feat(cli): output formats, GL034-GL041 lint rules, include inputs and cache
Bundles three patch releases (v0.2.16–v0.2.18): v0.2.18 — output formats (--format flag on glint check): - json: stable JSON report (schema_version: 1, findings array, summary) - sarif: SARIF 2.1.0 for GitHub Code Scanning / GitLab SAST - junit: JUnit XML for CI test-report artifacts (artifacts:reports:junit) - github: GitHub Actions ::error:: / ::warning:: annotation lines - Unknown --format value exits 2 with a helpful error message - Summary line routed to stderr in structured formats; context suppressed v0.2.17 — include resolution improvements: - Recursive include depth capped at 100 (matches GitLab's own limit) - project: and component: includes tracked in visited set (cycle detection) - $[[ inputs.KEY ]] / $[[ inputs.KEY | default(…) ]] substituted from with: - --cache-dir: persist fetched remote templates to disk (SHA-256 keyed) - --offline: serve from cache only; defaults to ~/.cache/glint v0.2.16 — new lint rules (GL034–GL041): - GL034: services map form requires name; alias must be valid DNS label - GL035: rules:changes / rules:exists absolute path detection - GL036: timeout format validation (job-level + default.timeout) - GL037: id_tokens entries must have an aud key - GL038: secrets entries must declare a provider (vault / gcp / azure) - GL039: pages: keyword + artifacts.paths consistency - GL040: duplicate stage names in stages: list - GL041: cache.key.files must be exact paths, not globs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,41 @@
|
||||
package fetcher
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
)
|
||||
|
||||
// cacheRead returns the cached bytes for the given cache key, or (nil, false)
|
||||
// on a miss (key not present, dir empty, or any read error).
|
||||
func cacheRead(dir, key string) ([]byte, bool) {
|
||||
if dir == "" {
|
||||
return nil, false
|
||||
}
|
||||
data, err := os.ReadFile(cachePath(dir, key))
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
return data, true
|
||||
}
|
||||
|
||||
// cacheWrite stores bytes in the cache for the given key. Write errors are
|
||||
// silently ignored so cache failures never block the normal fetch path.
|
||||
func cacheWrite(dir, key string, data []byte) {
|
||||
if dir == "" {
|
||||
return
|
||||
}
|
||||
if err := os.MkdirAll(dir, 0o755); err != nil {
|
||||
return
|
||||
}
|
||||
_ = os.WriteFile(cachePath(dir, key), data, 0o644)
|
||||
}
|
||||
|
||||
// cachePath returns the filesystem path for a cache entry.
|
||||
// The filename is the SHA-256 hex digest of the key so arbitrary keys (URLs,
|
||||
// "project:file@ref" strings) map to safe, stable filenames.
|
||||
func cachePath(dir, key string) string {
|
||||
h := sha256.Sum256([]byte(key))
|
||||
return filepath.Join(dir, fmt.Sprintf("%x.yml", h))
|
||||
}
|
||||
+35
-10
@@ -22,9 +22,11 @@ const (
|
||||
|
||||
// GitLabConfig holds everything needed to reach a GitLab instance.
|
||||
type GitLabConfig struct {
|
||||
BaseURL string
|
||||
Token string
|
||||
Source TokenSource
|
||||
BaseURL string
|
||||
Token string
|
||||
Source TokenSource
|
||||
CacheDir string // local cache directory; empty = caching disabled
|
||||
Offline bool // when true, return an error instead of making network calls
|
||||
}
|
||||
|
||||
// AutoConfig builds a GitLabConfig from environment variables.
|
||||
@@ -54,8 +56,11 @@ func AutoConfig() GitLabConfig {
|
||||
return cfg
|
||||
}
|
||||
|
||||
// WithOverrides returns a copy of cfg with non-empty overrides applied.
|
||||
func (cfg GitLabConfig) WithOverrides(baseURL, token string) GitLabConfig {
|
||||
// WithOverrides returns a copy of cfg with the provided overrides applied.
|
||||
// Non-empty strings overwrite the corresponding field; booleans are always
|
||||
// applied (so offline: false explicitly clears offline mode).
|
||||
// cacheDir: empty string disables caching.
|
||||
func (cfg GitLabConfig) WithOverrides(baseURL, token, cacheDir string, offline bool) GitLabConfig {
|
||||
if baseURL != "" {
|
||||
cfg.BaseURL = strings.TrimRight(baseURL, "/")
|
||||
}
|
||||
@@ -63,6 +68,8 @@ func (cfg GitLabConfig) WithOverrides(baseURL, token string) GitLabConfig {
|
||||
cfg.Token = token
|
||||
cfg.Source = TokenPrivate
|
||||
}
|
||||
cfg.CacheDir = cacheDir
|
||||
cfg.Offline = offline
|
||||
return cfg
|
||||
}
|
||||
|
||||
@@ -84,16 +91,24 @@ func (cfg GitLabConfig) HasToken() bool { return cfg.Token != "" }
|
||||
// - filePath — repository file path, e.g. "/templates/ci.yml"
|
||||
// - ref — branch, tag, or commit SHA; empty string defaults to HEAD
|
||||
func (cfg GitLabConfig) FetchFile(project, filePath, ref string) ([]byte, error) {
|
||||
if ref == "" {
|
||||
ref = "HEAD"
|
||||
}
|
||||
|
||||
cKey := cfg.BaseURL + "|" + project + "|" + filePath + "|" + ref
|
||||
if data, ok := cacheRead(cfg.CacheDir, cKey); ok {
|
||||
return data, nil
|
||||
}
|
||||
if cfg.Offline {
|
||||
return nil, fmt.Errorf("offline mode: %s:%s@%s is not in the local cache (run without --offline first to populate the cache)", project, filePath, ref)
|
||||
}
|
||||
|
||||
encodedProject := url.PathEscape(project)
|
||||
encodedFile := url.PathEscape(strings.TrimPrefix(filePath, "/"))
|
||||
|
||||
apiURL := fmt.Sprintf("%s/api/v4/projects/%s/repository/files/%s/raw",
|
||||
cfg.BaseURL, encodedProject, encodedFile)
|
||||
|
||||
if ref == "" {
|
||||
ref = "HEAD"
|
||||
}
|
||||
|
||||
req, err := http.NewRequest(http.MethodGet, apiURL, nil)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("building request: %w", err)
|
||||
@@ -139,12 +154,21 @@ func (cfg GitLabConfig) FetchFile(project, filePath, ref string) ([]byte, error)
|
||||
}
|
||||
}
|
||||
|
||||
cacheWrite(cfg.CacheDir, cKey, body)
|
||||
return body, nil
|
||||
}
|
||||
|
||||
// FetchURL downloads the content at a plain HTTPS URL without authentication.
|
||||
// Used for include: remote: entries which are public by definition.
|
||||
func FetchURL(rawURL string) ([]byte, error) {
|
||||
// Responses are read from and written to the local cache when CacheDir is set.
|
||||
func (cfg GitLabConfig) FetchURL(rawURL string) ([]byte, error) {
|
||||
if data, ok := cacheRead(cfg.CacheDir, rawURL); ok {
|
||||
return data, nil
|
||||
}
|
||||
if cfg.Offline {
|
||||
return nil, fmt.Errorf("offline mode: %s is not in the local cache (run without --offline first to populate the cache)", rawURL)
|
||||
}
|
||||
|
||||
resp, err := http.Get(rawURL) //nolint:noctx
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("GET %s: %w", rawURL, err)
|
||||
@@ -157,6 +181,7 @@ func FetchURL(rawURL string) ([]byte, error) {
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return nil, fmt.Errorf("GET %s: status %d", rawURL, resp.StatusCode)
|
||||
}
|
||||
cacheWrite(cfg.CacheDir, rawURL, body)
|
||||
return body, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user