add check for empty github workflow uses

spencerschrock · spencerschrock · commit aefe44a615e0 · 2025-10-27T11:09:04.000-06:00
The value isn't actually empty in the testcase which triggered the panic, but our GitHub workflow library doesn't currently support parsing GitHub's new YAML anchors/aliases. https://github.blog/changelog/2025-09-18-actions-yaml-anchors-and-non-public-workflow-templates/ Signed-off-by: Spencer Schrock <sschrock@google.com>
diff --git a/checks/raw/pinned_dependencies.go b/checks/raw/pinned_dependencies.go
@@ -789,7 +789,7 @@ var validateGitHubActionWorkflow fileparser.DoWhileTrueOnFileContent = func(
 					fmt.Sprintf("unable to parse step '%v' for job '%v'", jobName, stepName))
 			}
 
-			if execAction == nil || execAction.Uses == nil {
+			if execAction == nil || execAction.Uses == nil || execAction.Uses.Value == "" {
 				// Cannot check further, continue.
 				continue
 			}
diff --git a/checks/raw/pinned_dependencies_test.go b/checks/raw/pinned_dependencies_test.go
@@ -77,6 +77,11 @@ func TestGithubWorkflowPinning(t *testing.T) {
 			filename: "./testdata/.github/workflows/github-workflow-unknown-os.yaml",
 			warns:    2, // 1 in job with unknown OS, 1 in job with known OS
 		},
+		{
+			name:     "YAML anchor usage doesn't panic",
+			filename: "./testdata/.github/workflows/workflow-anchor.yaml",
+			warns:    1, // anchor definition is unpinned, but alias isn't supported by actionlint
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/checks/raw/testdata/.github/workflows/workflow-anchor.yaml b/checks/raw/testdata/.github/workflows/workflow-anchor.yaml
@@ -0,0 +1,30 @@
+# Copyright 2025 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: CI
+
+on:
+  push:
+
+jobs:
+  yaml-anchor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Upload coverage artifact
+        uses: &actions-upload-artifact actions/upload-artifact@v4.6.2
+
+  yaml-alias:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Upload coverage artifact
+        uses: *actions-upload-artifact

Original file line number	Diff line number	Diff line change
`@@ -789,7 +789,7 @@ var validateGitHubActionWorkflow fileparser.DoWhileTrueOnFileContent = func(`
`789`	`789`	`fmt.Sprintf("unable to parse step '%v' for job '%v'", jobName, stepName))`
`790`	`790`	`}`
`791`	`791`
`792`		`- if execAction == nil \|\| execAction.Uses == nil {`
	`792`	`+ if execAction == nil \|\| execAction.Uses == nil \|\| execAction.Uses.Value == "" {`
`793`	`793`	`// Cannot check further, continue.`
`794`	`794`	`continue`
`795`	`795`	`}`