2026-06-14 11:17:27 +02:00 · 2026-06-14 11:13:02 +02:00 · 2026-06-14 11:07:51 +02:00 · 2026-06-14 11:02:23 +02:00 · 2026-06-14 10:23:33 +02:00
31 changed files with 2755 additions and 417 deletions
k3nny
7f7e2bf77b
						
							
							docs(docs): release v0.2.20
						
						
...
			
	
		
		
	
		
		
	
	
	
		
			
				
	
				ci / vet, staticcheck, test, build (push) Successful in 1m52s
				
					
					Details
				
			
		
			
				
	
				release / Build and publish release (push) Successful in 1m17s
				
					
					Details
				
			
		
		
	
	
Add FEATURES.md and USAGE.md entries to the [0.2.20] changelog section.
No code changes — documentation reorganisation only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-14 11:17:27 +02:00
k3nny
e13455a629
						
							
							docs(docs): extract usage examples to USAGE.md, trim README
						
						
...
Move all command-by-command reference (output formats, context
simulation, remote includes, cache/offline, component format, graph
modes, explain, project config, inline suppression, example output)
from README.md into a new USAGE.md. Replace the 326-line Usage section
in README with the commands block and a single link to USAGE.md.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-14 11:13:02 +02:00
k3nny
b8e640de03
						
							
							docs(docs): extract features to FEATURES.md, trim README
						
						
...
The README features block grew to 38 bullets plus a full lint-rules
table, making the document hard to scan. This commit:
- Creates FEATURES.md with a structured reference covering lint rules
  (GL001–GL043 tables), include resolution, context simulation, output
  formats, configuration, graph visualization, and developer tools.
- Replaces the flat bullet list in README with a 6-line "What it does"
  category summary that links to FEATURES.md and ROADMAP.md.
- Removes the redundant ## Lint rules section from README (now in
  FEATURES.md).
- Adds 'explain' to the commands block in the README Usage section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-14 11:07:51 +02:00
k3nny
4ce7f86d4d
						
							
							feat(linter): glint explain, GL042 rules:if: reachability, GL043 inherit completeness
						
						
...
- `glint explain <RULE>`: new subcommand printing rule description,
  rationale, bad-YAML example and fix for every GL001–GL043 rule.
  `glint explain` (no arg) lists all rules with ID, severity, title.
  Rule IDs are case-insensitive.
- GL042 (rules:if: evaluated reachability): warns when every rules:if:
  condition evaluates to false given the values of variables declared in
  the pipeline YAML, making the job statically unreachable. Conservative:
  only fires when all referenced variables are declared in YAML; predefined
  CI_* / GITLAB_* variables are skipped to avoid false positives.
- GL043 (inherit: completeness): warns when inherit: default: is declared
  but there is no default: block in the pipeline (dead declaration), or
  when the list form names fields not set in the default: block.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-14 11:02:23 +02:00
k3nny
02d8e63a98
						
							
							feat(cli): .glint.yml config and inline suppression comments
						
						
...
			
	
		
		
	
		
		
	
	
	
		
			
				
	
				ci / vet, staticcheck, test, build (push) Successful in 2m25s
				
					
					Details
				
			
		
			
				
	
				release / Build and publish release (push) Successful in 1m24s
				
					
					Details
				
			
		
		
	
	
Adds project-level configuration and per-job suppression directives:
.glint.yml (searched from pipeline dir up to the git root):
- ignore: [GL007, GL032] — suppress rules globally for the project
- severity: {GL004: warning} — override rule severity (error/warning/ignore)
- stages: [quality] — extra stages beyond the pipeline's stages: block
- token: / url: / cache_dir: — defaults for flags; lower priority than
  CLI flags and environment variables
Inline suppression (# glint: ignore):
- Place "# glint: ignore GL007" immediately before a job definition to
  suppress that rule for the specific job only
- Multiple rules: "# glint: ignore GL007, GL032" (comma or space separated)
- Wildcard: "# glint: ignore all" suppresses every finding for the job
- Suppressions are scoped to the annotated job; pipeline-level findings
  are unaffected
- Parsed from yaml.Node head/line comments in the first parse pass;
  stored in Pipeline.Suppressions (root file only, not includes)
New packages: internal/config (Load, walk-up search, .git boundary stop)
New files: cmd/glint/filter.go (applyConfig, isSuppressed helpers)
Tests: config_test.go, parser_suppress_test.go, filter_test.go
Validate fixtures: testdata/config_ignored/, config_severity/, config_suppress/
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-14 10:23:33 +02:00
@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
This project uses [Semantic Versioning](https://semver.org).
## [0.2.20] - 2026-06-14
### Added
- **`glint explain <RULE>`** — new subcommand that prints the description, rationale, a bad-YAML example, and the corrected fix for any rule ID (GL001–GL043). `glint explain` with no argument lists all rules with ID, severity, and title. Rule IDs are case-insensitive (`gl007` and `GL007` are equivalent).
- **`rules:if:` evaluated reachability (GL042)** — warns when every `rules:if:` condition in a job evaluates to false using the values of variables declared in the pipeline YAML, meaning the job can never be included in a pipeline run. The check is conservative: it only fires when all variables referenced in the `if:` expressions are explicitly declared in the YAML; predefined `CI_*` / `GITLAB_*` variables and undeclared variables are treated as unknown (may have any runtime value) to avoid false positives.
- **`inherit:` completeness (GL043)** — warns when a job declares `inherit: default:` (boolean or list form) but the pipeline has no `default:` block, making the declaration a no-op. Also warns when the list form names fields (e.g. `[image, before_script]`) that are not actually set in the `default:` block — those list entries have no effect.
- **`FEATURES.md`** — full feature reference extracted from the README: all 43 lint rules in categorised tables, include resolution capabilities, context simulation details, output format schemas, configuration reference, graph visualisation modes, and developer tools. The README `## Features` section replaced with a compact 6-line `## What it does` summary with a link to `FEATURES.md`.
- **`USAGE.md`** — complete command-by-command usage reference extracted from the README: `glint check` with all output formats and examples, context simulation flags and predefined variable table, remote includes and token resolution, cache and offline mode, component reference format, `glint graph` modes, `glint explain` usage, project config (`.glint.yml`), and inline suppression. The README `## Usage` section replaced with the commands block and a single link to `USAGE.md`.
## [0.2.19] - 2026-06-14
### Added
- **`.glint.yml` project config file** — glint now searches for a `.glint.yml` file starting from the pipeline file's directory and walking up to the first `.git` boundary. Supported keys:
  - `ignore: [GL007, GL032]` — suppress rules globally for the project.
  - `severity: {GL004: warning}` — override rule severity (`error`, `warning`, or `ignore`). `ignore` is equivalent to listing the rule in `ignore:`.
  - `stages: [quality]` — declare extra stage names that are valid beyond those in the pipeline's own `stages:` block; jobs in these stages are not flagged by GL004.
  - `token: glpat-xxx` — default GitLab personal access token (lower priority than the `--token` flag and `GITLAB_TOKEN` env var).
  - `url: https://gitlab.example.com` — default GitLab instance URL.
  - `cache_dir: ~/.cache/glint` — default cache directory for fetched remote includes.
- **Inline suppression comments** — a `# glint: ignore RULE` comment placed immediately before a job definition suppresses that rule for the specific job. Multiple rules can be comma- or space-separated (`# glint: ignore GL007, GL032`). Use `# glint: ignore all` to suppress every finding for the job. Suppressions are scoped to the annotated job; pipeline-level findings are unaffected.
## [0.2.18] - 2026-06-14
### Added
 
@@ -0,0 +1,259 @@
# glint — feature reference
This document describes every capability in the current release.
For planned work see [ROADMAP.md](ROADMAP.md).
---
## Lint rules
Every finding carries a stable rule ID (`GL001` – `GL043`) that can be used to
suppress, filter, or look up the check. Run `glint explain <ID>` for a
description, bad-YAML example, and fix.
### Pipeline-level
| ID | Sev | Rule |
|----|-----|------|
| GL001 | WARN | No `stages:` block — GitLab falls back to its built-in default stages |
| GL002 | ERR | `workflow.rules[*].when` must be `always` or `never` |
| GL036 | ERR | `default.timeout` is not a valid GitLab CI duration string |
| GL040 | WARN | A stage name appears more than once in `stages:` |
### Job structure
| ID | Sev | Rule |
|----|-----|------|
| GL003 | ERR | Job missing required `script:` (or `run:`) |
| GL004 | ERR | Job `stage:` references a stage not declared in `stages:` |
| GL005 | ERR | `only:` and `rules:` used together |
| GL006 | ERR | `except:` and `rules:` used together |
| GL007 | WARN | `only:` / `except:` used (deprecated; prefer `rules:`) |
### Keyword constraints
| ID | Sev | Rule |
|----|-----|------|
| GL008 | ERR | `when:` has an invalid value |
| GL009 | ERR | `when: delayed` without `start_in:` |
| GL010 | ERR | `start_in:` set but `when:` is not `delayed` |
| GL011 | ERR | `parallel:` integer not in range 2–200, or map form missing `matrix:` |
| GL012 | ERR | `retry:` integer not in range 0–2, or `retry.max` out of range |
| GL013 | ERR | `retry.when:` contains an unrecognised failure type |
| GL014 | ERR | `allow_failure:` is not a boolean or a map with `exit_codes:` |
| GL015 | ERR | `interruptible:` is not a boolean |
| GL016 | ERR | Trigger job also defines `script:` |
| GL017 | ERR | `trigger:` map missing `project:` or `include:` |
| GL018 | ERR | `coverage:` is not a regex wrapped in `/…/` |
| GL019 | ERR | `release:` missing required `tag_name:`, or is not a map |
| GL020 | ERR | `environment.url` set without `environment.name`, or invalid `action:` |
| GL021 | ERR | `artifacts.when` invalid, or `expose_as` set without `paths` |
| GL022 | WARN | `pages` job `artifacts.paths` does not include `public/` |
| GL023 | ERR | `cache.when` or `cache.policy` has an invalid value |
| GL024 | ERR | `rules[*].when` has an invalid value |
| GL025 | ERR | `image:` map form missing `name:` |
| GL026 | ERR | `inherit.default` / `inherit.variables` is not a boolean or list |
| GL034 | ERR | `services:` map form missing `name:`, or `alias:` is not a valid DNS label |
| GL036 | ERR | `timeout:` is not a valid GitLab CI duration string |
| GL037 | ERR | `id_tokens:` entry missing required `aud:` |
| GL038 | ERR | `secrets:` entry missing a provider key (`vault`, `gcp_secret_manager`, `azure_key_vault`) |
| GL039 | WARN | Job uses `pages:` keyword but `artifacts.paths` doesn't include the publish directory |
| GL041 | WARN | `cache.key.files` entry looks like a glob; must be an exact file path |
### Cross-job graph
| ID | Sev | Rule |
|----|-----|------|
| GL027 | ERR/WARN | `needs:` references a job that doesn't exist (WARN when `optional: true`) |
| GL028 | ERR | `needs:` references a job in a later stage |
| GL029 | ERR | Circular dependency in `needs:` graph |
| GL030 | ERR | `dependencies:` references a job that doesn't exist |
| GL031 | ERR | `dependencies:` references a job in the same or a later stage |
### Expression & reachability
| ID | Sev | Rule |
|----|-----|------|
| GL032 | WARN | `rules:if:` references `$VAR` not declared in any `variables:` block (may be false-positive for project-setting variables) |
| GL033 | WARN | Every rule in `rules:` has `when: never` — job permanently excluded (provable without evaluating `if:` expressions) |
| GL035 | WARN | `rules:changes` / `rules:exists` path is absolute — absolute paths never match in GitLab CI |
| GL042 | WARN | Every `rules:if:` condition evaluates to false given the declared variable values — job statically unreachable (only fires when all referenced variables are declared in YAML) |
### Inheritance
| ID | Sev | Rule |
|----|-----|------|
| GL043 | WARN | `inherit: default:` declared but the pipeline has no `default:` block (dead declaration), or the list form names fields not set in `default:` |
### Hidden jobs
Jobs whose name starts with `.` are reusable templates; most rules are skipped for them. This matches GitLab CI's own behaviour.
---
## Include resolution
| Capability | Notes |
|------------|-------|
| `include: local:` | Read from disk, recursively merged before linting |
| `include: remote:` | HTTPS URL fetched unauthenticated; unreachable URLs produce a warning, linting continues |
| `include: project:` | Fetched from the GitLab REST API using the configured token; skipped with a warning when no token is available |
| `include: component:` | Fetched from the GitLab CI/CD Catalog; public components work without a token |
| `include: inputs:` | `$[[ inputs.KEY ]]` and `$[[ inputs.KEY \| default(…) ]]` placeholders substituted from the `with:` block before parsing |
| Depth limit | Include chains capped at 100 levels (matches GitLab); circular cross-file references detected via visited-set tracking |
| Offline mode | `--offline` serves all remote includes from the cache; missing entries produce a warning |
| Include cache | `--cache-dir DIR` (or `~/.cache/glint` by default with `--offline`) persists fetched templates; keyed by SHA-256 of the request coordinates |
**Token resolution order** (first non-empty wins):
| Source | Header |
|--------|--------|
| `--token` flag / `GITLAB_TOKEN` env | `PRIVATE-TOKEN` |
| `CI_JOB_TOKEN` env | `JOB-TOKEN` |
| `GITLAB_PRIVATE_TOKEN` env | `PRIVATE-TOKEN` |
**URL resolution order:** `--gitlab-url` flag → `CI_SERVER_URL` env → `GITLAB_URL` env → `https://gitlab.com`
---
## Context simulation
Pass `--branch`, `--tag`, `--source`, or `--var` to evaluate `rules:if:` and
`only`/`except` filters against a specific pipeline event. When no context flag
is given glint defaults to `--branch main --source push` so that `rules:if:`
expressions are always evaluated.
**Evaluated at lint time:**
- `rules:if:` — full expression language: `==`, `!=`, `=~`, `!~`, `&&`, `||`, `!`, `(…)`, `$VAR`/`${VAR}`, string literals, `null`, regex flags (`/pat/i`)
- `only:` / `except:` — ref keywords, branch-name globs, and `/regex/` patterns
- `workflow:rules:` — evaluated to determine whether the pipeline would run; matching rule's `variables:` are injected before job evaluation
- Variable expansion — `$VAR` / `${VAR}` references in variable values expanded after all sources merge; transitive chains resolved (up to 10 passes)
**Not evaluated** (no git tree at lint time): `rules:changes:`, `rules:exists:`.
**Predefined variables** set by shortcut flags:
| Flag | Variables populated |
|------|---------------------|
| `--branch NAME` | `CI_COMMIT_BRANCH`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_REF_SLUG`, `CI_PIPELINE_SOURCE=push` |
| `--tag NAME` | `CI_COMMIT_TAG`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_REF_SLUG`, `CI_PIPELINE_SOURCE=push`; clears `CI_COMMIT_BRANCH` |
| `--source EVENT` | `CI_PIPELINE_SOURCE` |
| `--var KEY=VALUE` | any variable; overrides shortcuts; repeatable |
Use `--list-vars` to print the resolved variable table to stderr.
---
## Output formats
Pass `--format` to `glint check`. In structured formats the summary line is
written to stderr so stdout contains only the machine-readable payload.
| Format | Flag | Description |
|--------|------|-------------|
| Text (default) | `--format text` | Ruff-style `file:line: RULE [sev] message` |
| JSON | `--format json` | Stable schema (version 1); `findings` array + `summary` block |
| SARIF 2.1.0 | `--format sarif` | Consumed by GitHub Code Scanning and GitLab SAST |
| JUnit XML | `--format junit` | CI test-report artifact (`artifacts:reports:junit`) |
| GitHub annotations | `--format github` | `::error file=…,line=…,title=RULE::message` inline PR comments |
**JSON schema (`schema_version: 1`):**
```json
{
  "schema_version": 1,
  "glint_version": "v0.2.20",
  "pipeline": ".gitlab-ci.yml",
  "findings": [
    {"rule":"GL004","severity":"error","file":".gitlab-ci.yml","line":14,
     "job":"deploy","message":"stage \"production\" is not defined in 'stages'"}
  ],
  "summary": {"total": 1, "errors": 1, "warnings": 0}
}
```
---
## Configuration
### `.glint.yml` project config file
Searched from the pipeline file's directory upward to the first `.git` boundary.
```yaml
# Suppress rules globally for this project.
ignore:
  - GL007   # migrating from only:/except:
  - GL032   # dynamic variables injected by CI
# Override rule severity (error | warning | ignore).
# 'ignore' is equivalent to listing the rule in ignore:.
severity:
  GL004: warning   # demote during a stage migration
  GL035: error     # promote to hard error for this project
# Extra stage names valid beyond those in the pipeline's own stages: block.
stages:
  - quality
  - security
# Default GitLab token (lower priority than --token and GITLAB_TOKEN).
token: glpat-xxxx
# Default GitLab instance URL.
url: https://gitlab.example.com
# Default cache directory.
cache_dir: ~/.cache/glint
```
**Priority chain:** `--token`/`--gitlab-url` flags > `.glint.yml` > environment variables.
### Inline suppression (`# glint: ignore`)
Suppress a finding for a specific job by placing a comment immediately before it:
```yaml
# glint: ignore GL007
legacy-job:
  only: [main]
  script: echo ok
# Multiple rules (comma- or space-separated):
# glint: ignore GL007, GL032
other-job:
  script: echo ok
# Suppress every rule for this job:
# glint: ignore all
noisy-job:
  script: echo ok
```
Suppressions are scoped to the single job they precede and do not affect other
jobs or pipeline-level findings.
---
## Graph visualization (`glint graph`)
| Mode | Output |
|------|--------|
| `tree` (default) | Terminal job tree: stages as branches, jobs as leaves; annotated with `[manual]`, `[delayed]`, `[trigger]` where applicable |
| `includes` | Mermaid flowchart to stdout; colour-coded nodes by include type (local, remote, project, component, template) |
| `pipeline` | GitLab CI-style SVG/PNG written to `--out` directory (default: `glint-out/`); converted to PNG when `rsvg-convert`, `inkscape`, or `magick` is available |
| `all` | `includes` to stdout + `pipeline` file path to stderr |
In DAG pipelines (any job has `needs:`) the pipeline graph uses job-to-job
Bézier connectors instead of stage-to-stage lines.
---
## Developer tools
| Tool | Description |
|------|-------------|
| `glint explain <RULE>` | Print description, rationale, bad-YAML example, and fix for a rule. Case-insensitive (`gl007` = `GL007`). |
| `glint explain` | List all rules with ID, severity, and title. |
| `--list-vars` | Print all resolved pipeline variables (pipeline + workflow rules + context) to stderr before linting. |
| `--version` / `-v` | Print the compiled version string. |
@@ -6,48 +6,23 @@
<p align="center">
  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a>
  <a href="CHANGELOG.md"><img src="https://img.shields.io/badge/release-v0.2.18-blue.svg" alt="Release"></a>
  <a href="CHANGELOG.md"><img src="https://img.shields.io/badge/release-v0.2.20-blue.svg" alt="Release"></a>
</p>
> **Disclaimer:** This tool was built through iterative AI-assisted development with [Claude](https://claude.ai). It is experimental, incomplete, and not intended for production use. Coverage of GitLab CI keywords is best-effort and may lag behind GitLab's evolving spec. Use it at your own discretion — no correctness guarantees are made. Contributions and bug reports are welcome.
A local tool to validate and lint `.gitlab-ci.yml` pipelines without needing a GitLab server.
## Features
## What it does
- **YAML validation** — detects malformed pipeline files early
- **Stage validation** — every job's `stage` must be declared in `stages`
- **`extends:` resolution** — resolves single and multi-level template inheritance before linting, so derived jobs are evaluated against their fully merged definition
- **`needs:` DAG validation** — checks that `needs:` references exist, respect stage ordering, and contain no circular dependencies
- **`dependencies:` validation** — checks that artifact dependency references exist and are in earlier stages
- **Keyword validation** — validates constraints on `when`, `parallel`, `retry`, `allow_failure`, `trigger`, `artifacts`, `cache`, `release`, `environment`, `coverage`, `rules`, and more
- **Remote project includes** — fetches `include: project:` templates from the GitLab API so extends/needs can be validated against the full merged pipeline
- **CI/CD catalog components** — resolves `include: component:` references from the GitLab CI/CD Catalog; public components work without a token
- **Deprecation warnings** — flags `only`/`except` usage in favour of `rules`
- **Local include resolution** — `include: local:` entries are read from disk and recursively merged before linting, so multi-file pipelines are fully validated
- **Extended variable declarations** — `variables:` entries may use the `{value, description, options}` map form (GitLab CI 13.7+); `default.image` accepts both string and map form; `rules.changes`/`rules.exists` accept both list and `{paths, compare_to}` map form
- **Graph output** — `glint graph` prints a job tree (stages → jobs) to the terminal; `glint graph includes` emits a Mermaid include dependency diagram; `glint graph pipeline` renders a GitLab CI-style PNG/SVG
- **Context simulation** — pass `--branch`, `--tag`, or `--source` to `glint check` or `glint graph` to see which jobs would be active, manual, or skipped for a specific pipeline event; evaluates `rules:if:` expressions and `only`/`except` filters
- **Variable expansion** — `$VAR` and `${VAR}` references inside variable values are expanded after all sources are merged (pipeline defaults → workflow-rule overrides → CLI flags); transitive chains resolve automatically; visible via `--list-vars`
- **Non-string variable scalars** — `BUILD: true`, `RETRIES: 3` and other bare boolean/integer variable values are handled correctly throughout: they render in `--list-vars` output and are injected into the evaluation context as their string equivalents, matching GitLab CI's behaviour
- **Static reachability (GL033)** — warns when a job's `rules:` block can never activate: if every rule has `when: never` the job is permanently excluded from any pipeline run, provable without evaluating any `if:` expressions
- **`services:` validation (GL034)** — map form requires a `name` key; `alias` must be a valid DNS label (letters, digits, hyphens, dots; no leading/trailing hyphens)
- **`rules:changes` / `rules:exists` glob safety (GL035)** — warns when paths are absolute (start with `/`), which can never match since GitLab CI paths are always relative to the repository root
- **`timeout:` format (GL036)** — validates that job and `default:` timeout values are valid GitLab CI duration strings (`1h 30m`, `90 minutes`, `2 hours`, etc.)
- **`id_tokens:` validation (GL037)** — each OIDC token entry must have an `aud` key (missing `aud` is a GitLab API error at runtime)
- **`secrets:` validation (GL038)** — each secret entry must declare exactly one provider (`vault`, `gcp_secret_manager`, or `azure_key_vault`)
- **`pages:` keyword + `artifacts.paths` (GL039)** — warns when a job uses the `pages:` keyword but `artifacts.paths` does not include the publish directory (default: `public`)
- **Duplicate stage names (GL040)** — warns when a stage name appears more than once in `stages:`; GitLab silently merges duplicates, which can cause confusing ordering
- **`cache.key.files` glob detection (GL041)** — warns when `cache.key.files` entries contain glob metacharacters; this field requires exact file paths, not patterns
- **Recursive include depth limit** — include chains are capped at 100 nesting levels (matching GitLab's own limit); project and component includes are now tracked in the visited-file set to prevent cross-include cycles
- **`include: inputs:` substitution** — when a `component:` entry has a `with:` block, all `$[[ inputs.KEY ]]` and `$[[ inputs.KEY | default(…) ]]` placeholders in the fetched template are substituted before parsing, so component-scoped jobs get their correct `stage:` and keyword values instead of `$[[…]]` placeholders
- **Offline mode + include cache** — pass `--cache-dir DIR` to cache fetched remote templates (project: and component: includes) to disk; `--offline` serves entirely from the cache without making network calls
- **Structured output formats** — `--format json` emits a stable JSON report; `--format sarif` emits SARIF 2.1.0 (consumed by GitHub Code Scanning and GitLab SAST); `--format junit` emits JUnit XML (consumable as a CI test-report artifact); `--format github` emits GitHub Actions annotation lines (`::error file=…::`) so findings appear as inline PR comments
- **Sorted findings output** — findings are sorted by source file then line number, so all issues from the same file appear together in order; pipeline-level findings (no file) sort first
- **Consistent ruff-style warnings** — all warnings (unresolvable includes, skipped extends chains, workflow non-start) use the same `path: [warning] message` format as lint findings
- **`--version` / `-v` flag** — prints the compiled version string (e.g. `glint v0.2.14`); the version is also shown at the top of every `--help` output
- **Lints** — 43 rules covering pipeline structure, keyword constraints, `needs:`/`dependencies:` graphs, expression reachability, and deprecations (GL001–GL043); run `glint explain <ID>` for any rule
- **Resolves includes** — local files, HTTPS URLs, GitLab project templates, and CI/CD Catalog components, with offline cache support
- **Simulates context** — `--branch`, `--tag`, `--source` flags evaluate `rules:if:` and `only`/`except` to show which jobs would be active, manual, or skipped
- **Multiple output formats** — `--format text` (default, ruff-style), `json`, `sarif` (GitHub Code Scanning / GitLab SAST), `junit`, `github` (PR annotations)
- **Project config** — `.glint.yml` for rule suppression, severity overrides, token/URL defaults; `# glint: ignore RULE` for per-job inline suppression
- **Graph visualization** — `glint graph` prints a terminal job tree; `glint graph pipeline` renders a GitLab CI-style SVG/PNG
See [ROADMAP.md](ROADMAP.md) for planned improvements.
See [FEATURES.md](FEATURES.md) for the complete feature reference and lint rules table, and [ROADMAP.md](ROADMAP.md) for planned improvements.
## Requirements
@@ -76,332 +51,12 @@ glint [OPTIONS] <COMMAND>
Commands:
  check    Lint a pipeline file — exits 0 (clean) or 1 (errors found)
  graph    Visualise the pipeline as a job tree or Mermaid graph
  explain  Print description and fix for a lint rule
```
Run `glint <command> --help` for command-specific options and examples.
### `glint check`
```bash
glint check .gitlab-ci.yml
```
Exits `0` when no errors are found, `1` when at least one error is reported.
### Output formats
Pass `--format` to control the output. Plain text is the default.
```bash
# Default: ruff-style text (human-readable)
glint check .gitlab-ci.yml
# JSON — stable schema, machine-readable
glint check --format json .gitlab-ci.yml
# SARIF 2.1.0 — GitHub Code Scanning / GitLab SAST
glint check --format sarif .gitlab-ci.yml > glint.sarif
# JUnit XML — CI test-report artifact (GitLab: artifacts:reports:junit)
glint check --format junit .gitlab-ci.yml > glint-junit.xml
# GitHub Actions annotations — inline PR diff comments
glint check --format github .gitlab-ci.yml
```
In structured formats (`json`, `sarif`, `junit`, `github`) the summary line
(`OK: … no issues found` or `N finding(s): M error(s)`) is written to stderr
so stdout contains only the machine-readable payload.
**JSON schema (`schema_version: 1`):**
```json
{
  "schema_version": 1,
  "glint_version": "v0.2.18",
  "pipeline": ".gitlab-ci.yml",
  "findings": [
    {"rule":"GL004","severity":"error","file":".gitlab-ci.yml","line":14,
     "job":"deploy","message":"stage \"production\" is not defined in 'stages'"}
  ],
  "summary": {"total": 1, "errors": 1, "warnings": 0}
}
```
**GitHub annotation lines:**
```
::error file=.gitlab-ci.yml,line=14,title=GL004::job "deploy": stage "production" is not defined in 'stages'
```
### Remote project includes
Pipelines that include templates from other GitLab projects are supported.
Provide a token so `glint` can fetch them:
```bash
# personal access token (read_api scope)
GITLAB_TOKEN=glpat-xxxx glint check .gitlab-ci.yml
# CI/CD job token (when running inside a pipeline)
CI_JOB_TOKEN=$CI_JOB_TOKEN glint check .gitlab-ci.yml
# self-hosted GitLab
GITLAB_TOKEN=glpat-xxxx GITLAB_URL=https://gitlab.example.com glint check .gitlab-ci.yml
# or via flags
glint check --token glpat-xxxx --gitlab-url https://gitlab.example.com .gitlab-ci.yml
```
**Project includes** require a token; without one they are skipped with a
warning and the rest of the pipeline is linted as-is.
### Include cache and offline mode
Pass `--cache-dir` to cache fetched remote templates so repeated runs skip the network:
```bash
# First run: fetches and caches
glint check --cache-dir ~/.cache/glint .gitlab-ci.yml
# Subsequent runs: served from cache
glint check --cache-dir ~/.cache/glint .gitlab-ci.yml
# Fully offline (uses ~/.cache/glint automatically when --cache-dir is absent)
glint check --offline .gitlab-ci.yml
glint check --offline --cache-dir ~/.cache/glint .gitlab-ci.yml
```
Cache entries are keyed by SHA-256 of the full request URL/coordinates and stored as plain YAML files in the cache directory. There is currently no automatic expiry — delete the directory or individual entries to force a fresh fetch.
**Component includes** (`include: component: ...`) attempt the fetch
unauthenticated, so public [CI/CD Catalog](https://gitlab.com/explore/catalog)
components work without a token. A warning is emitted if the fetch fails.
Token resolution order (first non-empty wins):
| Source | Header used |
|--------|-------------|
| `--token` flag / `GITLAB_TOKEN` | `PRIVATE-TOKEN` |
| `CI_JOB_TOKEN` | `JOB-TOKEN` |
| `GITLAB_PRIVATE_TOKEN` | `PRIVATE-TOKEN` |
Instance URL resolution order: `--gitlab-url` flag → `CI_SERVER_URL` →
`GITLAB_URL` → `https://gitlab.com`
### Component reference format
```
<host>/<project-path>/<component-name>@<version>
gitlab.com/components/secret-detection/secret-detection@v0.1.0
gitlab.com/my-org/ci-catalog/lint@main
gitlab.example.com/platform/components/build@~latest
```
The component file is looked up in order:
1. `templates/<component-name>.yml` (single-file layout)
2. `templates/<component-name>/template.yml` (directory layout)
Component input parameters (`with:`) are not validated — they are resolved by
GitLab at runtime. Jobs in fetched components may use `$[[ inputs.xxx ]]`
placeholders in fields like `stage`; `glint` skips those fields rather
than producing false positive errors.
### `glint graph`
Visualise the pipeline. Without a mode word, prints a job tree and the include
dependency graph separated by `---`.
```bash
# Default: job tree + include dependency graph
glint graph .gitlab-ci.yml
# Job tree only (stages → jobs, like the tree command)
glint graph tree .gitlab-ci.yml
# Include dependency graph → Mermaid flowchart to stdout
glint graph includes .gitlab-ci.yml > includes.mmd
# GitLab-like pipeline layout → PNG (or SVG fallback) written to --out dir
glint graph pipeline .gitlab-ci.yml
# prints the output file path, e.g.: glint-out/pipeline-20260607-143022.png
# Mermaid to stdout + pipeline file path to stderr
glint graph all .gitlab-ci.yml > includes.mmd
# Custom output directory (pipeline mode)
glint graph pipeline --out /tmp/graphs .gitlab-ci.yml
```
**Job tree** (`graph tree`) — stages as branches, jobs as leaves. Jobs with
`when: manual`, `when: delayed`, or `trigger:` are annotated in brackets.
**Include graph** (`graph includes`) — [Mermaid](https://mermaid.js.org) flowchart written to stdout.
Pipe to a `.mmd` file or paste into [mermaid.live](https://mermaid.live).
One node per include entry, colour-coded by type:
- Orange (bold): the main pipeline file
- Purple: `project:` includes
- Green: `component:` includes
- Blue: `local:` includes
- Grey: `remote:` URL includes
- Light orange: GitLab-provided `template:` includes
**Pipeline graph** (`graph pipeline`) — GitLab CI-style SVG rendered to a timestamped file
in the `--out` directory (default: `glint-out/`). Converted to PNG automatically
when `rsvg-convert`, `inkscape`, or `magick` is available; falls back to SVG otherwise.
Jobs are colour-coded by type:
- Blue (`#1f75cb`): regular jobs
- Orange (`#fc6d26`): `when: manual` jobs
- Purple (`#6b4fbb`): `trigger:` jobs
- Amber (`#fca326`): `when: delayed` jobs
DAG mode (job-to-job Bézier arrows) activates automatically when any job has a `needs:` list.
Classic mode draws L-shaped or straight connectors between stage columns otherwise.
### Context simulation
Pass `--branch`, `--tag`, or `--source` to `glint check` to see which jobs
would run for a given pipeline event. The pipeline is still fully linted;
context output is printed first.
```bash
# What runs on a push to develop?
glint check --branch develop .gitlab-ci.yml
# What runs when a v1.2.0 tag is pushed?
glint check --tag v1.2.0 .gitlab-ci.yml
# Merge request pipeline
glint check --source merge_request_event .gitlab-ci.yml
# Arbitrary variable overrides (repeatable)
glint check --branch main --var DEPLOY_ENV=production .gitlab-ci.yml
```
**Evaluated:**
- `rules:if:` — full expression language: `==`, `!=`, `=~`, `!~`, `&&`, `||`, `!`, `()`, `$VAR`, string literals, `null`
- `only:` / `except:` — ref keywords (`branches`, `tags`, `merge_requests`, `schedules`, …), branch name globs (`feat/*`), and `/regex/` patterns
- Variable expansion — `$VAR` / `${VAR}` references within variable values are expanded after all sources are merged; use `--list-vars` to inspect the resolved values
**Not evaluated** (no git tree at lint time): `rules:changes:`, `rules:exists:`.
Rules without an `if:` clause always match.
**Predefined variables** set automatically by the shortcut flags:
| Flag | Variables populated |
|------|---------------------|
| `--branch <name>` | `CI_COMMIT_BRANCH`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_REF_SLUG`, `CI_PIPELINE_SOURCE=push` |
| `--tag <name>` | `CI_COMMIT_TAG`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_REF_SLUG`, `CI_PIPELINE_SOURCE=push` (clears `CI_COMMIT_BRANCH`) |
| `--source <event>` | `CI_PIPELINE_SOURCE` |
| `--var KEY=VALUE` | any variable; overrides shortcuts |
### Example output
```
# Clean pipeline (implicit default: --branch main --source push)
Context: branch=main, source=push
Active  (5): build, deploy-staging, test, ...
OK: .gitlab-ci.yml — no issues found (5 job(s), 3 stage(s))
# With --branch develop context
Context: branch=develop, source=push
Active  (3): build, deploy-staging, test
Skipped (2): deploy-prod, release-notes
OK: .gitlab-ci.yml — no issues found (5 job(s), 3 stage(s))
# With --tag v1.0.0 context
Context: tag=v1.0.0, source=push
Active  (4): build, deploy-prod, release-notes, test
Skipped (1): deploy-staging
OK: .gitlab-ci.yml — no issues found (5 job(s), 3 stage(s))
# Pipeline with issues
.gitlab-ci.yml:14: GL004 [error] job "deploy": stage "production" is not defined in 'stages'
.gitlab-ci.yml:22: GL027 [error] job "test": needs unknown job "build-app"
.gitlab-ci.yml:31: GL007 [warning] job "old-job": 'only'/'except' are deprecated; prefer 'rules'
3 finding(s): 2 error(s)
```
## Lint rules
Every finding includes a stable rule ID (e.g. `GL003`) that can be used to filter output or reference a specific check in documentation.
### Pipeline-level
| ID | Severity | Rule |
|----|----------|------|
| GL002 | ERROR | `workflow.rules[*].when` is not `always` or `never` |
| GL001 | WARNING | No `stages` defined (GitLab falls back to default stages) |
| GL036 | ERROR | `default.timeout` is not a valid GitLab CI duration string |
| GL040 | WARNING | A stage name appears more than once in `stages:` |
### Job-level — structure
| ID | Severity | Rule |
|----|----------|------|
| GL003 | ERROR | Job is missing required `script` (or `run`) — non-trigger, non-template jobs |
| GL004 | ERROR | Job references a `stage` not declared in `stages` |
| GL005 | ERROR | `only` and `rules` used together on the same job |
| GL006 | ERROR | `except` and `rules` used together on the same job |
| GL007 | WARNING | `only`/`except` used (deprecated, prefer `rules`) |
### Job-level — keyword constraints
| ID | Severity | Rule |
|----|----------|------|
| GL008 | ERROR | `when` is not one of `on_success`, `on_failure`, `always`, `manual`, `delayed`, `never` |
| GL009 | ERROR | `when: delayed` without `start_in` |
| GL010 | ERROR | `start_in` set but `when` is not `delayed` |
| GL011 | ERROR | `parallel` integer not in range 2–200, or map form missing `matrix` key |
| GL012 | ERROR | `retry` integer not in range 0–2, or `retry.max` out of range |
| GL013 | ERROR | `retry.when` contains an unrecognised failure type |
| GL014 | ERROR | `allow_failure` is not a boolean or a map with `exit_codes` |
| GL015 | ERROR | `interruptible` is not a boolean |
| GL016 | ERROR | `trigger` job also has `script` |
| GL017 | ERROR | `trigger` map missing `project` or `include` |
| GL018 | ERROR | `coverage` is not a regex pattern wrapped in `/` |
| GL019 | ERROR | `release` missing required `tag_name`, or is not a map |
| GL020 | ERROR | `environment.url` set without `environment.name`, or invalid `environment.action` |
| GL021 | ERROR | `artifacts.when` invalid, or `artifacts.expose_as` set without `artifacts.paths` |
| GL022 | WARNING | `pages` job `artifacts.paths` does not include `public` |
| GL023 | ERROR | `cache.when` or `cache.policy` has an invalid value |
| GL024 | ERROR | `rules[*].when` is not one of the valid `when` values |
| GL025 | ERROR | `image` map form missing `name` key |
| GL026 | ERROR | `inherit.default` / `inherit.variables` is not a boolean or list |
| GL034 | ERROR | `services:` map form missing `name`, or `alias` is not a valid DNS label |
| GL036 | ERROR | `timeout:` is not a valid GitLab CI duration string (e.g. `1h 30m`, `90 minutes`) |
| GL037 | ERROR | `id_tokens:` entry is missing the required `aud` key |
| GL038 | ERROR | `secrets:` entry is missing a provider key (`vault`, `gcp_secret_manager`, or `azure_key_vault`) |
| GL039 | WARNING | Job has `pages:` keyword but `artifacts.paths` does not include the publish directory |
| GL041 | WARNING | `cache.key.files` entry looks like a glob pattern; must be an exact file path |
### Cross-job graph
| ID | Severity | Rule |
|----|----------|------|
| GL027 | ERROR/WARNING | `needs:` references a job that does not exist (WARNING when `optional: true`) |
| GL028 | ERROR | `needs:` references a job in a later stage |
| GL029 | ERROR | Circular dependency detected in `needs:` graph |
| GL030 | ERROR | `dependencies:` references a job that does not exist |
| GL031 | ERROR | `dependencies:` references a job in the same or a later stage |
### Expression validation
| ID | Severity | Rule |
|----|----------|------|
| GL032 | WARNING | `rules:if:` references `$VAR` not declared in `variables:` (pipeline, job, or `workflow:rules:variables:`) — may be a false positive for variables set in GitLab CI/CD project settings |
| GL033 | WARNING | Every rule in `rules:` has `when: never` — job is permanently excluded from the pipeline (statically provable without context) |
| GL035 | WARNING | `rules:changes` / `rules:exists` path is absolute; GitLab CI paths are relative to the repo root — absolute paths will never match |
### Hidden jobs (templates)
Jobs whose name starts with `.` are treated as reusable templates and skipped for most rules. This matches GitLab's own behaviour.
Run `glint <command> --help` for all flags. See [USAGE.md](USAGE.md) for full
examples covering output formats, context simulation, remote includes, cache,
graph modes, and project configuration.
## Development
 
@@ -4,53 +4,25 @@ This document tracks planned improvements to `glint`. Items are grouped by theme
---
## Context-aware validation — ✓ single-context shipped in v0.2.0; expression evaluator hardened post-v0.2.0; implicit defaults and --list-vars shipped v0.2.11; variable expansion and scalar handling shipped v0.2.13; workflow evaluation and output fixes shipped v0.2.14
## Context simulation
Single-context simulation is fully implemented. Pass `--branch`, `--tag`, `--source`, or `--var` to either `glint check` or `glint graph`; jobs are evaluated and shown as active / manual / skipped.
Pass `--branch`, `--tag`, `--source`, or `--var` to `glint check` or `glint graph` to evaluate `rules:if:` expressions and `only`/`except` filters against a specific pipeline event.
```bash
# shipped: single-context simulation
glint check --branch develop .gitlab-ci.yml
glint check --tag v1.2.0 .gitlab-ci.yml
glint check --source merge_request_event --var CI_MERGE_REQUEST_TARGET_BRANCH_NAME=main .gitlab-ci.yml
glint graph tree --branch main .gitlab-ci.yml   # tree annotated with [skipped] / [manual]
```
**Shipped post-v0.2.0 (unreleased)**
- ✓ **`workflow:rules:variables:` propagation** — variables defined on the matching `workflow:rules:` entry are injected into the evaluation context before job `rules:if:` expressions are evaluated. Pipeline-level `variables:` defaults are also available. Priority chain (highest wins): `--var` > shortcuts > workflow-rule vars > pipeline defaults.
- ✓ **Expression evaluator: multi-line expressions** — newlines in block-scalar and folded YAML `if:` values are now treated as whitespace; `||` / `&&` on a continuation line evaluate correctly.
- ✓ **Expression evaluator: `${VAR}` curly-brace syntax** — `${CI_COMMIT_BRANCH}` is equivalent to `$CI_COMMIT_BRANCH` everywhere.
- ✓ **Expression evaluator: regex flags** — `/pattern/i`, `/pattern/m`, `/pattern/s` are now supported; `i` maps to `(?i)` in Go's regexp.
- ✓ **Expression evaluator: variable as regex RHS** — `$BRANCH =~ $PATTERN` where `$PATTERN` holds a `/regex/` string is evaluated correctly.
- ✓ **Expression evaluator: bare `true` / `false` keywords** — treated as the strings `"true"` / `"false"` matching GitLab CI's own behaviour; `$GATEWAY_ENABLED == true` now evaluates correctly.
- ✓ **Expression evaluator: integer literals** — `$COUNT == 4`, `$ENABLED == 1`, `$DISABLED == 0` compare as decimal strings.
~~**Implicit default context**~~ — ✓ shipped v0.2.11; `glint check` and `glint graph` default to `--branch main --source push` when no context flag is given, so `rules:if:` expressions are always evaluated out of the box.
~~**`--list-vars` debug flag**~~ — ✓ shipped v0.2.11; prints sorted `KEY=VALUE` of all collected variables (pipeline YAML + included files + workflow-rule union + effective context) to stderr.
**Shipped in v0.2.13**
- ✓ **Variable expansion** — `$VAR` / `${VAR}` references within variable values are expanded after all sources are merged; transitive chains resolve over multiple passes; visible in `--list-vars` effective-context output.
- ✓ **Non-string scalar variables** — `BUILD: true`, `RETRIES: 3` and similar bare boolean/integer values now render correctly in `--list-vars` and are injected into the evaluation context as string equivalents; previously shown as `(complex)` and silently dropped.
- ✓ **YAML `\/` escape in double-quoted strings** — regex patterns like `/^us\//` in double-quoted `if:` blocks no longer cause a parse error; the raw bytes are preprocessed before YAML unmarshalling.
**Shipped in v0.2.14**
- ✓ **Workflow rule strict evaluation** — workflow `rules:if:` now uses strict mode (parse failure → skip rule, not match); fixes premature matching that blocked later rules and injected wrong variables.
- ✓ **Single `=` operator** — `=` is now accepted as an alias for `==` in `rules:if:` expressions, matching common user intent.
- ✓ **Source location through `extends:` resolution** — `File` and `Line` are now preserved when a job is rebuilt via extends, so findings reference the correct source location.
- ✓ **Sorted findings output** — findings are sorted by `(File, Line, Rule)`; same-file issues group together in line order.
- ✓ **Consistent warning format** — all warnings use ruff-style `path: [warning] message` format.
- ✓ **`--version` / `-v` flag** — prints compiled version; version also shown at the top of every `--help` output.
**Remaining work**
- **Multi-context simulation** — run multiple contexts in one invocation and print a comparison table:
  ```bash
  glint check --context branch=main --context branch=develop --context tag=v1.0.0 .gitlab-ci.yml
  ```
- ~~**Single-context simulation**~~ — ✓ shipped v0.2.0; `--branch`, `--tag`, `--source`, `--var` flags on both subcommands; jobs classified as active / manual / skipped
- ~~**`workflow:rules:variables:` propagation**~~ — ✓ shipped post-v0.2.0; variables from the matching workflow rule entry injected into the evaluation context before job `rules:if:` expressions are evaluated
- ~~**Expression evaluator: multi-line `if:` values**~~ — ✓ shipped post-v0.2.0; newlines in block-scalar and folded YAML `if:` values treated as whitespace
- ~~**Expression evaluator: `${VAR}` syntax**~~ — ✓ shipped post-v0.2.0; `${CI_COMMIT_BRANCH}` equivalent to `$CI_COMMIT_BRANCH` everywhere
- ~~**Expression evaluator: regex flags**~~ — ✓ shipped post-v0.2.0; `/pattern/i`, `/pattern/m`, `/pattern/s` supported
- ~~**Expression evaluator: variable as regex RHS**~~ — ✓ shipped post-v0.2.0; `$BRANCH =~ $PATTERN` where `$PATTERN` holds a `/regex/` string evaluates correctly
- ~~**Expression evaluator: bare `true`/`false` and integer literals**~~ — ✓ shipped post-v0.2.0; `$FLAG == true`, `$COUNT == 4` compare as decimal strings matching GitLab CI behaviour
- ~~**Implicit default context**~~ — ✓ shipped v0.2.11; defaults to `--branch main --source push` when no context flag is given, so `rules:if:` is always evaluated
- ~~**`--list-vars` debug flag**~~ — ✓ shipped v0.2.11; prints sorted `KEY=VALUE` of all collected pipeline variables (root file + includes + workflow-rule union + effective context) to stderr
- ~~**Variable expansion**~~ — ✓ shipped v0.2.13; `$VAR`/`${VAR}` references within variable values expanded after all sources are merged; transitive chains resolved; visible in `--list-vars`
- ~~**Non-string scalar variables**~~ — ✓ shipped v0.2.13; `BUILD: true`, `RETRIES: 3` rendered and injected correctly instead of being silently dropped
- ~~**YAML `\/` escape in double-quoted strings**~~ — ✓ shipped v0.2.13; regex patterns like `/^us\//` in double-quoted `if:` blocks no longer cause a parse error
- ~~**Workflow rule strict evaluation**~~ — ✓ shipped v0.2.14; unparseable `if:` skips the rule instead of matching everything; prevents wrong variables being injected
- ~~**Single `=` operator**~~ — ✓ shipped v0.2.14; bare `=` accepted as alias for `==` in `rules:if:` expressions
- **Multi-context simulation** — run multiple contexts in one invocation and print a comparison table (`--context branch=main --context branch=develop --context tag=v1.0.0`)
- **Context-scoped linting** — skip `needs:`/`dependencies:` cross-checks for jobs that are statically unreachable in the given context
- **`rules:changes:` evaluation** — path glob evaluation against the local git tree
@@ -70,7 +42,7 @@ The current rule set covers the most common sources of broken pipelines. These a
- ~~**Duplicate stage names (GL040)**~~ — ✓ shipped v0.2.16; warns when a stage appears more than once in `stages:`
- ~~**`cache:key:files` must be exact paths (GL041)**~~ — ✓ shipped v0.2.16; warns when entries look like glob patterns
- ~~**Unreachable jobs**~~ — covered by GL033 (shipped v0.2.15); every-`when:never` rules block is statically dead
- **`inherit:` completeness** — flag when a job overrides a default field that would require `inherit: default: false` to suppress
- ~~**`inherit:` completeness (GL043)**~~ — ✓ shipped v0.2.20; warns when `inherit: default:` is declared but there's no `default:` block, or list form names fields not set in `default:`
---
@@ -118,7 +90,7 @@ The SVG renderer and terminal tree cover the basic layout. These would bring it
- ~~**`needs: optional: true` false-positive errors**~~ — ✓ shipped post-v0.2.0; optional missing needs are downgraded to `[WARNING]`
- ~~**`extends:` jobs with missing script false errors**~~ — ✓ shipped post-v0.2.0; jobs using `extends:` that have no `script` after resolution emit `[WARNING]` (the script may come from an unfetchable remote base)
- **`rules:if:` static reachability** — report when a job's entire `rules:` block can never evaluate to `when: on_success` given the declared pipeline variables (pure static, no context required)
- ~~**`rules:if:` static reachability (GL042)**~~ — ✓ shipped v0.2.20; warns when all `rules:if:` conditions evaluate to false given declared variable values (only fires when all referenced vars are declared in YAML)
---
@@ -132,21 +104,17 @@ The SVG renderer and terminal tree cover the basic layout. These would bring it
---
## Configuration
## Configuration — ✓ shipped v0.2.19
- **`.glint.yml` config file** — project-level configuration for:
  - Rule suppression by rule ID (e.g. `ignore: [no-only, missing-stages]`)
  - Severity overrides (demote specific errors to warnings)
  - Custom `stages` allowlist for projects that use a non-standard default set
  - Token and URL defaults so flags are not needed in every invocation
- **Inline suppression comments** — `# glint: ignore next-line <rule-id>` in the pipeline YAML
- ~~**`.glint.yml` config file**~~ — ✓ shipped v0.2.19; `ignore:`, `severity:`, `stages:`, `token:`, `url:`, `cache_dir:`; searched from the pipeline directory up to the git root
- ~~**Inline suppression comments**~~ — ✓ shipped v0.2.19; `# glint: ignore GL007` before a job definition; comma/space-separated rules; `# glint: ignore all` wildcard
---
## Reliability and developer experience
- ~~**Structured rule IDs**~~ — ✓ shipped post-v0.2.0; GL001–GL031 assigned; GL032 added v0.2.11; GL033 added v0.2.15; GL034–GL041 added v0.2.16; output formats (--format json/sarif/junit/github) added v0.2.18
- **`--explain <rule-id>`** — print the rule description, rationale, and an example fix
- ~~**Structured rule IDs**~~ — ✓ shipped post-v0.2.0; GL001–GL031 assigned; GL032 added v0.2.11; GL033 added v0.2.15; GL034–GL041 added v0.2.16; output formats (--format json/sarif/junit/github) added v0.2.18; GL042–GL043 added v0.2.20
- ~~**`glint explain <rule-id>`**~~ — ✓ shipped v0.2.20; prints rule description, rationale, bad-YAML example, and fix; `glint explain` (no arg) lists all rules
- ~~**Semantic versioning and first release**~~ — shipped as `v0.1.0` (2026-06-07)
- ~~**Subcommand CLI**~~ — shipped as `v0.2.0` (2026-06-11); `glint check` / `glint graph [mode]` with ruff-style `--help`
- **Changelog automation** — generate release notes from Conventional Commits via `git-cliff` or similar
 
@@ -101,6 +101,24 @@ tasks:
        ignore_error: false
      - cmd: ./{{.BINARY}} check --format github testdata/invalid.yml
        ignore_error: true
      - cmd: ./{{.BINARY}} check testdata/config_ignored/.gitlab-ci.yml
        ignore_error: false
      - cmd: ./{{.BINARY}} check testdata/config_severity/.gitlab-ci.yml
        ignore_error: false
      - cmd: ./{{.BINARY}} check testdata/config_suppress/.gitlab-ci.yml
        ignore_error: false
      - cmd: ./{{.BINARY}} check testdata/static_dead_rules.yml
        ignore_error: false
      - cmd: ./{{.BINARY}} check testdata/inherit_dead.yml
        ignore_error: false
      - cmd: ./{{.BINARY}} check testdata/inherit_dead_fields.yml
        ignore_error: false
      - cmd: ./{{.BINARY}} explain GL007
        ignore_error: false
      - cmd: ./{{.BINARY}} explain gl042
        ignore_error: false
      - cmd: ./{{.BINARY}} explain
        ignore_error: false
  lint-go:
    desc: Run go vet on all packages
 
@@ -0,0 +1,314 @@
# glint — usage reference
Full examples and option descriptions for every command.
For the lint rules reference see [FEATURES.md](FEATURES.md).
---
## `glint check`
Lint a pipeline file. Exits `0` when no errors are found, `1` when at least
one error is reported (warnings alone do not fail).
```bash
glint check .gitlab-ci.yml
```
### Output formats
Pass `--format` to control the output. Plain text is the default.
```bash
# Default: ruff-style text (human-readable)
glint check .gitlab-ci.yml
# JSON — stable schema, machine-readable
glint check --format json .gitlab-ci.yml
# SARIF 2.1.0 — GitHub Code Scanning / GitLab SAST
glint check --format sarif .gitlab-ci.yml > glint.sarif
# JUnit XML — CI test-report artifact (GitLab: artifacts:reports:junit)
glint check --format junit .gitlab-ci.yml > glint-junit.xml
# GitHub Actions annotations — inline PR diff comments
glint check --format github .gitlab-ci.yml
```
In structured formats (`json`, `sarif`, `junit`, `github`) the summary line is
written to stderr so stdout contains only the machine-readable payload.
**JSON schema (`schema_version: 1`):**
```json
{
  "schema_version": 1,
  "glint_version": "v0.2.20",
  "pipeline": ".gitlab-ci.yml",
  "findings": [
    {"rule":"GL004","severity":"error","file":".gitlab-ci.yml","line":14,
     "job":"deploy","message":"stage \"production\" is not defined in 'stages'"}
  ],
  "summary": {"total": 1, "errors": 1, "warnings": 0}
}
```
**GitHub annotation lines:**
```
::error file=.gitlab-ci.yml,line=14,title=GL004::job "deploy": stage "production" is not defined in 'stages'
```
### Context simulation
Pass `--branch`, `--tag`, or `--source` to evaluate `rules:if:` and
`only`/`except` against a specific pipeline event. The pipeline is still fully
linted; the context summary is printed first. When no context flag is given,
glint defaults to `--branch main --source push`.
```bash
# What runs on a push to develop?
glint check --branch develop .gitlab-ci.yml
# What runs when a v1.2.0 tag is pushed?
glint check --tag v1.2.0 .gitlab-ci.yml
# Merge request pipeline
glint check --source merge_request_event .gitlab-ci.yml
# Arbitrary variable overrides (repeatable)
glint check --branch main --var DEPLOY_ENV=production .gitlab-ci.yml
# Debug variable resolution
glint check --list-vars .gitlab-ci.yml
```
**Predefined variables** set by the shortcut flags:
| Flag | Variables populated |
|------|---------------------|
| `--branch NAME` | `CI_COMMIT_BRANCH`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_REF_SLUG`, `CI_PIPELINE_SOURCE=push` |
| `--tag NAME` | `CI_COMMIT_TAG`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_REF_SLUG`, `CI_PIPELINE_SOURCE=push`; clears `CI_COMMIT_BRANCH` |
| `--source EVENT` | `CI_PIPELINE_SOURCE` |
| `--var KEY=VALUE` | any variable; overrides shortcuts; repeatable |
### Remote project includes
Provide a token so glint can fetch `include: project:` templates:
```bash
# Personal access token (read_api scope)
GITLAB_TOKEN=glpat-xxxx glint check .gitlab-ci.yml
# CI/CD job token (when running inside a pipeline)
CI_JOB_TOKEN=$CI_JOB_TOKEN glint check .gitlab-ci.yml
# Self-hosted GitLab
GITLAB_TOKEN=glpat-xxxx GITLAB_URL=https://gitlab.example.com glint check .gitlab-ci.yml
# Via flags (override env vars)
glint check --token glpat-xxxx --gitlab-url https://gitlab.example.com .gitlab-ci.yml
```
Project includes are skipped with a warning when no token is available; linting
continues with whatever is resolved.
**Token resolution order** (first non-empty wins):
| Source | Header |
|--------|--------|
| `--token` flag / `GITLAB_TOKEN` env | `PRIVATE-TOKEN` |
| `CI_JOB_TOKEN` env | `JOB-TOKEN` |
| `GITLAB_PRIVATE_TOKEN` env | `PRIVATE-TOKEN` |
**URL resolution order:** `--gitlab-url` flag → `CI_SERVER_URL` env → `GITLAB_URL` env → `https://gitlab.com`
### Include cache and offline mode
```bash
# Cache fetched templates to disk (keyed by SHA-256 of the request coordinates)
glint check --cache-dir ~/.cache/glint .gitlab-ci.yml
# Fully offline — serve from cache, warn on misses, make no network calls
glint check --offline .gitlab-ci.yml
glint check --offline --cache-dir /path/to/cache .gitlab-ci.yml
```
`--offline` without `--cache-dir` uses `~/.cache/glint` automatically.
There is no automatic cache expiry; delete the directory or individual entries
to force a re-fetch.
### Component reference format
`include: component:` references follow the format:
```
<host>/<project-path>/<component-name>@<version>
gitlab.com/components/secret-detection/secret-detection@v0.1.0
gitlab.com/my-org/ci-catalog/lint@main
gitlab.example.com/platform/components/build@~latest
```
The component file is looked up in order:
1. `templates/<component-name>.yml` (single-file layout)
2. `templates/<component-name>/template.yml` (directory layout)
Public Catalog components work without a token. `with:` input parameters are
substituted locally before parsing; they are not validated against the
component spec.
### Example output
```
# Clean pipeline
Context: branch=main, source=push
Active  (5): build, deploy-staging, test, lint, security-scan
OK: .gitlab-ci.yml — no issues found (5 job(s), 3 stage(s))
# With --branch develop
Context: branch=develop, source=push
Active  (3): build, deploy-staging, test
Skipped (2): deploy-prod, release-notes
OK: .gitlab-ci.yml — no issues found (5 job(s), 3 stage(s))
# Pipeline with issues
.gitlab-ci.yml:14: GL004 [error] job "deploy": stage "production" is not defined in 'stages'
.gitlab-ci.yml:22: GL027 [error] job "test": needs unknown job "build-app"
.gitlab-ci.yml:31: GL007 [warning] job "old-job": 'only'/'except' are deprecated; prefer 'rules'
3 finding(s): 2 error(s)
```
---
## `glint graph`
Visualise the pipeline. Without a mode word, prints a job tree and the include
dependency graph separated by `---`.
```bash
# Default: job tree + include dependency graph
glint graph .gitlab-ci.yml
# Job tree only
glint graph tree .gitlab-ci.yml
# Job tree with context (shows active/manual/skipped annotations)
glint graph tree --branch develop .gitlab-ci.yml
# Include dependency graph → Mermaid flowchart to stdout
glint graph includes .gitlab-ci.yml > includes.mmd
# GitLab-like pipeline layout → PNG/SVG written to --out dir
glint graph pipeline .gitlab-ci.yml
# prints the output path, e.g.: glint-out/pipeline-20260614-143022.png
# Mermaid to stdout + pipeline file path to stderr
glint graph all .gitlab-ci.yml > includes.mmd
# Custom output directory
glint graph pipeline --out /tmp/graphs .gitlab-ci.yml
```
**Job tree** — stages as branches, jobs as leaves; annotated with `[manual]`,
`[delayed]`, `[trigger]` where applicable. Context flags apply the same
evaluation as `glint check`.
**Include graph** — [Mermaid](https://mermaid.js.org) flowchart; pipe to `.mmd`
or paste into [mermaid.live](https://mermaid.live). Nodes are colour-coded by
include type: orange (main file), purple (project), green (component), blue
(local), grey (remote URL), light orange (GitLab template).
**Pipeline graph** — GitLab CI-style SVG rendered to a timestamped file.
Converted to PNG when `rsvg-convert`, `inkscape`, or `magick` is available.
DAG mode (Bézier arrows between jobs) activates automatically when any job has
a `needs:` list; classic mode uses stage-column connectors otherwise.
---
## `glint explain`
Print the documentation for a specific lint rule.
```bash
# Description, example, and fix for GL007
glint explain GL007
# Case-insensitive
glint explain gl007
# List all rules with ID, severity, and title
glint explain
```
---
## Project configuration (`.glint.yml`)
Place a `.glint.yml` anywhere in the directory tree from the pipeline file up
to the first `.git` boundary. glint searches upward and uses the first file it
finds.
```yaml
# Suppress rules globally for this project.
ignore:
  - GL007   # migrating from only:/except:
  - GL032   # dynamic variables injected by CI
# Override rule severity: error | warning | ignore
# 'ignore' is equivalent to listing the rule under ignore:.
severity:
  GL004: warning   # demote during a stage migration
  GL035: error     # promote to hard error for this project
# Extra stage names valid beyond those declared in the pipeline YAML
# (e.g. injected by an include template you don't own).
stages:
  - quality
  - security
# Default token — lower priority than --token and GITLAB_TOKEN.
token: glpat-xxxx
# Default GitLab instance URL.
url: https://gitlab.example.com
# Default cache directory for fetched remote includes.
cache_dir: ~/.cache/glint
```
**Priority chain:** `--token`/`--gitlab-url` flags > `.glint.yml` > environment variables.
---
## Inline suppression (`# glint: ignore`)
Suppress a finding for a specific job by placing a comment immediately before
the job definition in the pipeline YAML:
```yaml
# glint: ignore GL007
legacy-job:
  stage: build
  only: [main]
  script: echo ok
# Multiple rules — comma- or space-separated:
# glint: ignore GL007, GL032
other-job:
  stage: build
  script: echo ok
# Suppress every rule for this job:
# glint: ignore all
noisy-job:
  stage: build
  script: echo ok
```
Suppressions are scoped to the single job they precede and do not affect other
jobs or pipeline-level findings. For project-wide suppression, use `.glint.yml`
`ignore:` instead.
@@ -0,0 +1,69 @@
package main
import (
	"fmt"
	"os"
	"sort"
	"strings"
	"git.k3nny.fr/glint/internal/linter"
)
func cmdExplain(args []string) {
	if len(args) == 0 {
		printRuleList()
		return
	}
	ruleID := strings.ToUpper(args[0])
	entry, ok := linter.RuleCatalog[ruleID]
	if !ok {
		fmt.Fprintf(os.Stderr, "glint explain: unknown rule %q\n\nRun 'glint explain' to list all rules.\n", ruleID)
		os.Exit(2)
	}
	printRuleEntry(ruleID, entry)
}
func printRuleEntry(id string, e linter.RuleEntry) {
	sev := strings.ToLower(string(e.Severity))
	header := fmt.Sprintf("%s  [%s]  %s", id, sev, e.Title)
	rule := fmt.Sprintf("\n%s\n%s\n\n%s\n",
		header,
		strings.Repeat("─", len(header)),
		e.Description,
	)
	fmt.Print(rule)
	if e.Example != "" {
		fmt.Println("Example:")
		fmt.Println()
		for _, line := range strings.Split(e.Example, "\n") {
			fmt.Printf("  %s\n", line)
		}
		fmt.Println()
	}
	if e.Fix != "" {
		fmt.Println("Fix:")
		fmt.Println()
		for _, line := range strings.Split(e.Fix, "\n") {
			fmt.Printf("  %s\n", line)
		}
		fmt.Println()
	}
}
func printRuleList() {
	ids := make([]string, 0, len(linter.RuleCatalog))
	for id := range linter.RuleCatalog {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	fmt.Printf("glint %s — lint rules\n\n", version)
	for _, id := range ids {
		e := linter.RuleCatalog[id]
		sev := strings.ToLower(string(e.Severity))
		fmt.Printf("  %-6s  [%-7s]  %s\n", id, sev, e.Title)
	}
	fmt.Println("\nUse 'glint explain <RULE>' for details on a specific rule.")
}
@@ -0,0 +1,87 @@
package main
import (
	"strings"
	"git.k3nny.fr/glint/internal/config"
	"git.k3nny.fr/glint/internal/linter"
)
// applyConfig filters and adjusts findings according to the project config
// and inline suppression comments parsed from the pipeline YAML.
//
// Processing order:
//  1. Build a combined ignore set from config.Ignore and any severity entry
//     whose value is "ignore".
//  2. Drop findings whose rule is in the ignore set.
//  3. Drop findings suppressed by an inline "# glint: ignore" comment on the
//     job definition (from p.Suppressions).
//  4. Apply severity overrides ("error" / "warning") from config.Severity.
func applyConfig(findings []linter.Finding, cfg config.Config, suppressions map[string][]string) []linter.Finding {
	// Build the global ignore set (uppercased rule IDs).
	ignoreSet := make(map[string]bool, len(cfg.Ignore))
	for _, r := range cfg.Ignore {
		ignoreSet[strings.ToUpper(r)] = true
	}
	// Severity entries with value "ignore" are equivalent to Ignore entries.
	sevMap := make(map[string]string, len(cfg.Severity)) // upperRule → lowerLevel
	for rule, sev := range cfg.Severity {
		upper := strings.ToUpper(rule)
		lower := strings.ToLower(sev)
		sevMap[upper] = lower
		if lower == "ignore" {
			ignoreSet[upper] = true
		}
	}
	if len(ignoreSet) == 0 && len(sevMap) == 0 && len(suppressions) == 0 {
		return findings
	}
	kept := findings[:0:0] // reuse underlying array but return fresh slice
	for _, f := range findings {
		ruleUpper := strings.ToUpper(f.Rule)
		// Global ignore.
		if ignoreSet[ruleUpper] {
			continue
		}
		// Inline suppression.
		if isSuppressed(f.Job, ruleUpper, suppressions) {
			continue
		}
		// Severity override.
		if level, ok := sevMap[ruleUpper]; ok {
			switch level {
			case "error":
				f.Severity = linter.Error
			case "warning":
				f.Severity = linter.Warning
			}
		}
		kept = append(kept, f)
	}
	return kept
}
// isSuppressed reports whether jobName has a "# glint: ignore" directive that
// covers ruleUpper. The wildcard entry "*" (from "# glint: ignore all")
// suppresses every rule.
func isSuppressed(jobName, ruleUpper string, suppressions map[string][]string) bool {
	if jobName == "" || len(suppressions) == 0 {
		return false
	}
	rules, ok := suppressions[jobName]
	if !ok {
		return false
	}
	for _, r := range rules {
		if r == "*" || r == ruleUpper {
			return true
		}
	}
	return false
}
@@ -0,0 +1,116 @@
package main
import (
	"testing"
	"git.k3nny.fr/glint/internal/config"
	"git.k3nny.fr/glint/internal/linter"
)
func TestApplyConfig(t *testing.T) {
	findings := []linter.Finding{
		{Severity: linter.Error, Rule: "GL004", Job: "deploy", File: "ci.yml", Line: 10, Message: "bad stage"},
		{Severity: linter.Warning, Rule: "GL007", Job: "old-job", File: "ci.yml", Line: 20, Message: "deprecated"},
		{Severity: linter.Warning, Rule: "GL032", Job: "check", File: "ci.yml", Line: 30, Message: "var ref"},
	}
	t.Run("no config — pass through", func(t *testing.T) {
		got := applyConfig(findings, config.Config{}, nil)
		if len(got) != 3 {
			t.Errorf("got %d findings, want 3", len(got))
		}
	})
	t.Run("ignore GL007", func(t *testing.T) {
		cfg := config.Config{Ignore: []string{"GL007"}}
		got := applyConfig(findings, cfg, nil)
		if len(got) != 2 {
			t.Fatalf("got %d findings, want 2", len(got))
		}
		for _, f := range got {
			if f.Rule == "GL007" {
				t.Error("GL007 should be suppressed")
			}
		}
	})
	t.Run("ignore case-insensitive", func(t *testing.T) {
		cfg := config.Config{Ignore: []string{"gl007"}}
		got := applyConfig(findings, cfg, nil)
		if len(got) != 2 {
			t.Fatalf("got %d, want 2", len(got))
		}
	})
	t.Run("severity demote error to warning", func(t *testing.T) {
		cfg := config.Config{Severity: map[string]string{"GL004": "warning"}}
		got := applyConfig(findings, cfg, nil)
		if len(got) != 3 {
			t.Fatalf("got %d findings, want 3", len(got))
		}
		if got[0].Severity != linter.Warning {
			t.Errorf("GL004 severity = %s, want WARNING", got[0].Severity)
		}
	})
	t.Run("severity promote warning to error", func(t *testing.T) {
		cfg := config.Config{Severity: map[string]string{"GL007": "error"}}
		got := applyConfig(findings, cfg, nil)
		if got[1].Severity != linter.Error {
			t.Errorf("GL007 severity = %s, want ERROR", got[1].Severity)
		}
	})
	t.Run("severity ignore is equivalent to ignore list", func(t *testing.T) {
		cfg := config.Config{Severity: map[string]string{"GL032": "ignore"}}
		got := applyConfig(findings, cfg, nil)
		if len(got) != 2 {
			t.Fatalf("got %d, want 2", len(got))
		}
		for _, f := range got {
			if f.Rule == "GL032" {
				t.Error("GL032 should be suppressed via severity=ignore")
			}
		}
	})
	t.Run("inline suppression by job", func(t *testing.T) {
		suppressions := map[string][]string{
			"old-job": {"GL007"},
		}
		got := applyConfig(findings, config.Config{}, suppressions)
		if len(got) != 2 {
			t.Fatalf("got %d, want 2", len(got))
		}
		for _, f := range got {
			if f.Job == "old-job" && f.Rule == "GL007" {
				t.Error("old-job GL007 should be suppressed")
			}
		}
	})
	t.Run("inline suppression wildcard", func(t *testing.T) {
		suppressions := map[string][]string{
			"old-job": {"*"},
		}
		got := applyConfig(findings, config.Config{}, suppressions)
		// old-job had GL007; should be gone
		if len(got) != 2 {
			t.Fatalf("got %d, want 2", len(got))
		}
	})
	t.Run("pipeline-level findings not suppressed by job comment", func(t *testing.T) {
		pipelineFindings := []linter.Finding{
			{Severity: linter.Error, Rule: "GL001", Job: "", File: "ci.yml", Line: 0, Message: "no stages"},
		}
		suppressions := map[string][]string{
			"": {"GL001"}, // empty job key should not match pipeline-level
		}
		got := applyConfig(pipelineFindings, config.Config{}, suppressions)
		// Pipeline-level findings (f.Job == "") are never suppressed by job comments.
		if len(got) != 1 {
			t.Errorf("got %d, want 1 (pipeline-level finding must not be suppressed)", len(got))
		}
	})
}
@@ -9,6 +9,7 @@ import (
	"strings"
	"git.k3nny.fr/glint/internal/cicontext"
	"git.k3nny.fr/glint/internal/config"
	"git.k3nny.fr/glint/internal/fetcher"
	"git.k3nny.fr/glint/internal/graph"
	"git.k3nny.fr/glint/internal/linter"
@@ -38,6 +39,7 @@ Usage: glint [OPTIONS] <COMMAND>
Commands:
  check    Lint a pipeline file — exits 0 (clean) or 1 (errors found)
  graph    Visualise the pipeline as a job tree or Mermaid graph
  explain  Show description and fix for a lint rule (e.g. glint explain GL007)
Options:
  -h, --help     Print help
@@ -56,6 +58,8 @@ func main() {
		cmdCheck(os.Args[2:])
	case "graph":
		cmdGraph(os.Args[2:])
	case "explain":
		cmdExplain(os.Args[2:])
	case "-h", "--help", "help":
		fmt.Fprintf(os.Stderr, "glint %s\n\n", version)
		fmt.Fprint(os.Stderr, globalUsage)
@@ -193,14 +197,34 @@ Examples:
		os.Exit(2)
	}
	path := fs.Arg(0)
	rootDir := filepath.Dir(filepath.Clean(path))
	// --offline with no explicit --cache-dir defaults to ~/.cache/glint.
	// Load project config (.glint.yml), searching from the pipeline directory
	// up to the git root.
	glintCfg, cfgErr := config.Load(rootDir)
	if cfgErr != nil {
		fmt.Fprintf(os.Stderr, "%s: [warning] %s: %v\n", path, config.Filename, cfgErr)
	}
	// CLI flags take priority over config file values, which take priority over
	// environment variables (read by AutoConfig).
	fetcherToken := *token
	if fetcherToken == "" {
		fetcherToken = glintCfg.Token
	}
	fetcherURL := *gitlabURL
	if fetcherURL == "" {
		fetcherURL = glintCfg.URL
	}
	resolvedCacheDir := *cacheDir
	if resolvedCacheDir == "" {
		resolvedCacheDir = glintCfg.CacheDir
	}
	if *offline && resolvedCacheDir == "" {
		resolvedCacheDir = defaultCacheDir()
	}
	cfg := fetcher.AutoConfig().WithOverrides(*gitlabURL, *token, resolvedCacheDir, *offline)
	cfg := fetcher.AutoConfig().WithOverrides(fetcherURL, fetcherToken, resolvedCacheDir, *offline)
	p, err := model.Parse(path)
	if err != nil {
@@ -208,7 +232,19 @@ Examples:
		os.Exit(2)
	}
	rootDir := filepath.Dir(filepath.Clean(path))
	// Merge config-defined stages into the pipeline before linting so that
	// GL004 does not fire for jobs in stages declared only in .glint.yml.
	stageSet := make(map[string]bool, len(p.Stages))
	for _, s := range p.Stages {
		stageSet[s] = true
	}
	for _, s := range glintCfg.Stages {
		if !stageSet[s] {
			p.Stages = append(p.Stages, s)
			stageSet[s] = true
		}
	}
	warnings, _ := resolver.ResolveIncludes(p, cfg, rootDir)
	for _, w := range warnings {
		fmt.Fprintf(os.Stderr, "%s: [warning] include %s\n", path, w)
@@ -239,6 +275,7 @@ Examples:
	}
	findings := linter.Lint(p)
	findings = applyConfig(findings, glintCfg, p.Suppressions)
	errCount, _ := countSeverities(findings)
	// In structured formats the summary line goes to stderr so stdout is clean.
 
@@ -0,0 +1,75 @@
package config
import (
	"fmt"
	"os"
	"path/filepath"
	"gopkg.in/yaml.v3"
)
// Filename is the name of the project-level glint configuration file.
const Filename = ".glint.yml"
// Config holds project-level glint configuration loaded from .glint.yml.
type Config struct {
	// Ignore lists rule IDs to suppress entirely (e.g. ["GL007", "GL032"]).
	Ignore []string `yaml:"ignore"`
	// Severity maps rule IDs to overridden severity levels.
	// Valid values: "error", "warning", "ignore".
	// "ignore" is equivalent to listing the rule in Ignore.
	Severity map[string]string `yaml:"severity"`
	// Stages lists additional stage names that are considered valid for this
	// project, beyond what is declared in the pipeline's own stages: block.
	// Jobs in these stages are not flagged by GL004.
	Stages []string `yaml:"stages"`
	// Token is a default GitLab personal access token used when neither the
	// --token flag nor GITLAB_TOKEN (/ CI_JOB_TOKEN / GITLAB_PRIVATE_TOKEN)
	// environment variables are set.
	Token string `yaml:"token"`
	// URL is the default GitLab instance URL. Overridden by --gitlab-url and
	// the CI_SERVER_URL / GITLAB_URL environment variables.
	URL string `yaml:"url"`
	// CacheDir is the default directory for caching fetched remote includes.
	// Overridden by the --cache-dir flag.
	CacheDir string `yaml:"cache_dir"`
}
// Load searches for a .glint.yml file starting from dir and walking up toward
// the filesystem root. The walk stops at the first .git directory found (the
// repository root) or at the filesystem root. Returns an empty Config (and no
// error) when no config file is found.
func Load(dir string) (Config, error) {
	dir = filepath.Clean(dir)
	for {
		candidate := filepath.Join(dir, Filename)
		data, err := os.ReadFile(candidate)
		if err == nil {
			var cfg Config
			if yerr := yaml.Unmarshal(data, &cfg); yerr != nil {
				return Config{}, fmt.Errorf("parsing %s: %w", candidate, yerr)
			}
			return cfg, nil
		}
		if !os.IsNotExist(err) {
			return Config{}, fmt.Errorf("reading %s: %w", candidate, err)
		}
		// Stop when we reach a git root so we don't wander into parent repos.
		if _, serr := os.Stat(filepath.Join(dir, ".git")); serr == nil {
			break
		}
		parent := filepath.Dir(dir)
		if parent == dir {
			break // filesystem root
		}
		dir = parent
	}
	return Config{}, nil
}
@@ -0,0 +1,112 @@
package config
import (
	"os"
	"path/filepath"
	"testing"
)
func TestLoad_NotFound(t *testing.T) {
	tmp := t.TempDir()
	cfg, err := Load(tmp)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	if len(cfg.Ignore) != 0 || cfg.Token != "" || cfg.URL != "" {
		t.Errorf("expected empty config, got %+v", cfg)
	}
}
func TestLoad_Found(t *testing.T) {
	tmp := t.TempDir()
	content := `
ignore:
  - GL007
  - GL032
severity:
  GL004: warning
stages:
  - quality
token: glpat-test
url: https://gitlab.example.com
cache_dir: /tmp/glint-cache
`
	if err := os.WriteFile(filepath.Join(tmp, Filename), []byte(content), 0o644); err != nil {
		t.Fatal(err)
	}
	cfg, err := Load(tmp)
	if err != nil {
		t.Fatalf("Load: %v", err)
	}
	if len(cfg.Ignore) != 2 || cfg.Ignore[0] != "GL007" {
		t.Errorf("ignore = %v", cfg.Ignore)
	}
	if cfg.Severity["GL004"] != "warning" {
		t.Errorf("severity = %v", cfg.Severity)
	}
	if len(cfg.Stages) != 1 || cfg.Stages[0] != "quality" {
		t.Errorf("stages = %v", cfg.Stages)
	}
	if cfg.Token != "glpat-test" {
		t.Errorf("token = %q", cfg.Token)
	}
	if cfg.URL != "https://gitlab.example.com" {
		t.Errorf("url = %q", cfg.URL)
	}
	if cfg.CacheDir != "/tmp/glint-cache" {
		t.Errorf("cache_dir = %q", cfg.CacheDir)
	}
}
func TestLoad_WalksUp(t *testing.T) {
	tmp := t.TempDir()
	sub := filepath.Join(tmp, "subdir", "pipeline")
	if err := os.MkdirAll(sub, 0o755); err != nil {
		t.Fatal(err)
	}
	// Config at the top-level (no .git, so walk continues to tmp).
	if err := os.WriteFile(filepath.Join(tmp, Filename), []byte("token: walked-up\n"), 0o644); err != nil {
		t.Fatal(err)
	}
	cfg, err := Load(sub)
	if err != nil {
		t.Fatalf("Load: %v", err)
	}
	if cfg.Token != "walked-up" {
		t.Errorf("token = %q, want walked-up", cfg.Token)
	}
}
func TestLoad_StopsAtGitRoot(t *testing.T) {
	tmp := t.TempDir()
	sub := filepath.Join(tmp, "repo", "src")
	if err := os.MkdirAll(sub, 0o755); err != nil {
		t.Fatal(err)
	}
	// .git marks the repo root — walk must stop here.
	if err := os.Mkdir(filepath.Join(tmp, "repo", ".git"), 0o755); err != nil {
		t.Fatal(err)
	}
	// Config placed ABOVE the .git root should not be found.
	if err := os.WriteFile(filepath.Join(tmp, Filename), []byte("token: should-not-load\n"), 0o644); err != nil {
		t.Fatal(err)
	}
	cfg, err := Load(sub)
	if err != nil {
		t.Fatalf("Load: %v", err)
	}
	if cfg.Token != "" {
		t.Errorf("token = %q, should not have crossed .git boundary", cfg.Token)
	}
}
func TestLoad_InvalidYAML(t *testing.T) {
	tmp := t.TempDir()
	if err := os.WriteFile(filepath.Join(tmp, Filename), []byte("ignore: [unclosed\n"), 0o644); err != nil {
		t.Fatal(err)
	}
	_, err := Load(tmp)
	if err == nil {
		t.Error("expected error for invalid YAML")
	}
}
@@ -0,0 +1,819 @@
package linter
// RuleEntry holds the human-readable documentation for a single lint rule,
// shown by 'glint explain <RULE>'.
type RuleEntry struct {
	Title       string   // short title (one line)
	Severity    Severity // Error or Warning
	Description string   // what triggers the rule and why it matters
	Example     string   // YAML snippet that triggers the rule
	Fix         string   // corrected YAML
}
// RuleCatalog maps stable rule IDs to their documentation entries.
var RuleCatalog = map[string]RuleEntry{
	RuleNoStages: {
		Title:    "no stages defined",
		Severity: Warning,
		Description: "The pipeline has no 'stages:' block. GitLab falls back to the " +
			"built-in default stages (build, test, deploy), which may not match your " +
			"intended job ordering.",
		Example: `# No stages: block
build-job:
  script: make build
test-job:
  script: make test`,
		Fix: `stages:
  - build
  - test
build-job:
  stage: build
  script: make build
test-job:
  stage: test
  script: make test`,
	},
	RuleWorkflowWhen: {
		Title:    "workflow.rules.when invalid value",
		Severity: Error,
		Description: "'workflow.rules[n].when' only accepts 'always' or 'never'. Any " +
			"other value (such as 'on_success' or 'manual') is invalid and will cause " +
			"the pipeline to fail to create.",
		Example: `workflow:
  rules:
    - if: $CI_COMMIT_BRANCH
      when: on_success   # invalid here`,
		Fix: `workflow:
  rules:
    - if: $CI_COMMIT_BRANCH
      when: always`,
	},
	RuleMissingScript: {
		Title:    "missing required 'script' field",
		Severity: Error,
		Description: "Every non-trigger, non-pages job must define 'script:' (or 'run:' " +
			"for CI Steps). A job with no script will fail immediately when GitLab tries " +
			"to run it.",
		Example: `my-job:
  stage: test
  image: python:3.12
  # Missing script:`,
		Fix: `my-job:
  stage: test
  image: python:3.12
  script: pytest`,
	},
	RuleUnknownStage: {
		Title:    "job references undeclared stage",
		Severity: Error,
		Description: "The job's 'stage:' value does not match any name in the pipeline's " +
			"'stages:' list. GitLab will reject the pipeline configuration.",
		Example: `stages:
  - build
  - test
deploy-job:
  stage: production   # not in stages:
  script: ./deploy.sh`,
		Fix: `stages:
  - build
  - test
  - production
deploy-job:
  stage: production
  script: ./deploy.sh`,
	},
	RuleOnlyRulesConflict: {
		Title:    "'only:' and 'rules:' used together",
		Severity: Error,
		Description: "'only:' and 'rules:' are mutually exclusive. Using both on the " +
			"same job is a configuration error that prevents the pipeline from being " +
			"created.",
		Example: `my-job:
  only:
    - main
  rules:
    - if: $CI_COMMIT_BRANCH
  script: echo conflict`,
		Fix: `# Remove only: and use rules: exclusively
my-job:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  script: echo ok`,
	},
	RuleExceptRulesConflict: {
		Title:    "'except:' and 'rules:' used together",
		Severity: Error,
		Description: "'except:' and 'rules:' are mutually exclusive. Using both on the " +
			"same job is a configuration error that prevents the pipeline from being " +
			"created.",
		Example: `my-job:
  except:
    - tags
  rules:
    - if: $CI_COMMIT_BRANCH
  script: echo conflict`,
		Fix: `my-job:
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_COMMIT_BRANCH
  script: echo ok`,
	},
	RuleDeprecatedOnly: {
		Title:    "'only:' / 'except:' deprecated",
		Severity: Warning,
		Description: "'only:' and 'except:' are deprecated in favour of 'rules:'. " +
			"GitLab may remove support for these keywords in a future major version. " +
			"'rules:' is more expressive and supports variable references, merge-request " +
			"conditions, and fine-grained 'when:' control.",
		Example: `my-job:
  only:
    - main
  script: ./deploy.sh`,
		Fix: `my-job:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  script: ./deploy.sh`,
	},
	RuleInvalidWhen: {
		Title:    "'when:' has invalid value",
		Severity: Error,
		Description: "Job-level 'when:' accepts: on_success, on_failure, always, " +
			"manual, delayed, never. Any other value is rejected by GitLab.",
		Example: `my-job:
  when: sometimes   # invalid
  script: echo hi`,
		Fix: `my-job:
  when: on_success
  script: echo hi`,
	},
	RuleDelayedNoStartIn: {
		Title:    "'when: delayed' without 'start_in:'",
		Severity: Error,
		Description: "'when: delayed' requires a 'start_in:' duration (e.g. " +
			"'30 minutes', '1 hour'). Without it GitLab rejects the job configuration.",
		Example: `my-job:
  when: delayed
  script: echo hi`,
		Fix: `my-job:
  when: delayed
  start_in: 30 minutes
  script: echo hi`,
	},
	RuleStartInNoDelayed: {
		Title:    "'start_in:' without 'when: delayed'",
		Severity: Error,
		Description: "'start_in:' is only meaningful when 'when: delayed'. Setting it " +
			"alongside any other 'when:' value is a configuration error.",
		Example: `my-job:
  when: on_success
  start_in: 30 minutes   # only valid with delayed
  script: echo hi`,
		Fix: `my-job:
  when: delayed
  start_in: 30 minutes
  script: echo hi`,
	},
	RuleInvalidParallel: {
		Title:    "'parallel:' value invalid",
		Severity: Error,
		Description: "'parallel:' must be an integer between 2 and 200 (inclusive), " +
			"or a map with a 'matrix:' key for matrix jobs. Values outside this range " +
			"or the wrong type are rejected by GitLab.",
		Example: `my-job:
  parallel: 1   # must be 2–200
  script: echo hi`,
		Fix: `my-job:
  parallel: 5
  script: echo hi`,
	},
	RuleInvalidRetry: {
		Title:    "'retry:' value invalid",
		Severity: Error,
		Description: "'retry:' accepts an integer 0–2 or a map with optional 'max:' " +
			"(0–2) and 'when:' keys. Values outside this range are rejected.",
		Example: `my-job:
  retry: 5   # max is 2
  script: echo hi`,
		Fix: `my-job:
  retry: 2
  script: echo hi`,
	},
	RuleInvalidRetryWhen: {
		Title:    "'retry.when:' has invalid failure type",
		Severity: Error,
		Description: "'retry.when:' must be a recognised GitLab CI failure type " +
			"(e.g. script_failure, runner_system_failure) or 'always'. Unknown " +
			"values are rejected.",
		Example: `my-job:
  retry:
    max: 2
    when: disk_full   # not a valid failure type
  script: echo hi`,
		Fix: `my-job:
  retry:
    max: 2
    when: runner_system_failure
  script: echo hi`,
	},
	RuleInvalidAllowFailure: {
		Title:    "'allow_failure:' invalid value",
		Severity: Error,
		Description: "'allow_failure:' must be a boolean (true/false) or a map with " +
			"an 'exit_codes:' key. Other forms are rejected by GitLab.",
		Example: `my-job:
  allow_failure: maybe   # must be true/false or map
  script: echo hi`,
		Fix: `my-job:
  allow_failure: true
  script: echo hi`,
	},
	RuleInvalidInterruptible: {
		Title:    "'interruptible:' is not a boolean",
		Severity: Error,
		Description: "'interruptible:' must be a boolean (true or false). Other types " +
			"are rejected.",
		Example: `my-job:
  interruptible: yes   # must be a YAML boolean true/false
  script: echo hi`,
		Fix: `my-job:
  interruptible: true
  script: echo hi`,
	},
	RuleTriggerWithScript: {
		Title:    "trigger job also defines 'script:'",
		Severity: Error,
		Description: "Jobs with a 'trigger:' key (downstream pipeline triggers) cannot " +
			"use 'script:'. These are mutually exclusive — a trigger job has no runner " +
			"environment to execute scripts in.",
		Example: `trigger-job:
  trigger:
    project: mygroup/myproject
  script: echo this will fail`,
		Fix: `trigger-job:
  trigger:
    project: mygroup/myproject`,
	},
	RuleInvalidTrigger: {
		Title:    "trigger: map missing 'project:' or 'include:'",
		Severity: Error,
		Description: "When 'trigger:' is a map it must specify either 'project:' " +
			"(downstream project trigger) or 'include:' (dynamic child pipeline). " +
			"Without one of these keys GitLab cannot determine what to trigger.",
		Example: `trigger-job:
  trigger:
    strategy: depend   # missing project: or include:`,
		Fix: `trigger-job:
  trigger:
    project: mygroup/downstream
    strategy: depend`,
	},
	RuleInvalidCoverage: {
		Title:    "'coverage:' is not a regex pattern",
		Severity: Error,
		Description: "'coverage:' must be a regex pattern wrapped in forward slashes " +
			"(e.g. '/Coverage: \\d+\\.?\\d*%/'). GitLab uses this pattern to extract " +
			"the coverage percentage from job output.",
		Example: `my-job:
  coverage: "\\d+%"   # missing surrounding /…/
  script: pytest --cov`,
		Fix: `my-job:
  coverage: '/Coverage: \d+\.?\d*%/'
  script: pytest --cov`,
	},
	RuleInvalidRelease: {
		Title:    "'release:' missing required 'tag_name:'",
		Severity: Error,
		Description: "'release:' must be a map and must include a 'tag_name:' key. " +
			"Without it GitLab cannot create the release.",
		Example: `release-job:
  script: echo releasing
  release:
    name: My Release   # missing tag_name:`,
		Fix: `release-job:
  script: echo releasing
  release:
    tag_name: $CI_COMMIT_TAG
    name: My Release`,
	},
	RuleInvalidEnvironment: {
		Title:    "'environment:' invalid url or action",
		Severity: Error,
		Description: "'environment.url' requires 'environment.name' to be set. " +
			"'environment.action' must be one of: start, stop, prepare, verify, access.",
		Example: `my-job:
  script: ./deploy.sh
  environment:
    url: https://prod.example.com   # name: is required`,
		Fix: `my-job:
  script: ./deploy.sh
  environment:
    name: production
    url: https://prod.example.com`,
	},
	RuleInvalidArtifacts: {
		Title:    "'artifacts:' invalid configuration",
		Severity: Error,
		Description: "'artifacts.when' must be on_success, on_failure, or always. " +
			"'artifacts.expose_as' requires 'artifacts.paths' to be set.",
		Example: `my-job:
  script: make
  artifacts:
    when: sometimes   # invalid value`,
		Fix: `my-job:
  script: make
  artifacts:
    when: on_failure
    paths:
      - build/logs/`,
	},
	RulePagesPublic: {
		Title:    "pages job missing 'public' in artifacts.paths",
		Severity: Warning,
		Description: "The 'pages' job must include 'public' (or a path starting with " +
			"'public/') in 'artifacts.paths' for GitLab Pages to deploy the site.",
		Example: `pages:
  script: hugo
  artifacts:
    paths:
      - dist/   # should include public/`,
		Fix: `pages:
  script: hugo --destination public
  artifacts:
    paths:
      - public/`,
	},
	RuleInvalidCache: {
		Title:    "'cache:' invalid when or policy",
		Severity: Error,
		Description: "'cache.when' must be on_success, on_failure, or always. " +
			"'cache.policy' must be pull, push, or pull-push.",
		Example: `my-job:
  script: npm ci
  cache:
    paths: [node_modules/]
    policy: read-only   # invalid; use pull`,
		Fix: `my-job:
  script: npm ci
  cache:
    paths: [node_modules/]
    policy: pull`,
	},
	RuleInvalidRulesWhen: {
		Title:    "'rules[n].when:' has invalid value",
		Severity: Error,
		Description: "Inside a 'rules:' block, 'when:' must be one of: on_success, " +
			"on_failure, always, manual, delayed, never. Other values are rejected.",
		Example: `my-job:
  rules:
    - if: $CI_COMMIT_BRANCH
      when: conditional   # not valid here
  script: echo hi`,
		Fix: `my-job:
  rules:
    - if: $CI_COMMIT_BRANCH
      when: on_success
  script: echo hi`,
	},
	RuleInvalidImage: {
		Title:    "'image:' map form missing 'name:'",
		Severity: Error,
		Description: "When 'image:' is a map, it must include a 'name:' key specifying " +
			"the Docker image. Without it GitLab cannot resolve which image to pull.",
		Example: `my-job:
  image:
    entrypoint: ["/bin/sh"]   # missing name:
  script: echo hi`,
		Fix: `my-job:
  image:
    name: alpine:3.19
    entrypoint: ["/bin/sh"]
  script: echo hi`,
	},
	RuleInvalidInherit: {
		Title:    "'inherit.default' or 'inherit.variables' invalid type",
		Severity: Error,
		Description: "'inherit.default' and 'inherit.variables' must each be a boolean " +
			"(true/false) or a list of field/variable names. Other types are rejected.",
		Example: `my-job:
  inherit:
    default: "no"   # must be true/false or a list
  script: echo hi`,
		Fix: `my-job:
  inherit:
    default: false
  script: echo hi`,
	},
	RuleNeedsUnknown: {
		Title:    "'needs:' references unknown job",
		Severity: Error,
		Description: "A job in the 'needs:' list does not exist in the pipeline. " +
			"GitLab will refuse to create the pipeline.",
		Example: `build:
  stage: build
  script: make
test:
  stage: test
  needs: [build, lint]   # lint does not exist
  script: make test`,
		Fix: `lint:
  stage: build
  script: make lint
build:
  stage: build
  script: make
test:
  stage: test
  needs: [build, lint]
  script: make test`,
	},
	RuleNeedsStageOrder: {
		Title:    "'needs:' job is in a later stage",
		Severity: Error,
		Description: "A job listed in 'needs:' is in a later stage than the current " +
			"job. GitLab does not allow needs: to reference future stages.",
		Example: `stages: [build, test, deploy]
test:
  stage: test
  needs: [deploy-job]   # deploy-job is in a later stage
  script: make test
deploy-job:
  stage: deploy
  script: ./deploy.sh`,
		Fix: `stages: [build, test, deploy]
test:
  stage: test
  needs: [build-job]
  script: make test
build-job:
  stage: build
  script: make`,
	},
	RuleNeedsCycle: {
		Title:    "circular dependency in 'needs:' graph",
		Severity: Error,
		Description: "Two or more jobs in the 'needs:' graph form a cycle — A needs B " +
			"and B needs A (directly or transitively). GitLab will reject the pipeline.",
		Example: `job-a:
  stage: test
  needs: [job-b]
  script: echo a
job-b:
  stage: test
  needs: [job-a]
  script: echo b`,
		Fix: `job-a:
  stage: test
  script: echo a
job-b:
  stage: test
  needs: [job-a]
  script: echo b`,
	},
	RuleUnknownDependency: {
		Title:    "'dependencies:' references unknown job",
		Severity: Error,
		Description: "A job listed in 'dependencies:' does not exist in the pipeline. " +
			"GitLab will refuse to create the pipeline.",
		Example: `test:
  stage: test
  dependencies: [build, missing-job]
  script: make test`,
		Fix: `build:
  stage: build
  script: make
  artifacts:
    paths: [dist/]
test:
  stage: test
  dependencies: [build]
  script: make test`,
	},
	RuleDependencyStage: {
		Title:    "'dependencies:' job in same or later stage",
		Severity: Error,
		Description: "'dependencies:' can only reference jobs in earlier stages. " +
			"Referencing a job in the same or a later stage is not allowed because " +
			"artifacts would not yet be available.",
		Example: `stages: [test, deploy]
test:
  stage: test
  dependencies: [deploy-job]   # deploy is a later stage
  script: make test
deploy-job:
  stage: deploy
  script: ./deploy.sh`,
		Fix: `stages: [build, test, deploy]
build:
  stage: build
  script: make
  artifacts:
    paths: [dist/]
test:
  stage: test
  dependencies: [build]
  script: make test`,
	},
	RuleUndeclaredVariable: {
		Title:    "'rules:if:' references undeclared variable",
		Severity: Warning,
		Description: "A 'rules:if:' expression references a variable that is not " +
			"declared in any 'variables:' block in the pipeline YAML. This may be a " +
			"typo, or the variable may be set in GitLab project settings (invisible to " +
			"glint). Predefined CI_* and GITLAB_* variables are always exempt.",
		Example: `variables:
  APP_ENV: staging
my-job:
  rules:
    - if: $DEPLOY_ENV == "prod"   # DEPLOY_ENV not declared
  script: ./deploy.sh`,
		Fix: `variables:
  APP_ENV: staging
  DEPLOY_ENV: staging   # declare it, or set it in GitLab project settings
my-job:
  rules:
    - if: $DEPLOY_ENV == "prod"
  script: ./deploy.sh`,
	},
	RuleDeadRules: {
		Title:    "rules: block has all 'when: never' — job permanently excluded",
		Severity: Warning,
		Description: "Every rule in the job's 'rules:' block has an explicit " +
			"'when: never'. No matter which conditions match, the job will never " +
			"be included in any pipeline run.",
		Example: `my-job:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: never
    - when: never
  script: echo unreachable`,
		Fix: `# Option 1: remove the job entirely
# Option 2: give at least one rule a non-never when:
my-job:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: on_success
    - when: never
  script: echo deploy`,
	},
	RuleInvalidService: {
		Title:    "'services:' map form missing 'name:' or invalid 'alias:'",
		Severity: Error,
		Description: "When a service entry is a map it must include a 'name:' key. " +
			"'alias:' (if set) must be a valid DNS label: alphanumeric characters, " +
			"hyphens, and dots only; must start and end with alphanumeric.",
		Example: `my-job:
  script: pytest
  services:
    - alias: my_db   # underscore is not valid in a DNS label`,
		Fix: `my-job:
  script: pytest
  services:
    - name: postgres:15
      alias: my-db`,
	},
	RuleAbsoluteGlobPath: {
		Title:    "'rules:changes' or 'rules:exists' uses absolute path",
		Severity: Warning,
		Description: "Paths in 'rules:changes' and 'rules:exists' are always relative " +
			"to the repository root. An absolute path starting with '/' will never " +
			"match any file and will silently disable the rule.",
		Example: `my-job:
  rules:
    - changes:
        - /src/**/*.go   # absolute — will never match
  script: make`,
		Fix: `my-job:
  rules:
    - changes:
        - src/**/*.go
  script: make`,
	},
	RuleInvalidTimeout: {
		Title:    "'timeout:' is not a valid duration string",
		Severity: Error,
		Description: "'timeout:' must be a GitLab CI duration string composed of " +
			"recognised time units: weeks (w), days (d), hours (h), minutes (m/min), " +
			"seconds (s). Examples: '1h 30m', '90 minutes', '2 hours'.",
		Example: `my-job:
  timeout: "1:30:00"   # colon-separated format not supported
  script: long-running-task.sh`,
		Fix: `my-job:
  timeout: 1h 30m
  script: long-running-task.sh`,
	},
	RuleInvalidIDToken: {
		Title:    "'id_tokens:' entry missing required 'aud:' key",
		Severity: Error,
		Description: "Each entry under 'id_tokens:' must be a map with an 'aud:' " +
			"(audience) key. Without 'aud:' GitLab cannot generate the ID token " +
			"and the job will fail.",
		Example: `my-job:
  id_tokens:
    MY_TOKEN:
      # missing aud:
  script: vault-login.sh`,
		Fix: `my-job:
  id_tokens:
    MY_TOKEN:
      aud: https://vault.example.com
  script: vault-login.sh`,
	},
	RuleInvalidSecret: {
		Title:    "'secrets:' entry missing a provider key",
		Severity: Error,
		Description: "Each entry under 'secrets:' must specify a provider: one of " +
			"'vault:', 'gcp_secret_manager:', or 'azure_key_vault:'. Without a " +
			"provider GitLab cannot retrieve the secret.",
		Example: `my-job:
  secrets:
    DB_PASSWORD:
      path: secret/db/password   # no provider key
  script: run.sh`,
		Fix: `my-job:
  secrets:
    DB_PASSWORD:
      vault:
        engine:
          name: kv-v2
          path: secret
        path: db/password
        field: password
  script: run.sh`,
	},
	RulePagesPublish: {
		Title:    "'pages:' keyword publish directory missing from 'artifacts.paths'",
		Severity: Warning,
		Description: "A job using the 'pages:' keyword must include its publish " +
			"directory in 'artifacts.paths'. Without this, GitLab Pages will not " +
			"deploy the site.",
		Example: `my-pages-job:
  script: hugo
  pages:
    publish: public
  artifacts:
    paths:
      - dist/   # missing public/`,
		Fix: `my-pages-job:
  script: hugo
  pages:
    publish: public
  artifacts:
    paths:
      - public/`,
	},
	RuleDuplicateStage: {
		Title:    "duplicate stage name in 'stages:'",
		Severity: Warning,
		Description: "A stage name appears more than once in the 'stages:' list. " +
			"GitLab silently merges duplicate stage entries, which can make the " +
			"pipeline order confusing.",
		Example: `stages:
  - build
  - test
  - test   # duplicate`,
		Fix: `stages:
  - build
  - test`,
	},
	RuleInvalidCacheKeyFiles: {
		Title:    "'cache.key.files' contains a glob pattern",
		Severity: Warning,
		Description: "'cache.key.files' must be a list of exact file paths. Glob " +
			"patterns (*, ?, [...]) are not expanded — the literal glob string is " +
			"used as the cache key, which probably doesn't match your intent.",
		Example: `my-job:
  script: npm ci
  cache:
    key:
      files:
        - package*.json   # glob — use exact path`,
		Fix: `my-job:
  script: npm ci
  cache:
    key:
      files:
        - package.json
        - package-lock.json`,
	},
	RuleStaticDeadRules: {
		Title:    "rules:if: block statically never activates",
		Severity: Warning,
		Description: "Every 'rules:if:' condition in this job evaluates to false " +
			"using the variable values declared in the pipeline YAML. The job will " +
			"never be included in any pipeline run. This check only fires when ALL " +
			"referenced variables are declared in the YAML (predefined CI_* variables " +
			"are not evaluated to avoid false positives).",
		Example: `variables:
  ENABLE_DEPLOY: "false"
deploy:
  rules:
    - if: '$ENABLE_DEPLOY == "true"'   # always false: ENABLE_DEPLOY is "false"
  script: ./deploy.sh`,
		Fix: `variables:
  ENABLE_DEPLOY: "true"   # fix the variable value
deploy:
  rules:
    - if: '$ENABLE_DEPLOY == "true"'
  script: ./deploy.sh
# Or add an unconditional fallback:
deploy:
  rules:
    - if: '$ENABLE_DEPLOY == "true"'
    - when: manual   # allow manual trigger as a fallback
  script: ./deploy.sh`,
	},
	RuleInheritNoDefault: {
		Title:    "'inherit: default:' declared but no 'default:' block",
		Severity: Warning,
		Description: "A job declares 'inherit: default:' but the pipeline has no " +
			"'default:' block, so the declaration has no effect. This can also fire " +
			"when 'inherit: default: [list]' names fields that are not set in the " +
			"'default:' block.",
		Example: `# No default: block exists
my-job:
  inherit:
    default: false   # no-op: nothing to opt out of
  script: echo hi`,
		Fix: `# Either add a default: block...
default:
  before_script:
    - source venv/bin/activate
my-job:
  inherit:
    default: false
  script: echo hi
# ...or remove the pointless inherit: declaration
my-job:
  script: echo hi`,
	},
}
@@ -0,0 +1,104 @@
package linter
import (
	"git.k3nny.fr/glint/internal/cicontext"
	"git.k3nny.fr/glint/internal/model"
)
// checkRulesIfReachability (GL042): warn when every rule in a job's rules: block
// can be statically proven to never activate given the values of variables
// declared in the pipeline YAML. Only fires when ALL variables referenced by the
// rules:if: expressions are declared in the pipeline or job variables: blocks —
// predefined CI_* / GITLAB_* variables or variables not declared in YAML are
// treated as unknown (could have any runtime value) so the check is skipped
// conservatively to avoid false positives.
func checkRulesIfReachability(p *model.Pipeline) []Finding {
	if len(p.Jobs) == 0 {
		return nil
	}
	// Collect scalar string values from pipeline-level variables.
	pipelineVars := make(map[string]string, len(p.Variables))
	for k, v := range p.Variables {
		if s, ok := cicontext.ScalarString(v); ok {
			pipelineVars[k] = s
		}
	}
	var findings []Finding
	for name, job := range p.Jobs {
		if len(job.Rules) == 0 {
			continue
		}
		// Merge pipeline vars with job-level variable overrides.
		jobVars := make(map[string]string, len(pipelineVars)+len(job.Variables))
		for k, v := range pipelineVars {
			jobVars[k] = v
		}
		for k, v := range job.Variables {
			if s, ok := cicontext.ScalarString(v); ok {
				jobVars[k] = s
			}
		}
		if f := evalRulesReachability(name, job, jobVars); f != nil {
			findings = append(findings, *f)
		}
	}
	return findings
}
// evalRulesReachability returns a GL042 finding when the job's rules: block
// can never activate given the provided variable map, or nil if the job
// might activate (or the check cannot be applied conservatively).
func evalRulesReachability(name string, job model.Job, jobVars map[string]string) *Finding {
	lookup := func(k string) string { return jobVars[k] }
	for _, rule := range job.Rules {
		// Explicit when: never — this rule is provably dead; continue.
		if rule.When == "never" {
			continue
		}
		// No if: condition → this rule always matches → job CAN activate.
		if rule.If == "" {
			return nil
		}
		// Check whether all variables referenced in the if: expression are
		// declared in the pipeline YAML. If any are not declared (predefined
		// CI vars, project settings, etc.), we cannot evaluate the expression
		// and must conservatively assume the job might activate.
		refs := extractIfVars(rule.If)
		allDeclared := true
		for _, ref := range refs {
			if _, ok := jobVars[ref]; !ok {
				// Variable not in YAML (predefined or unknown) → cannot evaluate.
				allDeclared = false
				break
			}
		}
		if !allDeclared {
			return nil // conservative: job might activate
		}
		// All referenced variables are declared; evaluate the expression.
		// Use strict mode (unparse → false) to avoid matching unparseable expressions.
		if cicontext.EvalIfStrict(rule.If, lookup) {
			// This rule's condition evaluates to true → job CAN activate.
			return nil
		}
		// Expression evaluated to false → this rule cannot activate; continue.
	}
	// No rule could activate the job.
	return &Finding{
		Severity: Warning,
		Rule:     RuleStaticDeadRules,
		Job:      name,
		File:     job.File,
		Line:     job.Line,
		Message:  "rules: block can never activate: all if: conditions evaluate to false given the declared pipeline variables",
	}
}
@@ -0,0 +1,152 @@
package linter
import (
	"testing"
	"git.k3nny.fr/glint/internal/model"
)
func TestCheckRulesIfReachability(t *testing.T) {
	makeJob := func(vars map[string]any, rules []model.Rule) model.Job {
		return model.Job{Variables: vars, Rules: rules}
	}
	cases := []struct {
		name        string
		pipelineVars map[string]any
		jobs        map[string]model.Job
		wantHit     []string // job names that should produce GL042
		wantMiss    []string // job names that should NOT produce GL042
	}{
		{
			name:         "declared var always false — GL042 fires",
			pipelineVars: map[string]any{"DEPLOY": "false"},
			jobs: map[string]model.Job{
				"deploy": makeJob(nil, []model.Rule{
					{If: `$DEPLOY == "true"`, When: "on_success"},
				}),
			},
			wantHit:  []string{"deploy"},
			wantMiss: nil,
		},
		{
			name:         "declared var matches — no finding",
			pipelineVars: map[string]any{"DEPLOY": "true"},
			jobs: map[string]model.Job{
				"deploy": makeJob(nil, []model.Rule{
					{If: `$DEPLOY == "true"`, When: "on_success"},
				}),
			},
			wantHit:  nil,
			wantMiss: []string{"deploy"},
		},
		{
			name:         "predefined CI_ var — skip check conservatively",
			pipelineVars: nil,
			jobs: map[string]model.Job{
				"branch-job": makeJob(nil, []model.Rule{
					{If: `$CI_COMMIT_BRANCH == "never-exists"`, When: "on_success"},
				}),
			},
			wantHit:  nil,
			wantMiss: []string{"branch-job"},
		},
		{
			name:         "undeclared var — skip check conservatively",
			pipelineVars: nil,
			jobs: map[string]model.Job{
				"my-job": makeJob(nil, []model.Rule{
					{If: `$UNKNOWN_VAR == "x"`, When: "on_success"},
				}),
			},
			wantHit:  nil,
			wantMiss: []string{"my-job"},
		},
		{
			name:         "unconditional rule — job can always activate",
			pipelineVars: map[string]any{"DEPLOY": "false"},
			jobs: map[string]model.Job{
				"my-job": makeJob(nil, []model.Rule{
					{If: `$DEPLOY == "true"`, When: "never"},
					{When: "on_success"},
				}),
			},
			wantHit:  nil,
			wantMiss: []string{"my-job"},
		},
		{
			name:         "all rules when:never — GL042 fires (not GL033 territory overlap)",
			pipelineVars: map[string]any{"DEPLOY": "false"},
			jobs: map[string]model.Job{
				"my-job": makeJob(nil, []model.Rule{
					{If: `$DEPLOY == "true"`, When: "on_success"},
					{When: "never"},
				}),
			},
			// Rule 1 evaluates to false; Rule 2 is explicit never → all dead.
			wantHit:  []string{"my-job"},
			wantMiss: nil,
		},
		{
			name:         "job-level var overrides pipeline var",
			pipelineVars: map[string]any{"FLAG": "false"},
			jobs: map[string]model.Job{
				"my-job": makeJob(map[string]any{"FLAG": "true"}, []model.Rule{
					{If: `$FLAG == "true"`, When: "on_success"},
				}),
			},
			// Job-level FLAG="true" makes the if: evaluate to true → no finding.
			wantHit:  nil,
			wantMiss: []string{"my-job"},
		},
		{
			name:         "no rules — nothing to check",
			pipelineVars: map[string]any{"DEPLOY": "false"},
			jobs: map[string]model.Job{
				"my-job": makeJob(nil, nil),
			},
			wantHit:  nil,
			wantMiss: []string{"my-job"},
		},
		{
			name:         "boolean variable evaluates correctly",
			pipelineVars: map[string]any{"FLAG": false}, // bool false
			jobs: map[string]model.Job{
				"my-job": makeJob(nil, []model.Rule{
					{If: `$FLAG == "true"`, When: "on_success"},
				}),
			},
			// ScalarString(false) → "false"; "false" == "true" → false → GL042 fires.
			wantHit:  []string{"my-job"},
			wantMiss: nil,
		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			p := &model.Pipeline{
				Variables: tc.pipelineVars,
				Jobs:      tc.jobs,
			}
			findings := checkRulesIfReachability(p)
			hitSet := make(map[string]bool)
			for _, f := range findings {
				if f.Rule == RuleStaticDeadRules {
					hitSet[f.Job] = true
				}
			}
			for _, want := range tc.wantHit {
				if !hitSet[want] {
					t.Errorf("expected GL042 for job %q but it was not reported; findings: %v", want, findings)
				}
			}
			for _, notWant := range tc.wantMiss {
				if hitSet[notWant] {
					t.Errorf("unexpected GL042 for job %q", notWant)
				}
			}
		})
	}
}
@@ -0,0 +1,112 @@
package linter
import (
	"fmt"
	"strings"
	"git.k3nny.fr/glint/internal/model"
)
// checkInheritCompleteness (GL043): warn when a job's 'inherit: default:'
// declaration is dead — either because there is no 'default:' block in the
// pipeline, or because the list form references fields that are not defined
// in the 'default:' block.
func checkInheritCompleteness(p *model.Pipeline) []Finding {
	var findings []Finding
	for name, job := range p.Jobs {
		findings = append(findings, checkJobInheritCompleteness(p, name, job)...)
	}
	return findings
}
func checkJobInheritCompleteness(p *model.Pipeline, name string, job model.Job) []Finding {
	if job.Inherit == nil {
		return nil
	}
	m, ok := job.Inherit.(map[string]any)
	if !ok {
		return nil
	}
	defaultVal, hasDefault := m["default"]
	if !hasDefault {
		return nil
	}
	// Case 1: no default: block at all — the entire declaration is a no-op.
	if p.Default == nil {
		return []Finding{{
			Severity: Warning,
			Rule:     RuleInheritNoDefault,
			Job:      name,
			File:     job.File,
			Line:     job.Line,
			Message:  "'inherit: default:' is declared but the pipeline has no 'default:' block — declaration has no effect",
		}}
	}
	// Case 2: list form — check for field names not set in default:.
	list, ok := defaultVal.([]any)
	if !ok {
		// bool form (true/false) with a non-nil default: block is always valid.
		return nil
	}
	var dead []string
	for _, item := range list {
		field, ok := item.(string)
		if !ok {
			continue
		}
		if !defaultBlockHasField(p.Default, field) {
			dead = append(dead, field)
		}
	}
	if len(dead) == 0 {
		return nil
	}
	return []Finding{{
		Severity: Warning,
		Rule:     RuleInheritNoDefault,
		Job:      name,
		File:     job.File,
		Line:     job.Line,
		Message: fmt.Sprintf(
			"'inherit: default: [%s]': %s not defined in the 'default:' block — %s",
			strings.Join(dead, ", "),
			pluralIs(len(dead)),
			"these entries have no effect",
		),
	}}
}
// defaultBlockHasField reports whether the given field name has a non-zero value
// in the default: block. Unknown field names return true (conservative).
func defaultBlockHasField(d *model.DefaultConfig, field string) bool {
	switch field {
	case "image":
		return d.Image != nil
	case "before_script":
		return d.BeforeScript != nil
	case "after_script":
		return d.AfterScript != nil
	case "cache":
		return d.Cache != nil
	case "artifacts":
		return d.Artifacts != nil
	case "retry":
		return d.Retry != nil
	case "timeout":
		return d.Timeout != ""
	case "tags":
		return len(d.Tags) > 0
	}
	// Unknown field name — conservatively assume it might be defined.
	return true
}
func pluralIs(n int) string {
	if n == 1 {
		return "this field is"
	}
	return "these fields are"
}
@@ -0,0 +1,94 @@
package linter
import (
	"testing"
	"git.k3nny.fr/glint/internal/model"
)
func TestCheckInheritCompleteness(t *testing.T) {
	cases := []struct {
		name    string
		default_ *model.DefaultConfig
		inherit any // job.Inherit value
		wantHit bool
	}{
		{
			name:    "no inherit — no finding",
			inherit: nil,
			wantHit: false,
		},
		{
			name:    "inherit: default: false, no default block — GL043",
			inherit: map[string]any{"default": false},
			wantHit: true,
		},
		{
			name:    "inherit: default: true, no default block — GL043",
			inherit: map[string]any{"default": true},
			wantHit: true,
		},
		{
			name:    "inherit: default: [image], no default block — GL043",
			inherit: map[string]any{"default": []any{"image"}},
			wantHit: true,
		},
		{
			name:     "inherit: default: false, default block exists — no finding",
			default_: &model.DefaultConfig{Image: "node:20"},
			inherit:  map[string]any{"default": false},
			wantHit:  false,
		},
		{
			name:     "inherit: default: [image], image in default — no finding",
			default_: &model.DefaultConfig{Image: "node:20"},
			inherit:  map[string]any{"default": []any{"image"}},
			wantHit:  false,
		},
		{
			name:     "inherit: default: [before_script], before_script NOT in default — GL043",
			default_: &model.DefaultConfig{Image: "node:20"},
			inherit:  map[string]any{"default": []any{"before_script"}},
			wantHit:  true,
		},
		{
			name:     "inherit: default: [image, before_script], only image in default — GL043 for before_script",
			default_: &model.DefaultConfig{Image: "node:20"},
			inherit:  map[string]any{"default": []any{"image", "before_script"}},
			wantHit:  true,
		},
		{
			name:     "inherit: variables only — no default check",
			default_: nil,
			inherit:  map[string]any{"variables": false},
			wantHit:  false,
		},
		{
			name:     "inherit: unknown field in list — conservative, no finding",
			default_: &model.DefaultConfig{Image: "node:20"},
			inherit:  map[string]any{"default": []any{"nonexistent_field"}},
			wantHit:  false, // unknown fields return true from defaultBlockHasField
		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			job := model.Job{Inherit: tc.inherit}
			p := &model.Pipeline{
				Default: tc.default_,
				Jobs:    map[string]model.Job{"test-job": job},
			}
			findings := checkInheritCompleteness(p)
			hit := false
			for _, f := range findings {
				if f.Rule == RuleInheritNoDefault {
					hit = true
				}
			}
			if hit != tc.wantHit {
				t.Errorf("GL043 hit=%v, want=%v; findings: %v", hit, tc.wantHit, findings)
			}
		})
	}
}
@@ -62,6 +62,8 @@ func Lint(p *model.Pipeline) []Finding {
	findings = append(findings, checkNeeds(p)...)
	findings = append(findings, checkDependencies(p)...)
	findings = append(findings, checkVariableRefs(p)...)
	findings = append(findings, checkRulesIfReachability(p)...)
	findings = append(findings, checkInheritCompleteness(p)...)
	slices.SortStableFunc(findings, func(a, b Finding) int {
		if c := cmp.Compare(a.File, b.File); c != 0 {
			return c
 
@@ -143,4 +143,15 @@ const (
	// GL041: cache.key.files contains a glob pattern; it must be a list of exact file paths.
	RuleInvalidCacheKeyFiles = "GL041"
	// GL042: every rules:if: condition in a job's rules: block evaluates to false
	// given the values of variables declared in the pipeline YAML, so the job can
	// never be active. Only fires when all referenced variables are declared
	// (predefined CI_* / GITLAB_* vars are not evaluated to avoid false positives).
	RuleStaticDeadRules = "GL042"
	// GL043: a job declares 'inherit: default:' (true, false, or list) but the
	// pipeline has no 'default:' block, making the declaration a no-op. Also fires
	// when 'inherit: default: [list]' names fields not set in the default: block.
	RuleInheritNoDefault = "GL043"
)
 
@@ -3,6 +3,7 @@ package model
import (
	"fmt"
	"os"
	"strings"
	"gopkg.in/yaml.v3"
)
@@ -60,6 +61,14 @@ func ParseBytes(data []byte) (*Pipeline, error) {
			continue
		}
		// Extract any inline suppression directive from the job's head or line comment.
		if rules := parseSuppressComment(keyNode.HeadComment, keyNode.LineComment); len(rules) > 0 {
			if p.Suppressions == nil {
				p.Suppressions = map[string][]string{}
			}
			p.Suppressions[key] = rules
		}
		var rawMap map[string]any
		if err := valNode.Decode(&rawMap); err != nil {
			return nil, fmt.Errorf("parsing raw job %q: %w", key, err)
@@ -78,6 +87,39 @@ func ParseBytes(data []byte) (*Pipeline, error) {
	return p, nil
}
// parseSuppressComment scans head/line comments from a YAML key node for a
// "# glint: ignore RULE [RULE ...]" directive. Returns the list of rule IDs
// to suppress (uppercased), or []string{"*"} for "# glint: ignore all".
// Returns nil when no directive is found.
func parseSuppressComment(headComment, lineComment string) []string {
	for _, raw := range []string{headComment, lineComment} {
		for _, line := range strings.Split(raw, "\n") {
			line = strings.TrimLeft(line, "# \t")
			if !strings.HasPrefix(line, "glint:") {
				continue
			}
			rest := strings.TrimSpace(strings.TrimPrefix(line, "glint:"))
			if !strings.HasPrefix(rest, "ignore") {
				continue
			}
			rest = strings.TrimSpace(strings.TrimPrefix(rest, "ignore"))
			if rest == "" || strings.EqualFold(rest, "all") {
				return []string{"*"}
			}
			var rules []string
			for _, part := range strings.FieldsFunc(rest, func(r rune) bool {
				return r == ',' || r == ' ' || r == '\t'
			}) {
				if p := strings.TrimSpace(part); p != "" {
					rules = append(rules, strings.ToUpper(p))
				}
			}
			return rules
		}
	}
	return nil
}
// sanitizeYAMLEscapes rewrites double-quoted YAML strings, replacing the \/
// escape sequence (unrecognised by gopkg.in/yaml.v3) with \\/ so that the
// parser produces a literal backslash+slash — preserving regex patterns like
 
@@ -0,0 +1,125 @@
package model
import "testing"
func TestParseSuppressComment(t *testing.T) {
	cases := []struct {
		name        string
		head        string
		line        string
		wantRules   []string
		wantNil     bool
	}{
		{
			name:    "no comment",
			head:    "",
			line:    "",
			wantNil: true,
		},
		{
			name:      "single rule head comment",
			head:      "# glint: ignore GL007",
			wantRules: []string{"GL007"},
		},
		{
			name:      "multiple rules comma-separated",
			head:      "# glint: ignore GL007, GL032",
			wantRules: []string{"GL007", "GL032"},
		},
		{
			name:      "multiple rules space-separated",
			head:      "# glint: ignore GL007 GL032",
			wantRules: []string{"GL007", "GL032"},
		},
		{
			name:      "ignore all",
			head:      "# glint: ignore all",
			wantRules: []string{"*"},
		},
		{
			name:      "ignore all bare",
			head:      "# glint: ignore",
			wantRules: []string{"*"},
		},
		{
			name:      "lowercase rule ID is uppercased",
			head:      "# glint: ignore gl007",
			wantRules: []string{"GL007"},
		},
		{
			name:      "line comment",
			head:      "",
			line:      "# glint: ignore GL004",
			wantRules: []string{"GL004"},
		},
		{
			name:    "unrelated comment",
			head:    "# This job deploys to production",
			wantNil: true,
		},
		{
			name:    "partial match - not a glint directive",
			head:    "# hint: ignore this",
			wantNil: true,
		},
		{
			name:      "multi-line head comment with directive on second line",
			head:      "# Some description\n# glint: ignore GL007",
			wantRules: []string{"GL007"},
		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got := parseSuppressComment(tc.head, tc.line)
			if tc.wantNil {
				if got != nil {
					t.Errorf("expected nil, got %v", got)
				}
				return
			}
			if len(got) != len(tc.wantRules) {
				t.Fatalf("got %v, want %v", got, tc.wantRules)
			}
			for i, r := range tc.wantRules {
				if got[i] != r {
					t.Errorf("[%d] got %q, want %q", i, got[i], r)
				}
			}
		})
	}
}
func TestParseBytes_Suppressions(t *testing.T) {
	yaml := `
stages:
  - build
# glint: ignore GL007
deprecated-job:
  stage: build
  only:
    - main
normal-job:
  stage: build
  script: echo ok
`
	p, err := ParseBytes([]byte(yaml))
	if err != nil {
		t.Fatalf("ParseBytes: %v", err)
	}
	if p.Suppressions == nil {
		t.Fatal("Suppressions is nil")
	}
	rules, ok := p.Suppressions["deprecated-job"]
	if !ok {
		t.Fatal("no suppression for deprecated-job")
	}
	if len(rules) != 1 || rules[0] != "GL007" {
		t.Errorf("rules = %v, want [GL007]", rules)
	}
	if _, ok := p.Suppressions["normal-job"]; ok {
		t.Error("normal-job should have no suppressions")
	}
}
@@ -12,6 +12,10 @@ type Pipeline struct {
	// Jobs holds every non-reserved top-level key (i.e. job definitions).
	Jobs    map[string]Job            `yaml:"-"`
	RawJobs map[string]map[string]any `yaml:"-"` // pre-resolution raw maps, used by the resolver
	// Suppressions maps job names to lists of suppressed rule IDs parsed from
	// "# glint: ignore RULE" comments in the pipeline YAML. Only populated for
	// the root pipeline file (not for included templates).
	Suppressions map[string][]string `yaml:"-"`
}
// SetJobOrigin sets the File field on all jobs that don't already have one.
 
@@ -0,0 +1,10 @@
stages:
  - build
# GL007 (only/except deprecated) would normally fire here, but the .glint.yml
# in this directory ignores GL007.
deprecated-job:
  stage: build
  only:
    - main
  script: echo ok
@@ -0,0 +1,2 @@
ignore:
  - GL007
@@ -0,0 +1,8 @@
stages:
  - build
# GL004 (undefined stage) is demoted to warning by .glint.yml, so the exit
# code must be 0 even though there is a finding.
bad-stage-job:
  stage: nonexistent
  script: echo hi
@@ -0,0 +1,2 @@
severity:
  GL004: warning
@@ -0,0 +1,15 @@
stages:
  - build
# glint: ignore GL007
suppressed-job:
  stage: build
  only:
    - main
  script: echo ok
still-flagged-job:
  stage: build
  only:
    - main
  script: echo ok
@@ -0,0 +1,26 @@
stages:
  - build
  - test
# No default: block — any inherit: default: declaration is a no-op.
# GL043: inherit: default: false but no default: block.
isolated-job:
  stage: build
  inherit:
    default: false
  script: echo isolated
# GL043: inherit: default: [list] but no default: block.
selective-inherit-job:
  stage: test
  inherit:
    default: [image, tags]
  script: echo selective
# Not GL043: inherit only touches variables: (no default: check needed).
vars-inherit-job:
  stage: test
  inherit:
    variables: false
  script: echo vars-only
@@ -0,0 +1,20 @@
stages:
  - build
  - test
default:
  image: node:20
# GL043: before_script is in the list but not defined in default:.
selective-bad:
  stage: build
  inherit:
    default: [image, before_script]   # before_script not in default:
  script: echo hi
# Not GL043: image IS defined in default: — list is valid.
selective-good:
  stage: test
  inherit:
    default: [image]
  script: echo hi
@@ -9,6 +9,10 @@ workflow:
      when: always
    - when: never
default:
  tags:
    - docker
variables:
  GO_VERSION: "1.26"
 
@@ -0,0 +1,48 @@
stages:
  - deploy
  - test
variables:
  DEPLOY: "false"
  SKIP_TEST: "true"
# GL042: both if: conditions always evaluate to false given the declared variables.
always-dead-deploy:
  stage: deploy
  rules:
    - if: '$DEPLOY == "true"'
      when: on_success
  script: echo deploy
# GL042: if: is false, explicit when:on_success rule — still never fires.
always-dead-test:
  stage: test
  rules:
    - if: '$SKIP_TEST == "false"'
      when: on_success
  script: echo test
# Not GL042: references a predefined CI_ variable → unknown value → skip check.
predefined-var-job:
  stage: test
  rules:
    - if: '$CI_COMMIT_BRANCH == "nonexistent-branch"'
      when: on_success
  script: echo branch
# Not GL042: has an unconditional rule (no if: → always matches).
unconditional-job:
  stage: test
  rules:
    - if: '$DEPLOY == "true"'
      when: never
    - when: on_success
  script: echo always
# Not GL042: references undeclared variable → unknown → conservative.
undeclared-var-job:
  stage: test
  rules:
    - if: '$UNDECLARED_VAR == "something"'
      when: on_success
  script: echo undeclared
Author	SHA1	Message	Date
k3nny	7f7e2bf77b	docs(docs): release v0.2.20 ci / vet, staticcheck, test, build (push) Successful in 1m52s Details release / Build and publish release (push) Successful in 1m17s Details Add FEATURES.md and USAGE.md entries to the [0.2.20] changelog section. No code changes — documentation reorganisation only. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-14 11:17:27 +02:00
k3nny	e13455a629	docs(docs): extract usage examples to USAGE.md, trim README Move all command-by-command reference (output formats, context simulation, remote includes, cache/offline, component format, graph modes, explain, project config, inline suppression, example output) from README.md into a new USAGE.md. Replace the 326-line Usage section in README with the commands block and a single link to USAGE.md. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-14 11:13:02 +02:00
k3nny	b8e640de03	docs(docs): extract features to FEATURES.md, trim README The README features block grew to 38 bullets plus a full lint-rules table, making the document hard to scan. This commit: - Creates FEATURES.md with a structured reference covering lint rules (GL001–GL043 tables), include resolution, context simulation, output formats, configuration, graph visualization, and developer tools. - Replaces the flat bullet list in README with a 6-line "What it does" category summary that links to FEATURES.md and ROADMAP.md. - Removes the redundant ## Lint rules section from README (now in FEATURES.md). - Adds 'explain' to the commands block in the README Usage section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-14 11:07:51 +02:00
k3nny	4ce7f86d4d	feat(linter): glint explain, GL042 rules:if: reachability, GL043 inherit completeness - `glint explain <RULE>`: new subcommand printing rule description, rationale, bad-YAML example and fix for every GL001–GL043 rule. `glint explain` (no arg) lists all rules with ID, severity, title. Rule IDs are case-insensitive. - GL042 (rules:if: evaluated reachability): warns when every rules:if: condition evaluates to false given the values of variables declared in the pipeline YAML, making the job statically unreachable. Conservative: only fires when all referenced variables are declared in YAML; predefined CI_* / GITLAB_* variables are skipped to avoid false positives. - GL043 (inherit: completeness): warns when inherit: default: is declared but there is no default: block in the pipeline (dead declaration), or when the list form names fields not set in the default: block. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-14 11:02:23 +02:00
k3nny	02d8e63a98	feat(cli): .glint.yml config and inline suppression comments ci / vet, staticcheck, test, build (push) Successful in 2m25s Details release / Build and publish release (push) Successful in 1m24s Details Adds project-level configuration and per-job suppression directives: .glint.yml (searched from pipeline dir up to the git root): - ignore: [GL007, GL032] — suppress rules globally for the project - severity: {GL004: warning} — override rule severity (error/warning/ignore) - stages: [quality] — extra stages beyond the pipeline's stages: block - token: / url: / cache_dir: — defaults for flags; lower priority than CLI flags and environment variables Inline suppression (# glint: ignore): - Place "# glint: ignore GL007" immediately before a job definition to suppress that rule for the specific job only - Multiple rules: "# glint: ignore GL007, GL032" (comma or space separated) - Wildcard: "# glint: ignore all" suppresses every finding for the job - Suppressions are scoped to the annotated job; pipeline-level findings are unaffected - Parsed from yaml.Node head/line comments in the first parse pass; stored in Pipeline.Suppressions (root file only, not includes) New packages: internal/config (Load, walk-up search, .git boundary stop) New files: cmd/glint/filter.go (applyConfig, isSuppressed helpers) Tests: config_test.go, parser_suppress_test.go, filter_test.go Validate fixtures: testdata/config_ignored/, config_severity/, config_suppress/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-14 10:23:33 +02:00