created_at    INTEGER,
-	created_by    VARCHAR(250),
-	updated_at    INTEGER,
-	updated_by    VARCHAR(250),
+	id                 SERIAL PRIMARY KEY,
+	type               VARCHAR(100),
+	org                VARCHAR(250),
+	repo               VARCHAR(250),
+	team               VARCHAR(250),
+	name               VARCHAR(250),
+	value              BYTEA,
+	images             VARCHAR(1000),
+	events             VARCHAR(1000),
+	allow_events       INTEGER,
+	allow_command      BOOLEAN,
+	allow_substitution BOOLEAN,
+	created_at         INTEGER,
+	created_by         VARCHAR(250),
+	updated_at         INTEGER,
+	updated_by         VARCHAR(250),
 	UNIQUE(type, org, repo, name),
 	UNIQUE(type, org, team, name)
 );
@@ -39,21 +40,22 @@ secrets (
 CREATE TABLE
 IF NOT EXISTS
 secrets (
-	id            INTEGER PRIMARY KEY AUTOINCREMENT,
-	type          TEXT,
-	org           TEXT,
-	repo          TEXT,
-	team          TEXT,
-	name          TEXT,
-	value         TEXT,
-	images        TEXT,
-	events        TEXT,
-	allow_events  INTEGER,
-	allow_command BOOLEAN,
-	created_at    INTEGER,
-	created_by	  TEXT,
-	updated_at    INTEGER,
-	updated_by    TEXT,
+	id                 INTEGER PRIMARY KEY AUTOINCREMENT,
+	type               TEXT,
+	org                TEXT,
+	repo               TEXT,
+	team               TEXT,
+	name               TEXT,
+	value              TEXT,
+	images             TEXT,
+	events             TEXT,
+	allow_events       INTEGER,
+	allow_command      BOOLEAN,
+	allow_substitution BOOLEAN,
+	created_at         INTEGER,
+	created_by	       TEXT,
+	updated_at         INTEGER,
+	updated_by         TEXT,
 	UNIQUE(type, org, repo, name),
 	UNIQUE(type, org, team, name)
 );