fix(ci): cve-watch fails to load — empty template in a comment #12

Merged
zach merged 1 commit from fix/cve-watch-empty-template into main 2026-06-06 05:50:27 +00:00
Owner

cve-watch has been failing at load since #8 merged — every scheduled run errored before any step executed, with a cryptic "unexpected end of input ... expecting IDENT" schema error.

Root cause: Forgejo's expression preprocessor scans the entire run: script — shell # comments included — for double-curly templates. The comment added in #8 explaining why we expand $cve_block as a shell variable (rather than a runner template) literally contained an empty double-curly template. The parser rejects that, so the whole workflow failed schema validation and never ran.

It slipped through because yamllint sees valid YAML and the dev box can't run Forgejo's act parser.

Two changes:

  • cve-watch.yml: reword the comment to describe the template without writing its literal syntax. Verified: 0 empty templates, 0 ${{ in comments, all 8 remaining expressions valid, yamllint clean.
  • validate.yml: new workflow-expressions job that fails on (a) any empty double-curly template and (b) a template inside a shell comment, across all workflows — the exact class yamllint can't catch. Its own comments/messages avoid the literal syntax so it never self-trips (verified).

Once merged, cve-watch loads and runs hourly again, and the CVE-listing feature from #8 will exercise on the next real upstream tag (it never has — the workflow's been broken at load since #8).

fix(ci): cve-watch fails to load — empty double-curly template in a comment
All checks were successful
validate / shellcheck (pull_request) Successful in 12s
validate / yamllint (pull_request) Successful in 13s
validate / workflow-expressions (pull_request) Successful in 4s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
508058e1b8
Forgejo's expression preprocessor scans the entire run: script, shell
comments included, for double-curly templates. The comment added in #8 to
explain why we expand $cve_block as a shell variable (rather than a runner
template) literally contained an EMPTY double-curly template. The parser
rejects that with "unexpected end of input ... expecting IDENT", so the
whole workflow failed schema validation and never ran — every scheduled
cve-watch since #8 errored at load.

yamllint passed it (the file is valid YAML) and the macOS dev box can't run
Forgejo's act parser, so it slipped through. Two changes:

- cve-watch.yml: reword the comment to describe the template without
  writing its literal double-curly syntax.
- validate.yml: new `workflow-expressions` job failing on (a) any empty
  double-curly template and (b) a template inside a shell comment, across
  all workflows — the exact class yamllint can't catch. Its own comments
  and messages avoid the literal syntax so it never flags itself.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zach merged commit 644012cf71 into main 2026-06-06 05:50:27 +00:00
zach deleted branch fix/cve-watch-empty-template 2026-06-06 05:50:30 +00:00
Reference
unredacted/linux-hardened-unredacted!12