[Code Quality] Add maxItems constraints to schema array fields for resource safety

[github-actions]

Description

The workflow schema defines 18 minItems constraints but 0 maxItems constraints, allowing unbounded array sizes. This creates potential security and resource management issues as workflows can specify arbitrarily large arrays without validation.

Current State

From schema analysis (2026-01-25):

• 18 array fields have minItems constraints (minimum size enforced)
• 0 array fields have maxItems constraints (no maximum size limits)
• All array fields are unbounded and accept unlimited elements

Impact

Security Risks:

• Potential for denial-of-service through extremely large arrays
• Unbounded memory usage during schema validation
• No protection against maliciously crafted workflows

Resource Management:

• CI/CD workflows could consume excessive memory processing large arrays
• GitHub Actions runners could be overwhelmed
• Workflow compilation could timeout on massive arrays

Suggested Changes

Step 1: Audit array field usage to determine reasonable maximums

# Find all array fields with minItems in schema
grep -A 2 '"minItems"' pkg/parser/schemas/main_workflow_schema.json

# Review real-world workflows for typical array sizes
grep -r 'branches:' .github/workflows/*.md | wc -l

Step 2: Add maxItems constraints based on real usage patterns

Example fields likely needing limits:

• branches / branches-ignore arrays → reasonable max: 50
• paths / paths-ignore arrays → reasonable max: 100
• types arrays (issue/PR triggers) → reasonable max: 20
• Tool configuration arrays → reasonable max: 25

Step 3: Update schema with constraints

{
  "branches": {
    "type": "array",
    "minItems": 1,
    "maxItems": 50,  // NEW
    "items": { "type": "string" }
  }
}

Step 4: Test schema changes

make build          # Rebuild with updated schema
make test           # Verify existing workflows still validate
make recompile      # Recompile all workflows

Files Affected

• pkg/parser/schemas/main_workflow_schema.json (add maxItems constraints)
• Potentially workflow validation error messages if new limits trigger

Success Criteria

• ✅ All 18 array fields with minItems now have reasonable maxItems constraints
• ✅ Constraints based on analysis of real workflow usage patterns (not arbitrary)
• ✅ All existing workflows continue to validate successfully
• ✅ Schema documentation updated with rationale for chosen limits
• ✅ Tests pass with new constraints

Source

Extracted from Schema Validation Complexity Analysis discussion #11802

Relevant excerpt:

Zero maxItems Constraints:

• Schema has 18 minItems but 0 maxItems
• All array fields are unbounded
• Potential for unbounded memory usage
• No protection against extremely large arrays

Priority

High - Addresses both security (DoS protection) and resource management. Should be completed before next security audit.

Implementation Estimate

Effort: 1-2 days

• Day 1: Audit real workflow usage, determine reasonable limits, update schema
• Day 2: Test changes, recompile workflows, verify all tests pass

AI generated by Discussion Task Miner - Code Quality Improvement Agent

• expires on Feb 9, 2026, 9:07 PM UTC

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster