cue.dev/x/githubactions@v0.4.0

Workflow.cue

  1package githubactions
  2
  3import (
  4	"struct"
  5	"strings"
  6)
  7
  8#Workflow: {
  9	@jsonschema(schema="http://json-schema.org/draft-07/schema#")
 10	@jsonschema(id="https://json.schemastore.org/github-workflow.json")
 11	close({
 12		// The name of your workflow. GitHub displays the names of your
 13		// workflows on your repository's actions page. If you omit this
 14		// field, GitHub sets the name to the workflow's filename.
 15		"name"?: string
 16
 17		// The name of the GitHub event that triggers the workflow. You
 18		// can provide a single event string, array of events, array of
 19		// event types, or an event configuration map that schedules a
 20		// workflow or restricts the execution of a workflow to specific
 21		// files, tags, or branch changes. For a list of available
 22		// events, see
 23		// https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.
 24		"on"!: matchN(1, [#event, [...#event] & [_, ...], close({
 25			"branch_protection_rule"?: #eventObject
 26			"check_run"?:              #eventObject
 27			"check_suite"?:            #eventObject
 28			"create"?:                 #eventObject
 29			"delete"?:                 #eventObject
 30			"deployment"?:             #eventObject
 31			"deployment_status"?:      #eventObject
 32			"discussion"?:             #eventObject
 33			"discussion_comment"?:     #eventObject
 34			"fork"?:                   #eventObject
 35			"gollum"?:                 #eventObject
 36			"issue_comment"?:          #eventObject
 37			"issues"?:                 #eventObject
 38			"label"?:                  #eventObject
 39			"merge_group"?:            #eventObject
 40			"milestone"?:              #eventObject
 41			"page_build"?:             #eventObject
 42			"project"?:                #eventObject
 43			"project_card"?:           #eventObject
 44			"project_column"?:         #eventObject
 45			"public"?:                 #eventObject
 46
 47			// Runs your workflow anytime the pull_request event occurs. More
 48			// than one activity type triggers this event. For information
 49			// about the REST API, see https://developer.github.com/v3/pulls.
 50			// Note: Workflows do not run on private base repositories when
 51			// you open a pull request from a forked repository.
 52			// When you create a pull request from a forked repository to the
 53			// base repository, GitHub sends the pull_request event to the
 54			// base repository and no pull request events occur on the forked
 55			// repository.
 56			// Workflows don't run on forked repositories by default. You must
 57			// enable GitHub Actions in the Actions tab of the forked
 58			// repository.
 59			// The permissions for the GITHUB_TOKEN in forked repositories are
 60			// read-only. For more information about the GITHUB_TOKEN, see
 61			// https://help.github.com/en/articles/virtual-environments-for-github-actions.
   			//
   			// Schema shape: the value is either null or a struct that meets
   			// all four constraints inside matchN(4, ...): the closed set of
   			// filter fields, plus three matchN(0, ...) terms that reject a
   			// struct setting both a filter and its "-ignore" counterpart
   			// (branches, tags, paths).
 62			"pull_request"?: matchN(1, [null, matchN(4, [close({
 63				"types"?:           #types
 64				"branches"?:        #branch
 65				"branches-ignore"?: #branch
 66				"tags"?:            #branch
 67				"tags-ignore"?:     #branch
 68				"paths"?:           #path
 69				"paths-ignore"?:    #path
 70			}), matchN(0, [null | bool | number | string | [...] | {
 71				"branches"!:        _
 72				"branches-ignore"!: _
 73				...
 74			}]) & {
 75				...
 76			}, matchN(0, [null | bool | number | string | [...] | {
 77				"tags"!:        _
 78				"tags-ignore"!: _
 79				...
 80			}]) & {
 81				...
 82			}, matchN(0, [null | bool | number | string | [...] | {
 83				"paths"!:        _
 84				"paths-ignore"!: _
 85				...
 86			}]) & {
 87				...
 88			}])])
 89			"pull_request_review"?:         #eventObject
 90			"pull_request_review_comment"?: #eventObject
 91
 92			// This event is similar to pull_request, except that it runs in
 93			// the context of the base repository of the pull request, rather
 94			// than in the merge commit. This means that you can more safely
 95			// make your secrets available to the workflows triggered by the
 96			// pull request, because only workflows defined in the commit on
 97			// the base repository are run. For example, this event allows
 98			// you to create workflows that label and comment on pull
 99			// requests, based on the contents of the event payload.
   			//
   			// Security note: because a run on this trigger can be given the
   			// base repository's secrets, treat everything that comes from
   			// the pull request (head ref, title, body, changed files) as
   			// untrusted input, and do not check out or execute the pull
   			// request's code in a job that can read those secrets.
   			//
   			// Schema shape: the value is either null or a struct that meets
   			// all four constraints inside matchN(4, ...): the closed set of
   			// filter fields, plus three matchN(0, ...) terms that reject a
   			// struct setting both a filter and its "-ignore" counterpart
   			// (branches, tags, paths).
100			"pull_request_target"?: matchN(1, [null, matchN(4, [close({
101				"types"?:           #types
102				"branches"?:        #branch
103				"branches-ignore"?: #branch
104				"tags"?:            #branch
105				"tags-ignore"?:     #branch
106				"paths"?:           #path
107				"paths-ignore"?:    #path
108			}), matchN(0, [null | bool | number | string | [...] | {
109				"branches"!:        _
110				"branches-ignore"!: _
111				...
112			}]) & {
113				...
114			}, matchN(0, [null | bool | number | string | [...] | {
115				"tags"!:        _
116				"tags-ignore"!: _
117				...
118			}]) & {
119				...
120			}, matchN(0, [null | bool | number | string | [...] | {
121				"paths"!:        _
122				"paths-ignore"!: _
123				...
124			}]) & {
125				...
126			}])])
127
128			// Runs your workflow when someone pushes to a repository branch,
129			// which triggers the push event.
130			// Note: The webhook payload available to GitHub Actions does not
131			// include the added, removed, and modified attributes in the
132			// commit object. You can retrieve the full commit object using
133			// the REST API. For more information, see
134			// https://developer.github.com/v3/repos/commits/#get-a-single-commit.
135			"push"?: matchN(1, [null, matchN(4, [close({
136				"branches"?:        #branch
137				"branches-ignore"?: #branch
138				"tags"?:            #branch
139				"tags-ignore"?:     #branch
140				"paths"?:           #path
141				"paths-ignore"?:    #path
142			}), matchN(0, [null | bool | number | string | [...] | {
143				"branches"!:        _
144				"branches-ignore"!: _
145				...
146			}]) & {
147				...
148			}, matchN(0, [null | bool | number | string | [...] | {
149				"tags"!:        _
150				"tags-ignore"!: _
151				...
152			}]) & {
153				...
154			}, matchN(0, [null | bool | number | string | [...] | {
155				"paths"!:        _
156				"paths-ignore"!: _
157				...
158			}]) & {
159				...
160			}])])
161			"registry_package"?: #eventObject
162			"release"?:          #eventObject
163			"status"?:           #eventObject
164			"watch"?:            #eventObject
165
166			// Allows workflows to be reused by other workflows.
   			// Validation note: only a struct value is checked field by
   			// field. The other alternatives (null, bool, number, string,
   			// list) validate as-is, and the trailing "..." admits keys
   			// beyond inputs, outputs and secrets.
167			"workflow_call"?: null | bool | number | string | [...] | {
168				// When using the workflow_call keyword, you can optionally
169				// specify inputs that are passed to the called workflow from the
170				// caller workflow.
171				"inputs"?: close({
172					{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$"]: close({
173						// A string description of the input parameter.
174						"description"?: string
175
176						// A boolean to indicate whether the action requires the input
177						// parameter. Set to true when the parameter is required.
178						"required"?: bool
179
180						// Required if input is defined for the on.workflow_call keyword.
181						// The value of this parameter is a string specifying the data
182						// type of the input. This must be one of: boolean, number, or
183						// string.
184						"type"!: "boolean" | "number" | "string"
185
186						// The default value is used when an input parameter isn't
187						// specified in a workflow file.
188						"default"?: bool | number | string
189					})
190					}
191				})
192
193				// When using the workflow_call keyword, you can optionally
194				// specify outputs that the called workflow makes available to
195				// the caller workflow.
196				"outputs"?: close({
197					{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$"]: close({
198						// A string description of the output parameter.
199						"description"?: string
200
201						// The value that the output parameter will be mapped to. You can
202						// set this to a string or an expression with context. For
203						// example, you can use the steps context to set the value of an
204						// output to the output value of a step.
205						"value"!: string
206					})
207					}
208				})
209
210				// A map of the secrets that can be used in the called workflow.
211				// Within the called workflow, you can use the secrets context to
212				// refer to a secret.
   				// Each entry declares only a description and a required flag;
   				// no secret value is written in this map. Non-struct values
   				// for the map or for an entry also pass validation.
213				"secrets"?: null | bool | number | string | [...] | close({
214					{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$"]: null | bool | number | string | [...] | close({
215						// A string description of the secret parameter.
216						"description"?: string
217
218						// A boolean specifying whether the secret must be supplied.
219						"required"?: bool
220					})
221					}
222				})
223				...
224			}
225
226			// You can now create workflows that are manually triggered with
227			// the new workflow_dispatch event. You will then see a 'Run
228			// workflow' button on the Actions tab, enabling you to easily
229			// trigger a run.
230			"workflow_dispatch"?: null | bool | number | string | [...] | close({
231				// Input parameters allow you to specify data that the action
232				// expects to use during runtime. GitHub stores input parameters
233				// as environment variables. Input ids with uppercase letters are
234				// converted to lowercase during runtime. We recommend using
235				// lowercase input ids.
   				// Input ids must match the key pattern below; any other key
   				// is rejected because the struct is closed.
236				"inputs"?: close({
237					{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$"]: #workflowDispatchInput}
238				})
239			})
240			"workflow_run"?:        #eventObject
241			"repository_dispatch"?: #eventObject
242
243			// You can schedule a workflow to run at specific UTC times using
244			// POSIX cron syntax
245			// (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07).
246			// You can optionally specify a timezone using an IANA timezone
247			// string
248			// (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
249			// for timezone-aware scheduling. Scheduled workflows run on the
250			// latest commit on the default or base branch. The shortest
251			// interval you can run scheduled workflows is once every 5
252			// minutes.
253			// Note: GitHub Actions does not support the non-standard syntax
254			// @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.
255			// You can use crontab guru (https://crontab.guru/) to help
256			// generate your cron syntax and confirm what time it will run.
257			// To help you get started, there is also a list of crontab guru
258			// examples (https://crontab.guru/examples.html).
259			"schedule"?: [...close({
260				// A cron expression that represents a schedule. A scheduled
261				// workflow will run at most once every 5 minutes.
262				"cron"!: string
263
264				// A string that represents the time zone a scheduled workflow
265				// will run relative to in IANA format (e.g. 'America/New_York'
266				// or 'Europe/London'). If omitted, the workflow will run
267				// relative to midnight UTC.
268				"timezone"?: string
269			})] & [_, ...]
270		})])
271		"env"?:      #env
272		"defaults"?: #defaults
273
274		// Concurrency ensures that only a single job or workflow using
275		// the same concurrency group will run at a time. A concurrency
276		// group can be any string or expression. The expression can use
277		// any context except for the secrets context.
278		// You can also specify concurrency at the workflow level.
279		// When a concurrent job or workflow is queued, if another job or
280		// workflow using the same concurrency group in the repository is
281		// in progress, the queued job or workflow will be pending. Any
282		// previously pending job or workflow in the concurrency group
283		// will be canceled. To also cancel any currently running job or
284		// workflow in the same concurrency group, specify
285		// cancel-in-progress: true.
286		"concurrency"?: matchN(1, [string, #concurrency])
287
288		// A workflow run is made up of one or more jobs. Jobs run in
289		// parallel by default. To run jobs sequentially, you can define
290		// dependencies on other jobs using the jobs.<job_id>.needs
291		// keyword.
292		// Each job runs in a fresh instance of the virtual environment
293		// specified by runs-on.
294		// You can run an unlimited number of jobs as long as you are
295		// within the workflow usage limits. For more information, see
296		// https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.
297		"jobs"!: struct.MinFields(1) & close({
298			{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$"]: matchN(1, [#normalJob, #reusableWorkflowCallJob])}
299		})
300
301		// The name for workflow runs generated from the workflow. GitHub
302		// displays the workflow run name in the list of workflow runs on
303		// your repository's 'Actions' tab.
304		"run-name"?:    string
305		"permissions"?: #permissions
306	})
307
308	#: "permissions-event": close({
   		// Per-scope access levels for the GITHUB_TOKEN. The struct is
   		// closed, so a scope name that is not listed here fails
   		// validation. Every scope is optional and has no default in this
   		// schema.
   		// NOTE(review): GitHub documents that scopes omitted from a
   		// per-scope map are set to none at run time; confirm against the
   		// current documentation.
309		"actions"?:             #."permissions-level"
310		"artifact-metadata"?:   #."permissions-level"
311		"attestations"?:        #."permissions-level"
312		"checks"?:              #."permissions-level"
313		"contents"?:            #."permissions-level"
314		"deployments"?:         #."permissions-level"
315		"discussions"?:         #."permissions-level"
316		"id-token"?:            #."permissions-level"
317		"issues"?:              #."permissions-level"
   		// Unlike the other scopes, models accepts only "read" or "none".
318		"models"?:              "read" | "none"
319		"packages"?:            #."permissions-level"
320		"pages"?:               #."permissions-level"
321		"pull-requests"?:       #."permissions-level"
322		"repository-projects"?: #."permissions-level"
323		"security-events"?:     #."permissions-level"
324		"statuses"?:            #."permissions-level"
325	})
326
327	#: "permissions-level": "read" | "write" | "none"
328
329	// Using the working-directory keyword, you can specify the
330	// working directory of where to run the command.
331	#: "working-directory": string
332
333	#architecture: "ARM32" | "x64" | "x86"
334
335	#branch: #globs
336
337	#concurrency: close({
338		// When a concurrent job or workflow is queued, if another job or
339		// workflow using the same concurrency group in the repository is
340		// in progress, the queued job or workflow will be pending. Any
341		// previously pending job or workflow in the concurrency group
342		// will be canceled.
343		"group"!: string
344
345		// To cancel any currently running job or workflow in the same
346		// concurrency group, specify cancel-in-progress: true.
347		"cancel-in-progress"?: matchN(1, [bool, #expressionSyntax])
348	})
349
350	#configuration: matchN(1, [string, number, bool, {
351		[string]: #configuration
352	}, [...#configuration]])
353
354	#container: close({
355		// The Docker image to use as the container to run the action. The
356		// value can be the Docker Hub image name or a registry name.
357		"image"!: string
358
359		// If the image's container registry requires authentication to
360		// pull the image, you can use credentials to set a map of the
361		// username and password. The credentials are the same values
362		// that you would provide to the `docker login` command.
   		// Validation note: both fields accept any string, including a
   		// literal password. Referencing a secret through an expression
   		// keeps the credential out of the workflow file; this schema
   		// does not enforce that.
363		"credentials"?: {
364			"username"?: string
365			"password"?: string
366			...
367		}
368		"env"?: #env
369
370		// Sets an array of ports to expose on the container.
371		"ports"?: [...number | string] & [_, ...]
372
373		// Sets an array of volumes for the container to use. You can use
374		// volumes to share data between services or other steps in a
375		// job. You can specify named Docker volumes, anonymous Docker
376		// volumes, or bind mounts on the host.
377		// To specify a volume, you specify the source and destination
378		// path: <source>:<destinationPath>
379		// The <source> is a volume name or an absolute path on the host
380		// machine, and <destinationPath> is an absolute path in the
381		// container.
   		// Each entry is validated only as a string; the
   		// <source>:<destinationPath> form is not checked here.
382		"volumes"?: [...string] & [_, ...]
383
384		// Additional Docker container resource options. For a list of
385		// options, see
386		// https://docs.docker.com/engine/reference/commandline/create/#options.
   		// The string is not parsed or restricted by this schema, so
   		// options that change container isolation pass validation and
   		// need separate review.
387		"options"?: string
388	})
389
390	#defaults: struct.MinFields(1) & close({
391		"run"?: struct.MinFields(1) & close({
392			"shell"?:             #shell
393			"working-directory"?: #."working-directory"
394		})
395	})
396
397	// To set custom environment variables, you need to specify the
398	// variables in the workflow file. You can define environment
399	// variables for a step, job, or entire workflow using the
400	// jobs.<job_id>.steps[*].env, jobs.<job_id>.env, and env
401	// keywords. For more information, see
402	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv
403	#env: matchN(1, [{
404		[string]: bool | number | string
405	}, #stringContainingExpressionSyntax])
406
407	// The environment that the job references
408	#environment: close({
409		// The name of the environment configured in the repo.
410		"name"!: string
411
412		// A deployment URL
413		"url"?: string
414
415		// Whether to create a deployment for this job. Setting to false
416		// lets the job use environment secrets and variables without
417		// creating a deployment record. Wait timers and required
418		// reviewers still apply.
419		"deployment"?: matchN(1, [bool, #expressionSyntax])
420	})
421
422	#event: "branch_protection_rule" | "check_run" | "check_suite" | "create" | "delete" | "deployment" | "deployment_status" | "discussion" | "discussion_comment" | "fork" | "gollum" | "issue_comment" | "issues" | "label" | "merge_group" | "milestone" | "page_build" | "project" | "project_card" | "project_column" | "public" | "pull_request" | "pull_request_review" | "pull_request_review_comment" | "pull_request_target" | "push" | "registry_package" | "release" | "status" | "watch" | "workflow_call" | "workflow_dispatch" | "workflow_run" | "repository_dispatch"
423
424	#eventObject: null | {
425		...
426	}
427
428	#expressionSyntax: =~"""
429		^\\$\\{\\{(.|[\r
430		])*\\}\\}$
431		"""
432
433	#globs: [...strings.MinRunes(1)] & [_, ...]
434
435	// Identifies any jobs that must complete successfully before this
436	// job will run. It can be a string or array of strings. If a job
437	// fails, all jobs that need it are skipped unless the jobs use a
438	// conditional statement that causes the job to continue.
439	#jobNeeds: matchN(1, [[...#name] & [_, ...], #name])
440
441	#machine: "linux" | "macos" | "windows"
442
443	// A build matrix is a set of different configurations of the
444	// virtual environment. For example you might run a job against
445	// more than one supported version of a language, operating
446	// system, or tool. Each configuration is a copy of the job that
447	// runs and reports a status.
448	// You can specify a matrix by supplying an array for the
449	// configuration options. For example, if the GitHub virtual
450	// environment supports Node.js versions 6, 8, and 10 you could
451	// specify an array of those versions in the matrix.
452	// When you define a matrix of operating systems, you must set the
453	// required runs-on keyword to the operating system of the
454	// current job, rather than hard-coding the operating system
455	// name. To access the operating system name, you can use the
456	// matrix.os context parameter to set runs-on. For more
457	// information, see
458	// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
459	#matrix: matchN(1, [struct.MinFields(1) & {
460		{[=~"^(in|ex)clude$"]: matchN(1, [#expressionSyntax, [...{
461			[string]: #configuration
462		}] & [_, ...]])
463		}
464		{[!~"^(in|ex)clude$" & !~"^()$"]: matchN(1, [[...#configuration] & [_, ...], #expressionSyntax])}
465	}, #expressionSyntax])
466
467	#name: =~"^[_a-zA-Z][a-zA-Z0-9_-]*$"
468
469	// Each job must have an id to associate with the job. The key
470	// job_id is a string and its value is a map of the job's
471	// configuration data. You must replace <job_id> with a string
472	// that is unique to the jobs object. The <job_id> must start
473	// with a letter or _ and contain only alphanumeric characters,
474	// -, or _.
475	#normalJob: close({
476		// The name of the job displayed on GitHub.
477		"name"?:        string
478		"needs"?:       #jobNeeds
479		"snapshot"?:    #snapshot
480		"permissions"?: #permissions
481
482		// The type of machine to run the job on. The machine can be
483		// either a GitHub-hosted runner, or a self-hosted runner.
484		"runs-on"!: matchN(>=1, [string, [string, ...string] & [_, ...] & [...], {
485			"group"?: string
486			"labels"?: matchN(1, [string, [...string]])
487			...
488		}, #stringContainingExpressionSyntax, #expressionSyntax])
489
490		// The environment that the job references.
491		"environment"?: matchN(1, [string, #environment])
492
493		// A map of outputs for a job. Job outputs are available to all
494		// downstream jobs that depend on this job.
495		"outputs"?: struct.MinFields(1) & {
496			[string]: string
497		}
498		"env"?:      #env
499		"defaults"?: #defaults
500
501		// You can use the if conditional to prevent a job from running
502		// unless a condition is met. You can use any supported context
503		// and expression to create a conditional.
504		// Expressions in an if conditional do not require the ${{ }}
505		// syntax. For more information, see
506		// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
507		"if"?: bool | number | string
508
509		// A job contains a sequence of tasks called steps. Steps can run
510		// commands, run setup tasks, or run an action in your
511		// repository, a public repository, or an action published in a
512		// Docker registry. Not all steps run actions, but all actions
513		// run as a step. Each step runs in its own process in the
514		// virtual environment and has access to the workspace and
515		// filesystem. Because steps run in their own process, changes to
516		// environment variables are not preserved between steps. GitHub
517		// provides built-in steps to set up and complete a job.
518		// Must contain either `uses` or `run`
519		"steps"?: [...#step] & [_, ...]
520
521		// The maximum number of minutes to let a workflow run before
522		// GitHub automatically cancels it. Default: 360
523		"timeout-minutes"?: matchN(1, [number, #expressionSyntax])
524
525		// A strategy creates a build matrix for your jobs. You can define
526		// different variations of an environment to run each job in.
527		"strategy"?: close({
528			"matrix"!: #matrix
529
530			// When set to true, GitHub cancels all in-progress jobs if any
531			// matrix job fails. Default: true
532			"fail-fast"?: bool | string
533
534			// The maximum number of jobs that can run simultaneously when
535			// using a matrix job strategy. By default, GitHub will maximize
536			// the number of jobs run in parallel depending on the available
537			// runners on GitHub-hosted virtual machines.
538			"max-parallel"?: number | string
539		})
540
541		// Prevents a workflow run from failing when a job fails. Set to
542		// true to allow a workflow run to pass when this job fails.
543		"continue-on-error"?: matchN(1, [bool, #expressionSyntax])
544
545		// A container to run any steps in a job that don't already
546		// specify a container. If you have steps that use both script
547		// and container actions, the container actions will run as
548		// sibling containers on the same network with the same volume
549		// mounts.
550		// If you do not set a container, all steps will run directly on
551		// the host specified by runs-on unless a step refers to an
552		// action configured to run in a container.
553		"container"?: matchN(1, [string, #container])
554
555		// Additional containers to host services for a job in a workflow.
556		// These are useful for creating databases or cache services like
557		// redis. The runner on the virtual machine will automatically
558		// create a network and manage the life cycle of the service
559		// containers.
560		// When you use a service container for a job or your step uses
561		// container actions, you don't need to set port information to
562		// access the service. Docker automatically exposes all ports
563		// between containers on the same network.
564		// When both the job and the action run in a container, you can
565		// directly reference the container by its hostname. The hostname
566		// is automatically mapped to the service name.
567		// When a step does not use a container action, you must access
568		// the service using localhost and bind the ports.
569		"services"?: {
570			[string]: #container
571		}
572
573		// Concurrency ensures that only a single job or workflow using
574		// the same concurrency group will run at a time. A concurrency
575		// group can be any string or expression. The expression can use
576		// any context except for the secrets context.
577		// You can also specify concurrency at the workflow level.
578		// When a concurrent job or workflow is queued, if another job or
579		// workflow using the same concurrency group in the repository is
580		// in progress, the queued job or workflow will be pending. Any
581		// previously pending job or workflow in the concurrency group
582		// will be canceled. To also cancel any currently running job or
583		// workflow in the same concurrency group, specify
584		// cancel-in-progress: true.
585		"concurrency"?: matchN(1, [string, #concurrency])
586	})
587
588	#path: #globs
589
590	// You can modify the default permissions granted to the
591	// GITHUB_TOKEN, adding or removing access as required, so that
592	// you only allow the minimum required access.
   	// The value is exactly one of: the shorthand "read-all" or
   	// "write-all", or a per-scope map (#."permissions-event"). An empty
   	// map also validates because every scope in that map is optional.
593	#permissions: matchN(1, ["read-all" | "write-all", #."permissions-event"])
594
595	// Each job must have an id to associate with the job. The key
596	// job_id is a string and its value is a map of the job's
597	// configuration data. You must replace <job_id> with a string
598	// that is unique to the jobs object. The <job_id> must start
599	// with a letter or _ and contain only alphanumeric characters,
600	// -, or _.
601	#reusableWorkflowCallJob: close({
602		// The name of the job displayed on GitHub.
603		"name"?:        string
604		"needs"?:       #jobNeeds
605		"permissions"?: #permissions
606
607		// You can use the if conditional to prevent a job from running
608		// unless a condition is met. You can use any supported context
609		// and expression to create a conditional.
610		// Expressions in an if conditional do not require the ${{ }}
611		// syntax. For more information, see
612		// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
613		"if"?: bool | number | string
614
615		// The location and version of a reusable workflow file to run as
616		// a job, of the form './{path/to}/{localfile}.yml' or
617		// '{owner}/{repo}/{path}/{filename}@{ref}'. {ref} can be a SHA,
618		// a release tag, or a branch name. Using the commit SHA is the
619		// safest for stability and security.
   		// Validation note: the pattern below checks only the path shape
   		// and the .yml/.yaml suffix. The @{ref} part is optional and may
   		// be any non-empty text, so pinning to a commit SHA is not
   		// enforced by this schema.
620		"uses"!: =~"^(.+\\/)+(.+)\\.(ya?ml)(@.+)?$"
621		"with"?: #env
622
623		// When a job is used to call a reusable workflow, you can use
624		// 'secrets' to provide a map of secrets that are passed to the
625		// called workflow. Any secrets that you pass must match the
626		// names defined in the called workflow.
   		// The literal "inherit" is accepted in place of a map.
   		// NOTE(review): GitHub documents "inherit" as passing all of the
   		// caller's secrets to the called workflow; an explicit map limits
   		// what is shared. Confirm against the current documentation.
627		"secrets"?: matchN(1, [#env, "inherit"])
628
629		// A strategy creates a build matrix for your jobs. You can define
630		// different variations of an environment to run each job in.
631		"strategy"?: close({
632			"matrix"!: #matrix
633
634			// When set to true, GitHub cancels all in-progress jobs if any
635			// matrix job fails. Default: true
636			"fail-fast"?: bool | string
637
638			// The maximum number of jobs that can run simultaneously when
639			// using a matrix job strategy. By default, GitHub will maximize
640			// the number of jobs run in parallel depending on the available
641			// runners on GitHub-hosted virtual machines.
642			"max-parallel"?: number | string
643		})
644
645		// Concurrency ensures that only a single job or workflow using
646		// the same concurrency group will run at a time. A concurrency
647		// group can be any string or expression. The expression can use
648		// any context except for the secrets context.
649		// You can also specify concurrency at the workflow level.
650		// When a concurrent job or workflow is queued, if another job or
651		// workflow using the same concurrency group in the repository is
652		// in progress, the queued job or workflow will be pending. Any
653		// previously pending job or workflow in the concurrency group
654		// will be canceled. To also cancel any currently running job or
655		// workflow in the same concurrency group, specify
656		// cancel-in-progress: true.
657		"concurrency"?: matchN(1, [string, #concurrency])
658	})
659
660	// You can override the default shell settings in the runner's
661	// operating system using the shell keyword. You can use built-in
662	// shell keywords, or you can define a custom set of shell
663	// options.
   	// Validation note: matchN(>=1, ...) passes when at least one
   	// alternative matches, and the bare string alternative matches any
   	// string, so the named shells are not an allow-list.
664	#shell: matchN(>=1, [string, "bash" | "pwsh" | "python" | "sh" | "cmd" | "powershell"])
665
666	// You can use `jobs.<job_id>.snapshot` to generate a custom
667	// image.
668	// Add the snapshot keyword to the job, using either the string
669	// syntax or mapping syntax as shown in
670	// https://docs.github.com/en/actions/how-tos/manage-runners/larger-runners/use-custom-images#generating-a-custom-image.
671	// Each job that includes the snapshot keyword creates a separate
672	// image. To generate only one image or image version, include
673	// all workflow steps in a single job. Each successful run of a
674	// job that includes the snapshot keyword creates a new version
675	// of that image.
676	// For more information, see
677	// https://docs.github.com/en/actions/how-tos/manage-runners/larger-runners/use-custom-images.
678	#snapshot: matchN(1, [string, close({
679		"image-name"!: string
680		"version"?:    =~"^\\d+(\\.\\d+|\\*)?$"
681	})])
682
683	#step: matchN(1, [{
684		"uses"!: _
685		...
686	}, {
687		"run"!: _
688		...
689	}]) & close({
690		_t0="working-directory"?: _
691		if _t0 != _|_ {
692			"run"!: _
693		}
694		shell?: _
695		if shell != _|_ {
696			"run"!: _
697		}
698		{}
699
700		// A unique identifier for the step. You can use the id to
701		// reference the step in contexts. For more information, see
702		// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
703		"id"?: string
704
705		// You can use the if conditional to prevent a step from running
706		// unless a condition is met. You can use any supported context
707		// and expression to create a conditional.
708		// Expressions in an if conditional do not require the ${{ }}
709		// syntax. For more information, see
710		// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
711		"if"?: bool | number | string
712
713		// A name for your step to display on GitHub.
714		"name"?: string
715
716		// Selects an action to run as part of a step in your job. An
717		// action is a reusable unit of code. You can use an action
718		// defined in the same repository as the workflow, a public
719		// repository, or in a published Docker container image
720		// (https://hub.docker.com/).
721		// We strongly recommend that you include the version of the
722		// action you are using by specifying a Git ref, SHA, or Docker
723		// tag number. If you don't specify a version, it could break
724		// your workflows or cause unexpected behavior when the action
725		// owner publishes an update.
726		// - Using the commit SHA of a released action version is the
727		// safest for stability and security.
728		// - Using the specific major action version allows you to receive
729		// critical fixes and security patches while still maintaining
730		// compatibility. It also assures that your workflow should still
731		// work.
732		// - Using the master branch of an action may be convenient, but
733		// if someone releases a new major version with a breaking
734		// change, your workflow could break.
735		// Some actions require inputs that you must set using the with
736		// keyword. Review the action's README file to determine the
737		// inputs required.
738		// Actions are either JavaScript files or Docker containers. If
739		// the action you're using is a Docker container you must run the
740		// job in a Linux virtual environment. For more details, see
741		// https://help.github.com/en/articles/virtual-environments-for-github-actions.
   		// Validation note: the field is typed as a plain string, so this
   		// schema does not check that a ref is present or that it is a
   		// commit SHA; pinning has to be enforced by separate policy.
742		"uses"?: string
743
744		// Runs command-line programs using the operating system's shell.
745		// If you do not provide a name, the step name will default to
746		// the text specified in the run command.
747		// Commands run using non-login shells by default. You can choose
748		// a different shell and customize the shell used to run
749		// commands. For more information, see
750		// https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.
751		// Each run keyword represents a new process and shell in the
752		// virtual environment. When you provide multi-line commands,
753		// each line runs in the same shell.
754		"run"?:               string
755		"working-directory"?: #."working-directory"
756		"shell"?:             #shell
757		"with"?:              #env
758		"env"?:               #env
759
760		// Prevents a job from failing when a step fails. Set to true to
761		// allow a job to pass when this step fails.
762		"continue-on-error"?: matchN(1, [bool, #expressionSyntax])
763
764		// The maximum number of minutes to run the step before killing
765		// the process.
766		"timeout-minutes"?: matchN(1, [number, #expressionSyntax])
767	})
768
   	// Matches a string that contains at least one ${{ ... }}
   	// expression. The expression body may span lines, because the
   	// inner group also accepts \r and \n.
   	// NOTE(review): the leading and trailing .* sit outside that
   	// group. Under the default flags of the Go regexp (RE2) syntax
   	// that CUE uses, . does not match a newline and ^/$ anchor at the
   	// ends of the whole text, so a multi-line value whose expression
   	// is not on its first line would not match. Confirm that this is
   	// intended wherever the definition is used.
769	#stringContainingExpressionSyntax: =~"""
770		^.*\\$\\{\\{(.|[\r
771		])*\\}\\}.*$
772		"""
773
774	// Selects the types of activity that will trigger a workflow run.
775	// Most GitHub events are triggered by more than one type of
776	// activity. For example, the event for the release resource is
777	// triggered when a release is published, unpublished, created,
778	// edited, deleted, or prereleased. The types keyword enables you
779	// to narrow down activity that causes the workflow to run. When
780	// only one activity type triggers a webhook event, the types
781	// keyword is unnecessary.
782	// You can use an array of event types. For more information about
783	// each event and their activity types, see
784	// https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.
   	// Accepts either a non-empty list or a single string. The list
   	// elements are not constrained here, so activity-type names are
   	// not validated by this definition.
785	#types: matchN(1, [[_, ...], string])
786
787	// A string identifier to associate with the input. The value of
788	// <input_id> is a map of the input's metadata. The <input_id>
789	// must be a unique identifier within the inputs object. The
790	// <input_id> must start with a letter or _ and contain only
791	// alphanumeric characters, -, or _.
   	// All five matchIf constraints must hold (matchN(5, ...)): when
   	// type is "string", "boolean", "number" or "environment", a
   	// default, if given, must be a string, bool, number or string
   	// respectively; when type is "choice", options is required. If
   	// type is omitted, none of the conditions apply and default is
   	// left unconstrained.
   	// Security note: this schema checks the workflow file only.
   	// Values supplied at dispatch time come from whoever triggers the
   	// run, so a step that uses a string input should handle it like
   	// any other untrusted text.
792	#workflowDispatchInput: matchN(5, [matchIf({
793		"type"!: "string"
794		...
795	}, {
796		"default"?: string
797		...
798	}, _) & {
799		...
800	}, matchIf({
801		"type"!: "boolean"
802		...
803	}, {
804		"default"?: bool
805		...
806	}, _) & {
807		...
808	}, matchIf({
809		"type"!: "number"
810		...
811	}, {
812		"default"?: number
813		...
814	}, _) & {
815		...
816	}, matchIf({
817		"type"!: "environment"
818		...
819	}, {
820		"default"?: string
821		...
822	}, _) & {
823		...
824	}, matchIf({
825		"type"!: "choice"
826		...
827	}, {
828		"options"!: _
829		...
830	}, _) & {
831		...
832	}]) & close({
833		// A string description of the input parameter.
834		"description"?: string
835
836		// A string shown to users using the deprecated input.
837		"deprecationMessage"?: string
838
839		// A boolean to indicate whether the action requires the input
840		// parameter. Set to true when the parameter is required.
841		"required"?: bool
842
843		// A string representing the default value. The default value is
844		// used when an input parameter isn't specified in a workflow
845		// file.
   		// Typed as _ here; the matchIf constraints at the top of this
   		// definition narrow it according to type.
846		"default"?: _
847
848		// A string representing the type of the input.
849		"type"?: "string" | "choice" | "boolean" | "number" | "environment"
850
851		// The options of the dropdown list, if the type is a choice.
   		// When present, the list must contain at least one string.
852		"options"?: [...string] & [_, ...]
853	})
854}