7497d4c80b
test(wfe-yaml): add deno E2E integration tests
...
29 tests covering full YAML-to-execution round trips:
- Basic deno workflows (arithmetic, string output, inputs, multi-step)
- Fetch with wiremock (GET JSON, POST, permission-denied)
- Mixed shell + deno workflows (both orderings)
- File-based deno steps and module imports
- Error propagation with terminate behavior and on_failure hooks
- Compiler verification (factories, permissions, timeout, env, modules)
- Validation (reject missing config/script, accept valid configs)
162 total deno tests, 326 total workspace tests.
2026-03-26 00:14:12 +00:00
1a84da40bf
feat(wfe-yaml): add HTTP ops, module loader, and npm support via esm.sh
...
Phase 4 — Permission-gated HTTP fetch op:
- op_fetch with net permission check on every request
- globalThis.fetch() wrapper with .json()/.text() methods
- Supports GET/POST/PUT/DELETE with headers and body
Phase 5 — Module loader:
- WfeModuleLoader resolving npm: → esm.sh, https://, file://, relative paths
- All resolution paths permission-checked
- Bare path resolution (/) for esm.sh sub-module redirects
- Dynamic import rejection unless permissions.dynamic_import: true
- esm.sh auto-added to net allowlist when modules declared
Mandatory npm integration test (is-number via esm.sh).
25 new tests. 133 total deno tests, 326 total workspace tests.
2026-03-25 23:02:51 +00:00
6fec7dbab5
feat(wfe-yaml): add deno_core JS/TS executor with sandboxed permissions
...
Secure JavaScript/TypeScript execution in workflow steps via deno_core,
behind the `deno` feature flag.
Security features:
- Per-step permission system: net host allowlist, filesystem read/write
path restrictions, env var allowlist, subprocess spawn control
- V8 heap limits (64MB default) prevent memory exhaustion
- Execution timeout with V8 isolate termination for sync infinite loops
- Path traversal detection blocks ../ escape attempts
- Dynamic import rejection unless explicitly enabled
Workflow I/O ops:
- inputs() — read workflow data as JSON
- output(key, value) — set step outputs
- log(message) — structured tracing
Architecture:
- JsRuntime runs on dedicated thread (V8 is !Send)
- PermissionChecker enforced on every I/O op via OpState
- DenoStep implements StepBody, integrates with existing compiler
- Step type dispatch: "shell" or "deno" in YAML
34 new tests (12 permission unit, 3 config, 2 runtime, 18 integration).
2026-03-25 22:32:07 +00:00
ce68e4beed
test(wfe-yaml): coverage pass to 90%+ and fix duration parsing bug
...
Added 51 tests: compiler hooks/parallel/error behavior (20),
validation error paths (15), shell integration tests (7),
lib.rs file loading (5), interpolation edge cases (4).
Fixed parse_duration_ms: "ms" suffix was unreachable because
strip_suffix('s') matched first. Now checks "ms" before "s".
Coverage: 40% → 90.3%. 326 total workspace tests.
2026-03-25 21:42:26 +00:00
b89563af63
feat(wfe-yaml): add YAML workflow definitions with shell executor
...
Concourse-CI-inspired YAML format for defining workflows. Compiles
to standard WorkflowDefinition + step factories.
Features:
- Schema parsing with serde_yaml (YamlWorkflow, YamlStep, StepConfig)
- ((var.path)) interpolation from config maps at load time
- YAML anchors (&anchor/*alias) fully supported
- Validation at load time (no runtime surprises)
- Shell executor: runs commands via tokio::process, captures stdout,
parses ##wfe[output name=value] annotations for structured outputs
- Compiler: sequential wiring, parallel blocks, on_failure/on_success/
ensure hooks, error behavior mapping
- Public API: load_workflow(), load_workflow_from_str()
- 23 tests (schema, interpolation, compiler, e2e)
2026-03-25 21:32:00 +00:00
