Documentation
Overview
Package validation provides shared pipeline configuration validation utilities that are used by both the workflow engine (at startup) and the wfctl CLI tool (as static analysis). This avoids duplicating logic between the two consumers.
Index
- func ExtractSQLColumns(query string) []string
- func GenerateChallenge(adminSecret, rejectionHash string, t time.Time) string
- func ParseAPIHeaderOverride(r *http.Request) (string, bool)
- func ParsePRCommentOverride(comment string) (string, bool)
- func ParseWorkflowDispatchOverride(inputs map[string]string) (string, bool)
- func TokenFromParts(words []string) string
- func VerifyChallenge(adminSecret, rejectionHash, token string, t time.Time) bool
- type RefValidationResult
Constants
This section is empty.
Variables
This section is empty.
Functions
func ExtractSQLColumns
ExtractSQLColumns parses a SQL SELECT statement and returns the column names (or aliases) from the SELECT clause.
func GenerateChallenge (added in v0.10.1)
GenerateChallenge generates a 3-word HMAC challenge token for the given rejection hash using the admin secret, anchored to the 1-hour bucket of t. Pass time.Now() for normal use; pass a fixed time in tests for determinism.
adminSecret should come from an environment variable (e.g. WFCTL_ADMIN_SECRET).
func ParseAPIHeaderOverride (added in v0.10.1)
ParseAPIHeaderOverride extracts an override token from the X-Workflow-Override HTTP request header. Returns (token, true) if present, ("", false) otherwise.
func ParsePRCommentOverride (added in v0.10.1)
ParsePRCommentOverride extracts an override token from a GitHub PR comment. The expected format is "/wfctl-override <token>". Returns (token, true) if found, ("", false) otherwise.
func ParseWorkflowDispatchOverride (added in v0.10.1)
ParseWorkflowDispatchOverride extracts an override token from GitHub Actions workflow_dispatch inputs. Looks for the key "override_token" in the inputs map. Returns (token, true) if present, ("", false) otherwise.
func TokenFromParts (added in v0.10.1)
TokenFromParts joins three BIP-39 words with hyphens (inverse of parsing).
func VerifyChallenge (added in v0.10.1)
VerifyChallenge returns true if token matches the expected challenge for the given rejection hash at time t. It checks both the current and previous 1-hour buckets to provide a grace period across bucket boundaries. Comparison is constant-time to prevent timing side-channel attacks.
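The bucketed challenge scheme described for GenerateChallenge and VerifyChallenge, as an added sketch that is not this package's implementation. The names exampleGenerate, exampleVerify and bucketToken, the use of HMAC-SHA256, the message layout and the 16-word list (a constructed stand-in for BIP-39) are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
	"time"
)

// demoWords is a constructed 16-word stand-in for the 2048-word BIP-39 list.
var demoWords = []string{"acid", "bean", "coal", "dune", "echo", "fern", "gold", "hawk",
	"iris", "jade", "kelp", "lime", "moss", "nest", "opal", "pine"}

// bucketToken maps HMAC-SHA256(secret, hash|bucket) to three hyphen-joined words.
// The message layout is an assumption made for this example.
func bucketToken(secret, rejectionHash string, bucket int64) string {
	mac := hmac.New(sha256.New, []byte(secret))
	fmt.Fprintf(mac, "%s|%d", rejectionHash, bucket)
	sum := mac.Sum(nil)
	words := make([]string, 3)
	for i := range words {
		words[i] = demoWords[int(sum[i])%len(demoWords)]
	}
	return strings.Join(words, "-")
}

// exampleGenerate returns the token for the 1-hour bucket that contains t.
func exampleGenerate(secret, rejectionHash string, t time.Time) string {
	return bucketToken(secret, rejectionHash, t.Unix()/3600)
}

// exampleVerify accepts a token from the current or the previous bucket.
// Both candidates are always compared, each in constant time, with no early return.
func exampleVerify(secret, rejectionHash, token string, t time.Time) bool {
	cur := t.Unix() / 3600
	ok := 0
	for _, bucket := range []int64{cur, cur - 1} {
		want := bucketToken(secret, rejectionHash, bucket)
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(token))
	}
	return ok == 1
}

func main() {
	issued := time.Date(2024, 1, 1, 10, 59, 0, 0, time.UTC) // constructed timestamp
	tok := exampleGenerate("constructed-secret", "constructed-hash", issued)
	fmt.Println(tok, exampleVerify("constructed-secret", "constructed-hash", tok, issued.Add(30*time.Minute)))
}
```

A token issued at 10:59 still verifies at 11:29 because the previous bucket is checked, so the effective lifetime of a token is between one and two hours depending on when in the bucket it was issued.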
Types
type RefValidationResult
RefValidationResult holds the outcome of pipeline template reference validation. Warnings are suspicious but non-fatal references; Errors are definitively wrong.
func ValidatePipelineTemplateRefs
func ValidatePipelineTemplateRefs(pipelines map[string]any, reg ...*schema.StepSchemaRegistry) *RefValidationResult
ValidatePipelineTemplateRefs validates all pipeline step template expressions in the given pipelines map for dangling step references and output field mismatches. It performs the same checks as `wfctl template validate` at the pipeline template level.
The pipelines parameter is expected to be a map[string]any where each value is a pipeline config map containing a "steps" field (as parsed from YAML).
An optional *schema.StepSchemaRegistry may be provided to supply plugin-registered step schemas. When absent, a default built-in registry is created once and reused across all pipelines.
func (*RefValidationResult) HasIssues
func (r *RefValidationResult) HasIssues() bool
HasIssues returns true when there are any warnings or errors.