Gokul e4752efa8e feat(evaluator): make toJSON(secrets) return secrets object (#100)
It turns out that toJSON(secrets) has been returning "null" this
whole time — same disease as env, steps, needs, and github before
it. The evaluator had no bare-`secrets` branch in
ExpressionContext::resolve, so resolving the identifier fell
through to the catch-all `_ => Null` and toJSON dutifully
serialised that. Fourth in a series after #96/#97/#98/#99.

The fix is the simplest of the bunch. secrets_context is already
a flat &HashMap<String, String> holding exactly the shape real
GHA exposes as the `secrets` context — no prefix strip, no
exclusion list (unlike #99's github arm), no nested outputs
sub-object (unlike steps/needs). Clone the entries into
ExprValue::String and wrap in ExprValue::Object. Done.

Values are returned in plaintext by design. That matches real
GHA — `toJSON(secrets)` there is not auto-redacted either, and
the common `fromJSON(toJSON(secrets))` pipe-through-an-action
pattern depends on the exact original values surviving the
round-trip. Masking stays where it belongs: the log boundary,
via wrkflw_secrets::SecretMasker, already wired up in engine.rs.

Pulling the masker into the evaluator would (a) break the
fromJSON round-trip, (b) diverge from GHA semantics, and (c)
duplicate a concern that already has one correct home. Please
don't do that.

Tests mirror the #96–#99 suites: populated secrets, empty
context, sorted keys, special-character values (quotes,
backslashes, PEM-style newlines), fromJSON(toJSON(secrets))
round-trip, bare-secrets truthiness, a regression guard that the
bare arm doesn't shadow the existing dotted-access arm, and a
plaintext-values test that pins the no-masking-here decision so
any future switch is deliberate rather than silent.

While at it, drop `secrets` from the lingering
`TODO: support other bare contexts` comment. Only `matrix`
remains.
2026-04-18 22:20:55 +05:30
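
A minimal model of the behaviour the commit message above describes, added here as an illustration and not taken from the wrkflw source: the `ExprValue` enum, `resolve`, `to_json`, `escape` and `mask_log_line` below are hypothetical stand-ins. It keeps the evaluator's output in plaintext with sorted keys and masks only at the log boundary, where it also covers the JSON-escaped form of each value (an assumption of this example, not a statement about how `SecretMasker` works).

```rust
use std::collections::{BTreeMap, HashMap};

// Simplified stand-in for the evaluator's value type (hypothetical).
#[derive(Debug, Clone, PartialEq)]
enum ExprValue { Null, String(String), Object(BTreeMap<String, ExprValue>) }

// Bare-identifier resolution. Without the "secrets" arm the name falls
// through to the catch-all and toJSON serialises Null as "null".
fn resolve(name: &str, secrets: &HashMap<String, String>) -> ExprValue {
    match name {
        // BTreeMap gives sorted keys; values stay plaintext.
        "secrets" => ExprValue::Object(secrets.iter()
            .map(|(k, v)| (k.clone(), ExprValue::String(v.clone()))).collect()),
        _ => ExprValue::Null,
    }
}

// Escapes only the characters the commit's tests name; not a full JSON encoder.
fn escape(s: &str) -> String {
    s.chars().map(|c| match c {
        '"' => "\\\"".to_string(),
        '\\' => "\\\\".to_string(),
        '\n' => "\\n".to_string(),
        c => c.to_string(),
    }).collect()
}

fn to_json(v: &ExprValue) -> String {
    match v {
        ExprValue::Null => "null".to_string(),
        ExprValue::String(s) => format!("\"{}\"", escape(s)),
        ExprValue::Object(m) => format!("{{{}}}", m.iter()
            .map(|(k, v)| format!("\"{}\":{}", escape(k), to_json(v)))
            .collect::<Vec<_>>().join(",")),
    }
}

// Log-boundary masking (assumption: redacts raw and JSON-escaped forms).
fn mask_log_line(line: &str, secrets: &HashMap<String, String>) -> String {
    secrets.values().filter(|v| !v.is_empty()).fold(line.to_string(), |out, v| {
        out.replace(&escape(v), "***").replace(v.as_str(), "***")
    })
}

fn main() {
    // Constructed sample secret, not a real credential.
    let secrets = HashMap::from([("KEY".to_string(), "line1\nline2".to_string())]);
    let json = to_json(&resolve("secrets", &secrets));
    println!("{}", mask_log_line(&format!("dump: {}", json), &secrets));
}
```

A masker that matched only the raw multi-line value would leave the `\n`-escaped copy in the serialised dump untouched, which is why the escaped form is redacted as well.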

WRKFLW


A command-line tool for validating and executing GitHub Actions workflows locally. Test your workflows on your machine before pushing to GitHub.


Features

  • TUI interface — interactive terminal UI for browsing, running, and monitoring workflows
  • Workflow validation — syntax checks, structural validation, and composite action input cross-checking with CI/CD-friendly exit codes
  • Local execution — run workflows using Docker, Podman, or emulation mode (no containers)
  • Job selection — run individual jobs with --job flag or via TUI job selection mode
  • Job dependency resolution — automatic ordering based on needs with parallel execution of independent jobs
  • Action support — Docker container actions, JavaScript actions, composite actions, and local actions
  • Reusable workflows — execute caller jobs via jobs.<id>.uses (local or owner/repo/path@ref)
  • GitHub context emulation — environment variables, GITHUB_OUTPUT, GITHUB_ENV, GITHUB_PATH, GITHUB_STEP_SUMMARY
  • Matrix builds — full support for include, exclude, max-parallel, and fail-fast
  • Secrets management — multiple providers (env, file, Vault, AWS, Azure, GCP) with masking and encryption
  • Remote triggering — trigger workflow_dispatch runs on GitHub or GitLab pipelines
  • GitLab support — validate and trigger GitLab CI pipelines

Installation

cargo install wrkflw

Or build from source:

git clone https://github.com/bahdotsh/wrkflw.git
cd wrkflw
cargo build --release

Quick Start

# Launch the TUI (auto-detects .github/workflows)
wrkflw

# Validate workflows
wrkflw validate

# Run a workflow
wrkflw run .github/workflows/ci.yml

Usage

Validation

# Validate all workflows in .github/workflows
wrkflw validate

# Validate specific files or directories
wrkflw validate path/to/workflow.yml
wrkflw validate path/to/workflows/

# Validate multiple paths
wrkflw validate flow-1.yml flow-2.yml path/to/workflows/

# GitLab pipelines
wrkflw validate .gitlab-ci.yml --gitlab

# Verbose output
wrkflw validate --verbose path/to/workflow.yml

Exit codes: 0 = all valid, 1 = validation failures, 2 = usage error. Use --no-exit-code to disable.

Execution

# Run with Docker (default)
wrkflw run .github/workflows/ci.yml

# Run with Podman
wrkflw run --runtime podman .github/workflows/ci.yml

# Run in emulation mode (no containers)
wrkflw run --runtime emulation .github/workflows/ci.yml

# Run a specific job
wrkflw run --job build .github/workflows/ci.yml

# List jobs in a workflow
wrkflw run --jobs .github/workflows/ci.yml

# Preserve failed containers for debugging
wrkflw run --preserve-containers-on-failure .github/workflows/ci.yml

TUI

# Open TUI with default directory
wrkflw tui

# Open with specific runtime
wrkflw tui --runtime podman

Controls:

Key               Action
Tab / 1-4         Switch tabs (Workflows, Execution, Logs, Help)
Up/Down or j/k    Navigate
Space             Toggle selection
Enter             Run / View details
r                 Run selected workflows
a / n             Select all / Deselect all
e                 Cycle runtime (Docker / Podman / Emulation)
v                 Toggle Execution / Validation mode
t                 Trigger remote workflow
q / Esc           Quit / Back

Remote Triggering

Trigger workflow_dispatch events on GitHub or GitLab.

# GitHub (requires GITHUB_TOKEN env var)
wrkflw trigger workflow-name --branch main --input key=value

# GitLab (requires GITLAB_TOKEN env var)
wrkflw trigger-gitlab --branch main --variable key=value

Runtime Modes

Mode               Description                                            Best for
Docker (default)   Full container isolation, closest to GitHub runners    Production, CI/CD
Podman             Rootless containers, no daemon required                Security-conscious environments
Emulation          Runs directly on host, no containers needed            Quick local testing

Reusable Workflows

jobs:
  call-local:
    uses: ./.github/workflows/shared.yml

  call-remote:
    uses: my-org/my-repo/.github/workflows/shared.yml@v1
    with:
      foo: bar
    secrets:
      token: ${{ secrets.MY_TOKEN }}

  • Local refs resolve relative to the working directory
  • Remote refs are shallow-cloned at the specified @ref
  • with: entries become INPUT_<KEY> env vars; secrets: become SECRET_<KEY>

Limitations: outputs from called workflows are not propagated back; secrets: inherit is not supported; private repos for remote uses: are not yet supported.

Secrets Management

WRKFLW supports GitHub Actions-compatible ${{ secrets.* }} syntax with multiple providers:

# Environment variables (simplest)
export GITHUB_TOKEN="ghp_..."
wrkflw run .github/workflows/ci.yml

# File-based secrets (JSON, YAML, or .env format)
# Configure in ~/.wrkflw/secrets.yml

Supported providers: environment variables, file-based, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager. See the secrets demo for detailed examples.

Limitations

Supported

  • Workflow syntax validation with exit codes
  • Job dependency resolution and parallel execution
  • Matrix builds, environment variables, GitHub context
  • Container, JavaScript, composite, and local actions
  • Reusable workflows (caller jobs)
  • Environment files (GITHUB_OUTPUT, GITHUB_ENV, GITHUB_PATH, GITHUB_STEP_SUMMARY)
  • TUI and CLI interfaces
  • Container cleanup (even on Ctrl+C)

Not Supported

  • GitHub encrypted secrets and fine-grained permissions
  • actions/cache (no persistent cache between runs)
  • Artifact upload/download between jobs
  • Event triggers other than workflow_dispatch
  • Windows and macOS runners
  • Job/step timeouts, concurrency, and cancellation
  • Service containers in emulation mode
  • Reusable workflow output propagation (needs.<id>.outputs.*)

Project Structure

WRKFLW is organized as a Cargo workspace with focused crates:

Crate               Purpose
wrkflw              CLI binary and library entry point
wrkflw-executor     Workflow execution engine
wrkflw-parser       Workflow file parsing and schema validation
wrkflw-evaluator    Structural evaluation of workflow files
wrkflw-validators   Validation rules for jobs, steps, triggers
wrkflw-runtime      Container and emulation runtime abstractions
wrkflw-ui           Terminal user interface
wrkflw-models       Shared data structures
wrkflw-matrix       Matrix expansion utilities
wrkflw-secrets      Secrets management with multiple providers
wrkflw-github       GitHub API integration
wrkflw-gitlab       GitLab API integration
wrkflw-logging      In-memory logging for TUI/CLI
wrkflw-utils        Shared helpers

License

MIT License - see LICENSE for details.

Description
Validate and Run GitHub Actions locally.
Languages
Rust 98.6%
Shell 1.4%