Skip to content

[Code Quality] Add maxItems constraints to workflow schema arrays #13440

New issue
New issue
Open
Open
[Code Quality] Add maxItems constraints to workflow schema arrays#13440
Labels
automationcode-qualitycookieIssue Monster Loves Cookies!schemasecuritytask-mining
@github-actions

Description

@github-actions
github-actions
bot
opened on Feb 3, 2026

Description

The workflow schema defines 18 minItems constraints but zero maxItems constraints, allowing unbounded array sizes that could cause performance issues or abuse.

Current State

Schema validation enforces minimum array sizes but no maximum limits:

  • ✅ 18 fields have minItems constraints
  • ❌ 0 fields have maxItems constraints

Impact

Performance Risks:

  • Unbounded arrays could cause memory issues during parsing
  • Large arrays slow down workflow compilation
  • No protection against accidental or malicious oversized configurations

Examples of unbounded arrays:

  • tools.github.toolsets - no limit on toolsets
  • safe-outputs.types - no limit on output types
  • bots, roles, network.allowed - no size limits

Suggested Changes

1. Analyze Production Usage

Determine reasonable upper bounds by analyzing actual workflows:

# Find maximum array sizes in production
find .github/workflows -name "*.md" -exec grep -A 20 "toolsets:\|bots:\|roles:" {} \;

2. Add maxItems to Schema

Based on analysis, add practical limits:

{
  "bots": {
    "type": "array",
    "minItems": 1,
    "maxItems": 20,  // NEW: Reasonable limit for bot filtering
    "items": { "type": "string" }
  },
  "tools.github.toolsets": {
    "type": "array",
    "maxItems": 15,  // NEW: Limit to prevent excessive toolset loading
    "items": { "type": "string" }
  },
  "safe-outputs.types": {
    "type": "array",
    "maxItems": 50,  // NEW: Reasonable limit for output types
    "items": { "type": "string" }
  }
}

3. Document Limits

Add size limit documentation to frontmatter reference:

### Size Limits

To maintain performance, the following array fields have maximum size limits:
- `bots`: 20 bot accounts
- `roles`: 10 roles
- `toolsets`: 15 toolsets per tool
- `safe-outputs.types`: 50 output types

Files Affected

  • pkg/parser/schemas/main_workflow_schema.json (add maxItems constraints)
  • docs/src/content/docs/reference/frontmatter.md (document limits)
  • pkg/parser/schema_validation_test.go (test maxItems validation)

Success Criteria

  • All arrays with minItems also have reasonable maxItems
  • Limits are based on production usage analysis
  • Schema validation rejects oversized arrays
  • Documentation explains size limits
  • Tests verify maxItems enforcement

Source

Extracted from Copilot Agent Analysis discussion #11998 - PR #11959 added maxItems constraints showing this pattern improves schema quality.

Priority

Medium - Security/performance improvement preventing unbounded arrays

Implementation Notes

  • Non-breaking: Set maxItems high enough to accommodate all existing workflows
  • Phased approach: Add limits gradually, starting with clearly bounded arrays
  • Validation: Ensure existing workflows still pass schema validation

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 17, 2026, 9:12 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automationcode-qualitycookieIssue Monster Loves Cookies!schemasecuritytask-mining

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions