@Copilot Copilot AI commented Aug 20, 2025

This PR strengthens the validation of frontmatter schemas by setting additionalProperties: false at all object levels and aligning allowed keys with the official GitHub Actions schema. Previously, several types allowed additional properties, resulting in weak validation and acceptance of unexpected keys.

Key Changes

Enhanced Schema Validation

  • Set additionalProperties: false at all object levels in main_workflow_schema.json
  • Added comprehensive validation that rejects any properties not explicitly listed
  • Improved error messages with precise location information for invalid properties

GitHub Actions Schema Alignment

  • Added missing standard properties: defaults, jobs
  • Enhanced permissions with all official GitHub Actions permissions: attestations, id-token, packages, pages, repository-projects
  • Added missing trigger types like pull_request_review_comment
  • Updated permissions enum values to match official schema (read-all, write-all)

Project-Specific Extensions

  • Maintained support for agentic workflow features: engine, tools, claude, cache, output, etc.
  • Enhanced GitHub tools configuration with MCP properties (use_docker_mcp, docker_image_version)
  • Improved claude configuration to support allowed property structure
  • Fixed steps and post-steps to support both object and array formats

Comprehensive Test Coverage

  • Added 15+ new test cases validating additional properties rejection
  • Tests cover all nesting levels: permissions, triggers, tools, concurrency, etc.
  • Enhanced location-based error reporting tests
  • Validates both positive (valid) and negative (invalid) scenarios

Example

Before this change, invalid frontmatter like this would pass validation:

---
on: push
permissions:
  contents: read
  invalid_permission: write  # This would be accepted
tools:
  github:
    allowed: [create_issue]
    invalid_property: value   # This would be accepted
---

After this change, the schema properly rejects these invalid properties with clear error messages:

error: additional properties 'invalid_permission' not allowed
error: additional properties 'invalid_property' not allowed

Backwards Compatibility

All existing workflows continue to work without changes. The enhanced validation only rejects truly invalid configurations while maintaining full support for:

  • All standard GitHub Actions properties
  • All project-specific agentic workflow features
  • Existing workflow files and test cases

Fixes #131.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.contoso.com
    • Triggering command: /tmp/go-build1090515667/b278/cli.test -test.testlogfile=/tmp/go-build1090515667/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
    • Triggering command: /tmp/go-build988858831/b278/cli.test -test.testlogfile=/tmp/go-build988858831/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
    • Triggering command: /tmp/go-build3175447768/b278/cli.test -test.testlogfile=/tmp/go-build3175447768/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • www.schemastore.org
    • Triggering command: curl -s REDACTED (dns block)


…false

- Updated main_workflow_schema.json to set additionalProperties: false at all object levels
- Added missing standard GitHub Actions properties (defaults, jobs, new permissions)
- Enhanced permissions schema to match official GitHub Actions specification
- Added missing trigger types (pull_request_review_comment)
- Fixed tools configuration to support MCP-specific properties
- Expanded test coverage with comprehensive validation tests for additional properties
- All existing functionality preserved with improved validation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@Copilot Copilot AI changed the title from "[WIP] Restrict frontmatter schema with additionalProperties: false, align with GitHub Actions schema, and add tests" to "Restrict frontmatter schema with additionalProperties: false and align with GitHub Actions schema" Aug 20, 2025
@Copilot Copilot AI requested a review from pelikhan August 20, 2025 07:16
Copilot finished work on behalf of pelikhan August 20, 2025 07:16
@pelikhan pelikhan marked this pull request as ready for review August 20, 2025 11:24
@dsyme dsyme merged commit 4723bfd into main Aug 20, 2025
6 checks passed
@dsyme dsyme deleted the copilot/fix-131 branch August 20, 2025 19:10
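
Added example (not code from this PR or the project): why `additionalProperties: false` has to be set at every object level, using the invalid frontmatter from the PR description. The miniature schema and the helpers `parse`, `rejected` and `check` are constructed for illustration; the checker handles only `properties` and `additionalProperties`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed miniature schema (not the project's); %s sets additionalProperties on nested objects.
const schemaTmpl = `{"additionalProperties":false,"properties":{"on":{},
 "permissions":{"additionalProperties":%s,"properties":{"contents":{}}},
 "tools":{"additionalProperties":false,"properties":{
   "github":{"additionalProperties":%s,"properties":{"allowed":{}}}}}}}`

// The PR's invalid frontmatter, shown here already decoded from YAML.
const frontmatter = `{"on":"push",
 "permissions":{"contents":"read","invalid_permission":"write"},
 "tools":{"github":{"allowed":["create_issue"],"invalid_property":"value"}}}`

func parse(s string) (m map[string]any) {
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		panic(err)
	}
	return m
}

// rejected lists paths of keys in doc that schema refuses. A level refuses
// unknown keys only when its own additionalProperties is false.
func rejected(schema, doc map[string]any, path string) (out []string) {
	props, _ := schema["properties"].(map[string]any)
	for key, val := range doc {
		sub, known := props[key].(map[string]any)
		child, isObj := val.(map[string]any)
		if !known && schema["additionalProperties"] == false {
			out = append(out, path+"/"+key)
		} else if known && isObj {
			out = append(out, rejected(sub, child, path+"/"+key)...)
		}
	}
	sort.Strings(out)
	return out
}

func check(nested string) []string {
	return rejected(parse(fmt.Sprintf(schemaTmpl, nested, nested)), parse(frontmatter), "")
}

func main() {
	fmt.Println("open:", check("true"), "closed:", check("false"))
}
```

With the nested levels left open, the closed root object still lets both unexpected keys through; closing every level reports each one with its location.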