2026-06-14 09:13:19 +02:00
parent 5fee51ec7d
commit 54b5850835
8 changed files with 188 additions and 1 deletions
@@ -0,0 +1,90 @@
package linter
import (
	"testing"
	"git.k3nny.fr/glint/internal/model"
)
func TestCheckDeadRules(t *testing.T) {
	cases := []struct {
		name     string
		rules    []model.Rule
		wantHit  bool // whether GL033 should fire
	}{
		{
			name:    "no rules — not dead",
			rules:   nil,
			wantHit: false,
		},
		{
			name:    "single bare when:never — dead",
			rules:   []model.Rule{{When: "never"}},
			wantHit: true,
		},
		{
			name: "all rules when:never with if — dead",
			rules: []model.Rule{
				{If: `$CI_COMMIT_BRANCH == "main"`, When: "never"},
				{If: `$CI_COMMIT_BRANCH == "develop"`, When: "never"},
				{When: "never"},
			},
			wantHit: true,
		},
		{
			name: "first rule on_success — not dead",
			rules: []model.Rule{
				{If: `$CI_COMMIT_BRANCH == "main"`, When: "on_success"},
				{When: "never"},
			},
			wantHit: false,
		},
		{
			name: "rule with empty when (defaults to on_success) — not dead",
			rules: []model.Rule{
				{If: `$CI_COMMIT_BRANCH == "main"`},
				{When: "never"},
			},
			wantHit: false,
		},
		{
			name:    "when:manual — not dead",
			rules:   []model.Rule{{When: "manual"}},
			wantHit: false,
		},
		{
			name:    "when:always — not dead",
			rules:   []model.Rule{{When: "always"}},
			wantHit: false,
		},
		{
			name:    "when:on_failure — not dead",
			rules:   []model.Rule{{When: "on_failure"}},
			wantHit: false,
		},
		{
			name: "mixed never and manual — not dead",
			rules: []model.Rule{
				{If: `$CI_COMMIT_BRANCH == "main"`, When: "never"},
				{When: "manual"},
			},
			wantHit: false,
		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			job := model.Job{Rules: tc.rules}
			findings := checkDeadRules("test-job", job)
			hit := false
			for _, f := range findings {
				if f.Rule == RuleDeadRules {
					hit = true
				}
			}
			if hit != tc.wantHit {
				t.Errorf("checkDeadRules: got hit=%v, want hit=%v; findings=%v", hit, tc.wantHit, findings)
			}
		})
	}
}
@@ -95,6 +95,7 @@ func checkJobKeywords(name string, job model.Job) []Finding {
	findings = append(findings, checkArtifacts(name, job)...)
	findings = append(findings, checkCache(name, job)...)
	findings = append(findings, checkRules(name, job)...)
	findings = append(findings, checkDeadRules(name, job)...)
	findings = append(findings, checkImage(name, job)...)
	findings = append(findings, checkInherit(name, job)...)
	return findings
@@ -476,6 +477,28 @@ func checkRules(name string, job model.Job) []Finding {
	return findings
}
// checkDeadRules reports when every rule in a job's rules: block has an
// explicit when: never, making the job permanently unreachable. This is a
// provably-correct static claim: no matter which if: condition matches, the
// outcome is always "never"; and if no rule matches, the implicit fallback is
// also skip. No if: evaluation is required.
func checkDeadRules(name string, job model.Job) []Finding {
	if len(job.Rules) == 0 {
		return nil
	}
	for _, r := range job.Rules {
		if r.When != "never" {
			return nil
		}
	}
	return []Finding{{
		Severity: Warning,
		Rule:     RuleDeadRules,
		Job:      name,
		Message:  "rules: block can never activate; every rule has 'when: never' — job is permanently excluded from the pipeline",
	}}
}
func checkImage(name string, job model.Job) []Finding {
	if job.Image == nil {
		return nil
 
@@ -114,4 +114,8 @@ const (
	// the job's own variables:, or any workflow:rules:variables: block.
	// May be a false positive for variables set in GitLab CI/CD project settings.
	RuleUndeclaredVariable = "GL032"
	// GL033: every rule in a job's rules: block has when: never, so the job
	// can never be included in any pipeline run.
	RuleDeadRules = "GL033"
)