Compare commits

..

4 Commits

Author SHA1 Message Date
k3nny 7f404f3492 docs(docs): update README, CHANGELOG, ROADMAP, Taskfile for v0.3.0
ci / vet, staticcheck, test, build (push) Failing after 2m10s
release / Build and publish release (push) Successful in 1m12s
Document glint render, --no-warn, exit codes 2/10, --no-skipped, and
colorized output. Fix Taskfile validate entries: fixtures that now exit
10 (warnings only) require ignore_error: true to pass the validate task.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 22:35:55 +02:00
k3nny 1615655c00 feat(cli): --no-warn, new exit codes, glint render, and graph --no-skipped
Exit codes (breaking change from exit 1):
- 0  clean (no findings)
- 2  one or more errors
- 10 one or more warnings, no errors
Errors take precedence over warnings.

glint check --no-warn:
  Discard warning findings before output and exit-code calculation.
  Mixed pipelines (errors + warnings) still exit 2 but only errors print.
  Warnings-only pipelines exit 0 with "OK" when --no-warn is set.

glint render <PIPELINE>:
  New subcommand. Resolves all include: and extends: chains, then writes
  a single flat .gitlab-ci.yml (default: rendered.gitlab-ci.yml, or
  stdout with --output -). Strips consumed keys (include:, extends:).
  Template jobs (.) are retained. Flags: --output, --token, --gitlab-url,
  --cache-dir, --offline, --proxy (all with .glint.yml fallback).
  To support render, Resolve() now writes the merged raw map back to
  p.RawJobs[name] and also preserves j.Column from the original job.

glint graph --no-skipped:
  Removes jobs that evaluate to JobSkipped in the given context before
  any graph function sees the pipeline. Works for tree, pipeline (SVG,
  HTML, Mermaid), includes, and all modes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 22:27:12 +02:00
k3nny 8c3605ed52 feat(cli): colorized, columnized text output with line:col locations
Replace the per-line fmt.Println loop with writeTextFindings() in
cmd/glint/output.go. The new renderer:

- Aligns all findings into four space-separated columns: location,
  rule ID, severity, message — widths computed from the full finding
  set so all lines are flush
- Colors severity words when stdout is a TTY and NO_COLOR is not set:
  red+bold for "error", orange+bold for "warning"; location dimmed;
  rule ID bold
- Formats location as file:line:col when column is known, file:line
  otherwise, falling back to just file

To populate column numbers, add Column int to model.Job (set from
keyNode.Column in the YAML parser) and Finding.Column (set during
the checkJob source-location attachment pass and in the ten cross-job
check sites that explicitly set Line: job.Line).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 22:13:52 +02:00
k3nny f79c64cd44 feat(security): security hardening, proxy support, and GL045 HTTP include warning
ci / vet, staticcheck, test, build (push) Failing after 2m32s
release / Build and publish release (push) Successful in 1m17s
Security fixes:
- Path traversal guard in include: local: — paths with ../ that escape
  the repo root are rejected instead of reading arbitrary host files
- HTTP timeout (30 s) on all fetcher requests to prevent indefinite hangs
- Response size cap (10 MiB) via io.LimitReader to prevent memory exhaustion
- Cache directory and file permissions tightened to 0700/0600
- LSP Content-Length cap (64 MiB) to guard against DoS from a malicious client

New feature:
- --proxy flag on check, graph, and lsp subcommands; also proxy: key in
  .glint.yml; overrides system HTTP_PROXY / HTTPS_PROXY env vars when set;
  cmdGraph and cmdLSP now also load .glint.yml for proxy/token/url fallbacks

New lint rule:
- GL045 (Warning): include: remote: using plain http:// instead of https://

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 21:52:57 +02:00
33 changed files with 950 additions and 72 deletions
+38
View File
@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
This project uses [Semantic Versioning](https://semver.org). This project uses [Semantic Versioning](https://semver.org).
## [0.3.0] - 2026-06-26
### Added
- **`glint render` subcommand** — resolves all `include:` and `extends:` chains and writes the fully flattened pipeline to a single YAML file (default: `rendered.gitlab-ci.yml`; use `--output -` for stdout). Strips the consumed `include:` and `extends:` keys; retains template jobs (`.name`). Accepts the same network flags as `glint check` (`--token`, `--gitlab-url`, `--cache-dir`, `--offline`, `--proxy`). Useful for inspecting what GitLab CI actually sees or running further local tooling.
- **`glint check --no-warn`** — discard all warning findings before output and exit-code calculation. Mixed pipelines (errors + warnings) still exit 2 but only errors are printed. Warnings-only pipelines report "OK" and exit 0.
- **`glint graph --no-skipped`** — remove jobs that evaluate to `skipped` in the given context (or the implicit `branch=main` default) from all graph output: tree, SVG, HTML, and Mermaid.
- **Colorized, columnized text output** — `glint check` (text format) now renders findings in four aligned columns: location, rule ID, severity, message. `error` is printed in bold red; `warning` in bold orange. Colors are auto-detected (stdout must be a terminal) and suppressed when `NO_COLOR` is set. Location uses `file:line:col` format when column information is available.
- **`line:col` locations** — `Column int` added to `model.Job` (set from the YAML parser's `yaml.Node.Column`) and propagated to `Finding.Column` across all linter rules. Plain-text and `Finding.String()` now emit `file:line:col` when column is known.
### Changed
- **Exit codes** *(breaking)*`glint check` now exits `2` when one or more error findings are present (previously `1`) and `10` when findings contain only warnings. Exit `0` remains for a clean pipeline. Errors take precedence over warnings. Scripts that test `[ $? -eq 1 ]` need to be updated to `[ $? -eq 2 ]`.
## [0.2.31] - 2026-06-26
### Added
- **Proxy support** — `--proxy <URL>` flag on `glint check`, `glint graph`, and `glint lsp`; also configurable via `proxy:` in `.glint.yml`. When set it takes precedence over `HTTP_PROXY` / `HTTPS_PROXY` env vars; when unset, system proxy settings are honoured automatically. Covers all remote include fetches and GitLab API calls.
- **GL045: HTTP remote include warning** — new pipeline-level lint rule that warns when `include: remote:` uses a plain `http://` URL. CI templates fetched over unencrypted HTTP are at risk of in-transit tampering; `https://` is always preferred.
### Fixed
- **Path traversal in local includes** — `include: local:` paths containing `../` sequences that would escape the repository root (e.g. `../../etc/passwd`) are now rejected with a warning instead of reading arbitrary files from the host.
- **HTTP timeout on remote fetches** — all HTTP calls in `internal/fetcher` now use a 30-second timeout; previously the client had no timeout and could hang indefinitely on slow or unresponsive servers.
- **Unbounded response size** — remote include and GitLab API responses are now capped at 10 MiB using `io.LimitReader`; previously an arbitrarily large response could exhaust process memory.
- **Cache file permissions** — the cache directory is created with mode `0700` (was `0755`) and cache files with `0600` (was `0644`), preventing other local users from reading cached GitLab tokens or pipeline content.
- **LSP Content-Length DoS** — `glint lsp` now rejects incoming messages whose `Content-Length` header exceeds 64 MiB, preventing memory exhaustion from a malicious or misbehaving LSP client.
## [0.2.30] - 2026-06-26 ## [0.2.30] - 2026-06-26
### Added ### Added
+8 -2
View File
@@ -7,7 +7,7 @@ For planned work see [ROADMAP.md](ROADMAP.md).
## Lint rules ## Lint rules
Every finding carries a stable rule ID (`GL001` `GL043`) that can be used to Every finding carries a stable rule ID (`GL001` `GL045`) that can be used to
suppress, filter, or look up the check. Run `glint explain <ID>` for a suppress, filter, or look up the check. Run `glint explain <ID>` for a
description, bad-YAML example, and fix. description, bad-YAML example, and fix.
@@ -19,6 +19,7 @@ description, bad-YAML example, and fix.
| GL002 | ERR | `workflow.rules[*].when` must be `always` or `never` | | GL002 | ERR | `workflow.rules[*].when` must be `always` or `never` |
| GL036 | ERR | `default.timeout` is not a valid GitLab CI duration string | | GL036 | ERR | `default.timeout` is not a valid GitLab CI duration string |
| GL040 | WARN | A stage name appears more than once in `stages:` | | GL040 | WARN | A stage name appears more than once in `stages:` |
| GL045 | WARN | `include: remote:` uses plain `http://` — CI templates fetched unencrypted; prefer `https://` |
### Job structure ### Job structure
@@ -243,9 +244,14 @@ url: https://gitlab.example.com
# Default cache directory. # Default cache directory.
cache_dir: ~/.cache/glint cache_dir: ~/.cache/glint
# HTTP proxy for remote includes and GitLab API calls.
# Overrides HTTP_PROXY / HTTPS_PROXY env vars when set.
# Leave empty to use system proxy settings.
proxy: http://proxy.example.com:8080
``` ```
**Priority chain:** `--token`/`--gitlab-url` flags > `.glint.yml` > environment variables. **Priority chain:** `--token`/`--gitlab-url`/`--proxy` flags > `.glint.yml` > environment variables.
### Inline suppression (`# glint: ignore`) ### Inline suppression (`# glint: ignore`)
+7 -6
View File
@@ -6,7 +6,7 @@
<p align="center"> <p align="center">
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a> <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a>
<a href="CHANGELOG.md"><img src="https://img.shields.io/badge/release-v0.2.30-blue.svg" alt="Release"></a> <a href="CHANGELOG.md"><img src="https://img.shields.io/badge/release-v0.3.0-blue.svg" alt="Release"></a>
</p> </p>
> **Disclaimer:** This tool was built through iterative AI-assisted development with [Claude](https://claude.ai). It is experimental, incomplete, and not intended for production use. Coverage of GitLab CI keywords is best-effort and may lag behind GitLab's evolving spec. Use it at your own discretion — no correctness guarantees are made. Contributions and bug reports are welcome. > **Disclaimer:** This tool was built through iterative AI-assisted development with [Claude](https://claude.ai). It is experimental, incomplete, and not intended for production use. Coverage of GitLab CI keywords is best-effort and may lag behind GitLab's evolving spec. Use it at your own discretion — no correctness guarantees are made. Contributions and bug reports are welcome.
@@ -15,12 +15,13 @@ A local tool to validate and lint `.gitlab-ci.yml` pipelines without needing a G
## What it does ## What it does
- **Lints** — 43 rules covering pipeline structure, keyword constraints, `needs:`/`dependencies:` graphs, expression reachability, and deprecations (GL001GL043); run `glint explain <ID>` for any rule - **Lints** — 45 rules covering pipeline structure, keyword constraints, `needs:`/`dependencies:` graphs, expression reachability, and deprecations (GL001GL045); run `glint explain <ID>` for any rule
- **Resolves includes** — local files, HTTPS URLs, GitLab project templates, and CI/CD Catalog components, with offline cache support - **Resolves includes** — local files, HTTPS URLs, GitLab project templates, and CI/CD Catalog components, with offline cache support and HTTP proxy support (`--proxy` flag or `proxy:` in `.glint.yml`)
- **Renders merged pipeline** — `glint render` resolves all includes and `extends:` chains into a single flat YAML file, matching what GitLab CI actually processes
- **Simulates context** — `--branch`, `--tag`, `--source` flags evaluate `rules:if:` and `only`/`except` to show which jobs would be active, manual, or skipped; `--context branch=main --context branch=develop` prints a multi-column comparison table across multiple contexts in one run - **Simulates context** — `--branch`, `--tag`, `--source` flags evaluate `rules:if:` and `only`/`except` to show which jobs would be active, manual, or skipped; `--context branch=main --context branch=develop` prints a multi-column comparison table across multiple contexts in one run
- **Multiple output formats** — `--format text` (default, ruff-style), `json`, `sarif` (GitHub Code Scanning / GitLab SAST), `junit`, `github` (PR annotations) - **Multiple output formats** — `--format text` (default, colorized and column-aligned), `json`, `sarif` (GitHub Code Scanning / GitLab SAST), `junit`, `github` (PR annotations); exits `2` on errors, `10` on warnings only
- **Project config** — `.glint.yml` for rule suppression, severity overrides, token/URL defaults; `# glint: ignore RULE` for per-job inline suppression - **Project config** — `.glint.yml` for rule suppression, severity overrides, token/URL/proxy defaults; `# glint: ignore RULE` for per-job inline suppression; `--no-warn` flag to suppress all warnings
- **Graph visualization** — `glint graph` prints a terminal job tree; `glint graph pipeline` renders a GitLab CI-style SVG/PNG; `--format mermaid` emits a Mermaid flowchart; `--format html` produces a self-contained HTML file with pan/zoom and a job-detail sidebar; context flags grey out skipped jobs - **Graph visualization** — `glint graph` prints a terminal job tree; `glint graph pipeline` renders a GitLab CI-style SVG/PNG; `--format mermaid` emits a Mermaid flowchart; `--format html` produces a self-contained HTML file with pan/zoom and a job-detail sidebar; `--no-skipped` hides jobs that would not run in the given context
- **LSP server** — `glint lsp` starts a Language Server Protocol server over stdin/stdout; connect with any LSP client to get inline diagnostics (rule ID as code, error/warning severity) in VS Code, Neovim, Emacs, JetBrains, etc. - **LSP server** — `glint lsp` starts a Language Server Protocol server over stdin/stdout; connect with any LSP client to get inline diagnostics (rule ID as code, error/warning severity) in VS Code, Neovim, Emacs, JetBrains, etc.
- **VS Code extension** — `editors/vscode/` wraps the LSP server; inline squiggles for every glint rule directly in the editor - **VS Code extension** — `editors/vscode/` wraps the LSP server; inline squiggles for every glint rule directly in the editor
+18
View File
@@ -53,6 +53,7 @@ The current rule set covers the most common sources of broken pipelines. These a
- [x] **Recursive include depth limit** — shipped v0.2.17; depth capped at 100 (matching GitLab); project/component includes now tracked in visited set to prevent cross-file cycles - [x] **Recursive include depth limit** — shipped v0.2.17; depth capped at 100 (matching GitLab); project/component includes now tracked in visited set to prevent cross-file cycles
- [x] **Offline mode / cache** — shipped v0.2.17; `--cache-dir DIR` persists fetched templates; `--offline` serves from cache only; default cache dir (`~/.cache/glint`) used automatically with `--offline` - [x] **Offline mode / cache** — shipped v0.2.17; `--cache-dir DIR` persists fetched templates; `--offline` serves from cache only; default cache dir (`~/.cache/glint`) used automatically with `--offline`
- [x] **`include: inputs:`** — shipped v0.2.17; `$[[ inputs.KEY ]]` and `$[[ inputs.KEY | default(…) ]]` placeholders in fetched component YAML are substituted from the include's `with:` block before parsing - [x] **`include: inputs:`** — shipped v0.2.17; `$[[ inputs.KEY ]]` and `$[[ inputs.KEY | default(…) ]]` placeholders in fetched component YAML are substituted from the include's `with:` block before parsing
- [x] **`glint render` subcommand** — shipped v0.3.0; resolves all `include:` and `extends:` chains into a single flat YAML file; strips consumed keys; accepts same network flags as `glint check`; default output `rendered.gitlab-ci.yml`, use `--output -` for stdout
--- ---
@@ -79,6 +80,7 @@ The SVG renderer and terminal tree cover the basic layout. These would bring it
- [x] **Mermaid pipeline output** — shipped v0.2.25; `glint graph pipeline --format mermaid` prints a Mermaid flowchart to stdout (paste into mermaid.live) - [x] **Mermaid pipeline output** — shipped v0.2.25; `glint graph pipeline --format mermaid` prints a Mermaid flowchart to stdout (paste into mermaid.live)
- [x] **Same-stage job ordering** — shipped v0.2.26; jobs within a stage that have `needs:` between each other are placed in topological sub-columns (left-to-right by depth); stage header spans all sub-columns - [x] **Same-stage job ordering** — shipped v0.2.26; jobs within a stage that have `needs:` between each other are placed in topological sub-columns (left-to-right by depth); stage header spans all sub-columns
- [x] **Graph links rendered behind job chips** — shipped v0.2.26; SVG connectors (Bézier curves and bus-bar stubs) are drawn before job chips so lines pass behind rectangles - [x] **Graph links rendered behind job chips** — shipped v0.2.26; SVG connectors (Bézier curves and bus-bar stubs) are drawn before job chips so lines pass behind rectangles
- [x] **`glint graph --no-skipped`** — shipped v0.3.0; removes jobs evaluated as `skipped` in the given context from tree, SVG, HTML, and Mermaid output
--- ---
@@ -86,6 +88,8 @@ The SVG renderer and terminal tree cover the basic layout. These would bring it
- [x] **File and line numbers on findings** — shipped post-v0.2.0; every finding includes the source file and exact line of the job key; works across local includes, remote project templates, and fetched component templates - [x] **File and line numbers on findings** — shipped post-v0.2.0; every finding includes the source file and exact line of the job key; works across local includes, remote project templates, and fetched component templates
- [x] **Ruff-style output format** — shipped v0.2.11; findings follow `file:line: RULEID [severity] message` matching the convention used by ruff and other modern linters - [x] **Ruff-style output format** — shipped v0.2.11; findings follow `file:line: RULEID [severity] message` matching the convention used by ruff and other modern linters
- [x] **Colorized, columnized text output** — shipped v0.3.0; four aligned columns (location, rule, severity, message); `error` in bold red, `warning` in bold orange; auto-detected terminal color (respects `NO_COLOR`)
- [x] **`line:col` locations** — shipped v0.3.0; `Column int` on `model.Job` and `Finding`; text output and `Finding.String()` emit `file:line:col` when column is known
- [x] **`needs: optional: true` false-positive errors** — shipped post-v0.2.0; optional missing needs are downgraded to `[WARNING]` - [x] **`needs: optional: true` false-positive errors** — shipped post-v0.2.0; optional missing needs are downgraded to `[WARNING]`
- [x] **`extends:` jobs with missing script false errors** — shipped post-v0.2.0; jobs using `extends:` that have no `script` after resolution emit `[WARNING]` (the script may come from an unfetchable remote base) - [x] **`extends:` jobs with missing script false errors** — shipped post-v0.2.0; jobs using `extends:` that have no `script` after resolution emit `[WARNING]` (the script may come from an unfetchable remote base)
- [x] **`rules:if:` static reachability (GL042)** — shipped v0.2.20; warns when all `rules:if:` conditions evaluate to false given declared variable values (only fires when all referenced vars are declared in YAML) - [x] **`rules:if:` static reachability (GL042)** — shipped v0.2.20; warns when all `rules:if:` conditions evaluate to false given declared variable values (only fires when all referenced vars are declared in YAML)
@@ -106,6 +110,18 @@ The SVG renderer and terminal tree cover the basic layout. These would bring it
- [x] **`.glint.yml` config file** — shipped v0.2.19; `ignore:`, `severity:`, `stages:`, `token:`, `url:`, `cache_dir:`; searched from the pipeline directory up to the git root - [x] **`.glint.yml` config file** — shipped v0.2.19; `ignore:`, `severity:`, `stages:`, `token:`, `url:`, `cache_dir:`; searched from the pipeline directory up to the git root
- [x] **Inline suppression comments** — shipped v0.2.19; `# glint: ignore GL007` before a job definition; comma/space-separated rules; `# glint: ignore all` wildcard - [x] **Inline suppression comments** — shipped v0.2.19; `# glint: ignore GL007` before a job definition; comma/space-separated rules; `# glint: ignore all` wildcard
- [x] **Proxy support** — shipped v0.2.31; `--proxy` flag on `check`, `graph`, and `lsp` subcommands; also configurable via `proxy:` in `.glint.yml`; overrides `HTTP_PROXY` / `HTTPS_PROXY` env vars when set
---
## Security & hardening
- [x] **Path traversal guard for local includes** — shipped v0.2.31; `include: local:` paths containing `../../` or similar sequences are rejected instead of reading files outside the repository root
- [x] **HTTP timeout on remote fetches** — shipped v0.2.31; all HTTP calls via the fetcher use a 30-second timeout to prevent indefinite hangs on slow or unresponsive servers
- [x] **Unbounded response size cap** — shipped v0.2.31; remote include and GitLab API responses are capped at 10 MiB; responses exceeding the limit are rejected to prevent memory exhaustion
- [x] **Cache file permissions** — shipped v0.2.31; cache directories are created with mode `0700` and cache files with mode `0600`; previously used world-readable `0755`/`0644`
- [x] **GL045: HTTP remote include warning** — shipped v0.2.31; warns when `include: remote:` uses a plain `http://` URL; CI templates fetched unencrypted are at risk of tampering
- [x] **LSP Content-Length DoS cap** — shipped v0.2.31; `glint lsp` rejects messages with `Content-Length` exceeding 64 MiB to prevent memory exhaustion from a malicious client
--- ---
@@ -117,3 +133,5 @@ The SVG renderer and terminal tree cover the basic layout. These would bring it
- [x] **Subcommand CLI** — shipped v0.2.0 (2026-06-11); `glint check` / `glint graph [mode]` with ruff-style `--help` - [x] **Subcommand CLI** — shipped v0.2.0 (2026-06-11); `glint check` / `glint graph [mode]` with ruff-style `--help`
- [x] **Changelog automation** — shipped v0.2.27; `cliff.toml` configures git-cliff to produce Keep-a-Changelogcompatible release notes from Conventional Commits; `task changelog` regenerates `CHANGELOG.md`, `task changelog-next` previews unreleased entries - [x] **Changelog automation** — shipped v0.2.27; `cliff.toml` configures git-cliff to produce Keep-a-Changelogcompatible release notes from Conventional Commits; `task changelog` regenerates `CHANGELOG.md`, `task changelog-next` previews unreleased entries
- [x] **Fuzz testing** — shipped v0.2.27; `FuzzParseBytes` and `FuzzSanitizeYAMLEscapes` in `internal/model/fuzz_test.go`; seeds run as regular tests in CI; `task fuzz` runs them continuously (default 30 s) - [x] **Fuzz testing** — shipped v0.2.27; `FuzzParseBytes` and `FuzzSanitizeYAMLEscapes` in `internal/model/fuzz_test.go`; seeds run as regular tests in CI; `task fuzz` runs them continuously (default 30 s)
- [x] **`glint check --no-warn`** — shipped v0.3.0; discards all warning findings before output and exit-code calculation; mixed pipelines (errors + warnings) still exit 2 but only errors are printed; warnings-only pipelines exit 0
- [x] **Exit codes 2 / 10** *(breaking)* — shipped v0.3.0; `glint check` exits `2` when errors are present (previously `1`) and `10` when findings contain only warnings; exit `0` for clean
+16 -14
View File
@@ -68,31 +68,31 @@ tasks:
- cmd: ./{{.BINARY}} check --branch feat/x testdata/rules_if_expr.yml - cmd: ./{{.BINARY}} check --branch feat/x testdata/rules_if_expr.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/workflow_vars.yml - cmd: ./{{.BINARY}} check testdata/workflow_vars.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check --branch main testdata/workflow_vars.yml - cmd: ./{{.BINARY}} check --branch main testdata/workflow_vars.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check --branch develop testdata/workflow_vars.yml - cmd: ./{{.BINARY}} check --branch develop testdata/workflow_vars.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check --branch feat/x testdata/workflow_vars.yml - cmd: ./{{.BINARY}} check --branch feat/x testdata/workflow_vars.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/workflow_escape.yml - cmd: ./{{.BINARY}} check testdata/workflow_escape.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/variable_refs.yml - cmd: ./{{.BINARY}} check testdata/variable_refs.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/variable_refs_included.yml - cmd: ./{{.BINARY}} check testdata/variable_refs_included.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/dead_rules.yml - cmd: ./{{.BINARY}} check testdata/dead_rules.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/new_rules_valid.yml - cmd: ./{{.BINARY}} check testdata/new_rules_valid.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/new_rules_invalid.yml - cmd: ./{{.BINARY}} check testdata/new_rules_invalid.yml
ignore_error: true ignore_error: true
- cmd: ./{{.BINARY}} check testdata/samba/.gitlab-ci.yml - cmd: ./{{.BINARY}} check testdata/samba/.gitlab-ci.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/samba/.gitlab-ci-coverage.yml - cmd: ./{{.BINARY}} check testdata/samba/.gitlab-ci-coverage.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/samba/.gitlab-ci-private.yml - cmd: ./{{.BINARY}} check testdata/samba/.gitlab-ci-private.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check --format json testdata/valid.yml - cmd: ./{{.BINARY}} check --format json testdata/valid.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check --format sarif testdata/valid.yml - cmd: ./{{.BINARY}} check --format sarif testdata/valid.yml
@@ -104,15 +104,15 @@ tasks:
- cmd: ./{{.BINARY}} check testdata/config_ignored/.gitlab-ci.yml - cmd: ./{{.BINARY}} check testdata/config_ignored/.gitlab-ci.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/config_severity/.gitlab-ci.yml - cmd: ./{{.BINARY}} check testdata/config_severity/.gitlab-ci.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/config_suppress/.gitlab-ci.yml - cmd: ./{{.BINARY}} check testdata/config_suppress/.gitlab-ci.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/static_dead_rules.yml - cmd: ./{{.BINARY}} check testdata/static_dead_rules.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/inherit_dead.yml - cmd: ./{{.BINARY}} check testdata/inherit_dead.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/inherit_dead_fields.yml - cmd: ./{{.BINARY}} check testdata/inherit_dead_fields.yml
ignore_error: false ignore_error: true
- cmd: ./{{.BINARY}} check testdata/rules_needs_valid.yml - cmd: ./{{.BINARY}} check testdata/rules_needs_valid.yml
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/rules_needs_invalid.yml - cmd: ./{{.BINARY}} check testdata/rules_needs_invalid.yml
@@ -123,6 +123,8 @@ tasks:
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} explain GL044 - cmd: ./{{.BINARY}} explain GL044
ignore_error: false ignore_error: false
- cmd: ./{{.BINARY}} check testdata/insecure_remote_include.yml
ignore_error: true
- cmd: ./{{.BINARY}} explain - cmd: ./{{.BINARY}} explain
ignore_error: false ignore_error: false
+32 -3
View File
@@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"os" "os"
"git.k3nny.fr/glint/internal/config"
"git.k3nny.fr/glint/internal/fetcher" "git.k3nny.fr/glint/internal/fetcher"
"git.k3nny.fr/glint/internal/lsp" "git.k3nny.fr/glint/internal/lsp"
) )
@@ -15,6 +16,7 @@ func cmdLSP(args []string) {
gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)") gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)")
cacheDir := fs.String("cache-dir", "", "directory for caching fetched remote includes") cacheDir := fs.String("cache-dir", "", "directory for caching fetched remote includes")
offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir") offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir")
proxy := fs.String("proxy", "", "HTTP proxy URL for remote includes and GitLab API calls (e.g. http://proxy:8080); overrides system proxy env vars")
fs.Usage = func() { fs.Usage = func() {
fmt.Fprintf(os.Stderr, "glint %s\n\n", version) fmt.Fprintf(os.Stderr, "glint %s\n\n", version)
fmt.Fprint(os.Stderr, `Start a Language Server Protocol server for .gitlab-ci.yml files. fmt.Fprint(os.Stderr, `Start a Language Server Protocol server for .gitlab-ci.yml files.
@@ -42,6 +44,12 @@ Options:
Do not make any network calls; resolve only local includes. Do not make any network calls; resolve only local includes.
Implies --cache-dir default (~/.cache/glint) when not set. Implies --cache-dir default (~/.cache/glint) when not set.
--proxy <URL>
HTTP proxy URL for remote includes and GitLab API calls
(e.g. http://proxy:8080). Overrides system proxy env vars
(HTTP_PROXY / HTTPS_PROXY). Also configurable via proxy: in
.glint.yml.
-h, --help -h, --help
Print help Print help
@@ -49,19 +57,40 @@ Examples:
glint lsp glint lsp
glint lsp --token glpat-xxxx --cache-dir ~/.cache/glint glint lsp --token glpat-xxxx --cache-dir ~/.cache/glint
glint lsp --offline glint lsp --offline
glint lsp --proxy http://proxy.example.com:8080
`) `)
} }
_ = fs.Parse(args) _ = fs.Parse(args)
// Load project config from the working directory (the project root from
// which the LSP server is launched). CLI flags take priority.
wd, _ := os.Getwd()
glintCfg, cfgErr := config.Load(wd)
if cfgErr != nil {
fmt.Fprintf(os.Stderr, "glint lsp: [warning] %s: %v\n", config.Filename, cfgErr)
}
fetcherToken := *token
if fetcherToken == "" {
fetcherToken = glintCfg.Token
}
fetcherURL := *gitlabURL
if fetcherURL == "" {
fetcherURL = glintCfg.URL
}
resolvedCacheDir := *cacheDir resolvedCacheDir := *cacheDir
if resolvedCacheDir == "" {
resolvedCacheDir = glintCfg.CacheDir
}
if resolvedCacheDir == "" { if resolvedCacheDir == "" {
resolvedCacheDir = defaultCacheDir() resolvedCacheDir = defaultCacheDir()
} }
if *offline && resolvedCacheDir == "" { resolvedProxy := *proxy
resolvedCacheDir = defaultCacheDir() if resolvedProxy == "" {
resolvedProxy = glintCfg.Proxy
} }
cfg := fetcher.AutoConfig().WithOverrides(*gitlabURL, *token, resolvedCacheDir, *offline) cfg := fetcher.AutoConfig().WithOverrides(fetcherURL, fetcherToken, resolvedCacheDir, *offline).WithProxy(resolvedProxy)
srv := lsp.New(os.Stdin, os.Stdout, cfg, version) srv := lsp.New(os.Stdin, os.Stdout, cfg, version)
if err := srv.Run(); err != nil { if err := srv.Run(); err != nil {
+86 -11
View File
@@ -66,7 +66,8 @@ const globalUsage = `glint: Lint and visualise GitLab CI pipelines locally.
Usage: glint [OPTIONS] <COMMAND> Usage: glint [OPTIONS] <COMMAND>
Commands: Commands:
check Lint a pipeline file — exits 0 (clean) or 1 (errors found) check Lint a pipeline file — exits 0 (clean), 2 (errors), or 10 (warnings only)
render Resolve all includes and extends into a single merged YAML file
graph Visualise the pipeline as a job tree or Mermaid graph graph Visualise the pipeline as a job tree or Mermaid graph
explain Show description and fix for a lint rule (e.g. glint explain GL007) explain Show description and fix for a lint rule (e.g. glint explain GL007)
lsp Start a Language Server Protocol server (stdin/stdout) lsp Start a Language Server Protocol server (stdin/stdout)
@@ -87,6 +88,8 @@ func main() {
switch os.Args[1] { switch os.Args[1] {
case "check": case "check":
cmdCheck(os.Args[2:]) cmdCheck(os.Args[2:])
case "render":
cmdRender(os.Args[2:])
case "graph": case "graph":
cmdGraph(os.Args[2:]) cmdGraph(os.Args[2:])
case "explain": case "explain":
@@ -119,7 +122,9 @@ func cmdCheck(args []string) {
gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)") gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)")
cacheDir := fs.String("cache-dir", "", "directory to cache fetched remote includes (created if needed)") cacheDir := fs.String("cache-dir", "", "directory to cache fetched remote includes (created if needed)")
offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir") offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir")
proxy := fs.String("proxy", "", "HTTP proxy URL for remote includes and GitLab API calls (e.g. http://proxy:8080); overrides system proxy env vars")
format := fs.String("format", "text", "output format: text, json, sarif, junit, github") format := fs.String("format", "text", "output format: text, json, sarif, junit, github")
noWarn := fs.Bool("no-warn", false, "suppress warning findings; only errors are shown and affect the exit code")
branch := fs.String("branch", "", "simulate a branch push (sets CI_COMMIT_BRANCH, …)") branch := fs.String("branch", "", "simulate a branch push (sets CI_COMMIT_BRANCH, …)")
tag := fs.String("tag", "", "simulate a tag push (sets CI_COMMIT_TAG, …)") tag := fs.String("tag", "", "simulate a tag push (sets CI_COMMIT_TAG, …)")
source := fs.String("source", "", "set CI_PIPELINE_SOURCE") source := fs.String("source", "", "set CI_PIPELINE_SOURCE")
@@ -136,7 +141,11 @@ func cmdCheck(args []string) {
fmt.Fprint(os.Stderr, `Lint a GitLab CI pipeline file. fmt.Fprint(os.Stderr, `Lint a GitLab CI pipeline file.
Resolves local includes and extends chains, then runs all lint rules. Resolves local includes and extends chains, then runs all lint rules.
Exits 0 when no errors are found, 1 when at least one error is reported.
Exit codes:
0 no findings (clean)
2 one or more errors
10 one or more warnings, no errors
Usage: glint check [OPTIONS] <PIPELINE> Usage: glint check [OPTIONS] <PIPELINE>
@@ -148,6 +157,10 @@ Options:
Output format for findings. Output format for findings.
[default: text] [possible values: text, json, sarif, junit, github] [default: text] [possible values: text, json, sarif, junit, github]
--no-warn
Suppress warning findings. Only errors are printed and counted toward
the exit code; warnings are ignored entirely.
--token <TOKEN> --token <TOKEN>
GitLab personal access token. Required to fetch project: includes; GitLab personal access token. Required to fetch project: includes;
component: includes are attempted unauthenticated. component: includes are attempted unauthenticated.
@@ -286,8 +299,12 @@ Examples:
if *offline && resolvedCacheDir == "" { if *offline && resolvedCacheDir == "" {
resolvedCacheDir = defaultCacheDir() resolvedCacheDir = defaultCacheDir()
} }
resolvedProxy := *proxy
if resolvedProxy == "" {
resolvedProxy = glintCfg.Proxy
}
cfg := fetcher.AutoConfig().WithOverrides(fetcherURL, fetcherToken, resolvedCacheDir, *offline) cfg := fetcher.AutoConfig().WithOverrides(fetcherURL, fetcherToken, resolvedCacheDir, *offline).WithProxy(resolvedProxy)
p, err := model.Parse(path) p, err := model.Parse(path)
if err != nil { if err != nil {
@@ -397,7 +414,19 @@ Examples:
findings := linter.Lint(p, skipped) findings := linter.Lint(p, skipped)
findings = applyConfig(findings, glintCfg, p.Suppressions) findings = applyConfig(findings, glintCfg, p.Suppressions)
errCount, _ := countSeverities(findings)
// --no-warn: discard warnings before any output or exit-code calculation.
if *noWarn {
kept := findings[:0]
for _, f := range findings {
if f.Severity != linter.Warning {
kept = append(kept, f)
}
}
findings = kept
}
errCount, warnCount := countSeverities(findings)
// In structured formats the summary line goes to stderr so stdout is clean. // In structured formats the summary line goes to stderr so stdout is clean.
summaryOut := os.Stdout summaryOut := os.Stdout
@@ -415,19 +444,27 @@ Examples:
case "github": case "github":
writeGitHub(os.Stdout, findings) writeGitHub(os.Stdout, findings)
default: // "text" default: // "text"
for _, f := range findings { writeTextFindings(os.Stdout, findings)
fmt.Println(f)
}
} }
if len(findings) == 0 { if len(findings) == 0 {
fmt.Fprintf(summaryOut, "OK: %s — no issues found (%d job(s), %d stage(s))\n", path, len(p.Jobs), len(p.Stages)) fmt.Fprintf(summaryOut, "OK: %s — no issues found (%d job(s), %d stage(s))\n", path, len(p.Jobs), len(p.Stages))
} else { } else {
switch {
case errCount > 0 && warnCount > 0:
fmt.Fprintf(summaryOut, "%d finding(s): %d error(s), %d warning(s)\n", len(findings), errCount, warnCount)
case errCount > 0:
fmt.Fprintf(summaryOut, "%d finding(s): %d error(s)\n", len(findings), errCount) fmt.Fprintf(summaryOut, "%d finding(s): %d error(s)\n", len(findings), errCount)
default:
fmt.Fprintf(summaryOut, "%d finding(s): %d warning(s)\n", len(findings), warnCount)
}
} }
if errCount > 0 { switch {
exit(1) case errCount > 0:
exit(2)
case warnCount > 0:
exit(10)
} }
} }
@@ -448,6 +485,7 @@ func cmdGraph(args []string) {
gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)") gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)")
cacheDir := fs.String("cache-dir", "", "directory to cache fetched remote includes (created if needed)") cacheDir := fs.String("cache-dir", "", "directory to cache fetched remote includes (created if needed)")
offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir") offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir")
proxy := fs.String("proxy", "", "HTTP proxy URL for remote includes and GitLab API calls (e.g. http://proxy:8080)")
out := fs.String("out", "glint-out", "output directory for rendered graph files (pipeline mode)") out := fs.String("out", "glint-out", "output directory for rendered graph files (pipeline mode)")
format := fs.String("format", "svg", "pipeline output format: svg, mermaid, or html") format := fs.String("format", "svg", "pipeline output format: svg, mermaid, or html")
fs.Usage = func() { fs.Usage = func() {
@@ -509,6 +547,12 @@ Options:
Run "git diff --name-only <REF>" to determine changed files for Run "git diff --name-only <REF>" to determine changed files for
rules:changes: evaluation. rules:changes: evaluation.
--no-skipped
Omit jobs that would be skipped in the given context. Requires at
least one context flag (--branch, --tag, --source, --var) or the
implicit default context (branch=main). Skipped jobs are removed
from the tree, SVG, HTML, and Mermaid output entirely.
--list-vars --list-vars
Print all pipeline-level variables collected from the root file and Print all pipeline-level variables collected from the root file and
every included file (sorted KEY=VALUE) to stderr, then continue every included file (sorted KEY=VALUE) to stderr, then continue
@@ -539,6 +583,7 @@ Examples:
branch := fs.String("branch", "", "simulate a branch push (sets CI_COMMIT_BRANCH, …)") branch := fs.String("branch", "", "simulate a branch push (sets CI_COMMIT_BRANCH, …)")
tag := fs.String("tag", "", "simulate a tag push (sets CI_COMMIT_TAG, …)") tag := fs.String("tag", "", "simulate a tag push (sets CI_COMMIT_TAG, …)")
source := fs.String("source", "", "set CI_PIPELINE_SOURCE") source := fs.String("source", "", "set CI_PIPELINE_SOURCE")
noSkipped := fs.Bool("no-skipped", false, "hide jobs that would be skipped in the given context (requires a context)")
listVars := fs.Bool("list-vars", false, "print all collected pipeline variables to stderr, then continue") listVars := fs.Bool("list-vars", false, "print all collected pipeline variables to stderr, then continue")
var vars multiFlag var vars multiFlag
fs.Var(&vars, "var", "set a CI variable as KEY=VALUE; repeatable") fs.Var(&vars, "var", "set a CI variable as KEY=VALUE; repeatable")
@@ -559,13 +604,34 @@ Examples:
return return
} }
path := fs.Arg(0) path := fs.Arg(0)
rootDir := filepath.Dir(filepath.Clean(path))
glintCfg, cfgErr := config.Load(rootDir)
if cfgErr != nil {
fmt.Fprintf(os.Stderr, "%s: [warning] %s: %v\n", path, config.Filename, cfgErr)
}
fetcherToken := *token
if fetcherToken == "" {
fetcherToken = glintCfg.Token
}
fetcherURL := *gitlabURL
if fetcherURL == "" {
fetcherURL = glintCfg.URL
}
resolvedCacheDir := *cacheDir resolvedCacheDir := *cacheDir
if resolvedCacheDir == "" {
resolvedCacheDir = glintCfg.CacheDir
}
if *offline && resolvedCacheDir == "" { if *offline && resolvedCacheDir == "" {
resolvedCacheDir = defaultCacheDir() resolvedCacheDir = defaultCacheDir()
} }
resolvedProxy := *proxy
if resolvedProxy == "" {
resolvedProxy = glintCfg.Proxy
}
cfg := fetcher.AutoConfig().WithOverrides(*gitlabURL, *token, resolvedCacheDir, *offline) cfg := fetcher.AutoConfig().WithOverrides(fetcherURL, fetcherToken, resolvedCacheDir, *offline).WithProxy(resolvedProxy)
p, err := model.Parse(path) p, err := model.Parse(path)
if err != nil { if err != nil {
@@ -574,7 +640,6 @@ Examples:
return return
} }
rootDir := filepath.Dir(filepath.Clean(path))
resolver.ResolveIncludes(p, cfg, rootDir) //nolint:errcheck resolver.ResolveIncludes(p, cfg, rootDir) //nolint:errcheck
resolver.Resolve(p) //nolint:errcheck resolver.Resolve(p) //nolint:errcheck
@@ -607,6 +672,16 @@ Examples:
printVars(p, ctx) printVars(p, ctx)
} }
// --no-skipped: remove jobs that evaluate to skipped in the current context
// before handing the pipeline to any graph function.
if *noSkipped && !ctx.IsEmpty() {
for name, job := range p.Jobs {
if !strings.HasPrefix(name, ".") && cicontext.EvalJob(job, ctx) == cicontext.JobSkipped {
delete(p.Jobs, name)
}
}
}
switch mode { switch mode {
case "default": case "default":
fmt.Print(graph.Tree(p, ctx)) fmt.Print(graph.Tree(p, ctx))
+22 -22
View File
@@ -112,7 +112,7 @@ func TestCmdCheck_MissingFile(t *testing.T) {
if *code != 2 { t.Errorf("missing file: want exit(2), got %d", *code) } if *code != 2 { t.Errorf("missing file: want exit(2), got %d", *code) }
} }
func TestCmdCheck_WithErrors_ExitsOne(t *testing.T) { func TestCmdCheck_WithErrors_ExitsTwo(t *testing.T) {
code := captureExit(t) code := captureExit(t)
// Pipeline with an error finding (invalid stage reference) // Pipeline with an error finding (invalid stage reference)
content := ` content := `
@@ -123,7 +123,7 @@ test-job:
` `
path := writePipeline(t, content) path := writePipeline(t, content)
cmdCheck([]string{path}) cmdCheck([]string{path})
if *code != 1 { t.Errorf("pipeline with errors: want exit(1), got %d", *code) } if *code != 2 { t.Errorf("pipeline with errors: want exit(2), got %d", *code) }
} }
func TestCmdCheck_FormatJSON(t *testing.T) { func TestCmdCheck_FormatJSON(t *testing.T) {
@@ -703,10 +703,10 @@ func TestCmdCheck_ChangesFrom_Fails(t *testing.T) {
code := captureExit(t) code := captureExit(t)
path := writePipeline(t, minimalPipeline) path := writePipeline(t, minimalPipeline)
// Should warn but not crash; pipeline is clean → no exit(1). // Should warn but not crash; pipeline is clean → no exit(2).
cmdCheck([]string{"--changes-from", "origin/main", path}) cmdCheck([]string{"--changes-from", "origin/main", path})
if *code == 1 { if *code == 2 {
t.Errorf("expected no exit(1) when --changes-from fails gracefully, got %d", *code) t.Errorf("expected no exit(2) when --changes-from fails gracefully, got %d", *code)
} }
} }
@@ -753,10 +753,10 @@ build-job:
` `
path := writePipeline(t, content) path := writePipeline(t, content)
// build-job's rule fires only if src/** matches; with 0 changed files it is skipped. // build-job's rule fires only if src/** matches; with 0 changed files it is skipped.
// Pipeline is clean (no lint errors) → no exit(1). // Pipeline is clean (no lint errors) → no exit(2).
cmdCheck([]string{"--changes-from", "origin/main", path}) cmdCheck([]string{"--changes-from", "origin/main", path})
if *code == 1 { if *code == 2 {
t.Errorf("unexpected exit(1): %d", *code) t.Errorf("unexpected exit(2): %d", *code)
} }
} }
@@ -770,8 +770,8 @@ func TestCmdGraph_ChangesFrom_Fails(t *testing.T) {
code := captureExit(t) code := captureExit(t)
path := writePipeline(t, minimalPipeline) path := writePipeline(t, minimalPipeline)
cmdGraph([]string{"tree", "--changes-from", "origin/main", path}) cmdGraph([]string{"tree", "--changes-from", "origin/main", path})
if *code == 1 { if *code == 2 {
t.Errorf("unexpected exit(1) when --changes-from fails in graph mode") t.Errorf("unexpected exit(2) when --changes-from fails in graph mode")
} }
} }
@@ -785,8 +785,8 @@ func TestCmdGraph_ChangesFrom_Success(t *testing.T) {
code := captureExit(t) code := captureExit(t)
path := writePipeline(t, minimalPipeline) path := writePipeline(t, minimalPipeline)
cmdGraph([]string{"tree", "--changes-from", "origin/main", path}) cmdGraph([]string{"tree", "--changes-from", "origin/main", path})
if *code == 1 { if *code == 2 {
t.Errorf("unexpected exit(1) in graph --changes-from success path") t.Errorf("unexpected exit(2) in graph --changes-from success path")
} }
} }
@@ -801,8 +801,8 @@ func TestCmdGraph_ChangesFrom_EmptyDiff(t *testing.T) {
path := writePipeline(t, minimalPipeline) path := writePipeline(t, minimalPipeline)
// reliable=true, allChanged nil → allChanged = []string{} branch hit // reliable=true, allChanged nil → allChanged = []string{} branch hit
cmdGraph([]string{"tree", "--changes-from", "origin/main", path}) cmdGraph([]string{"tree", "--changes-from", "origin/main", path})
if *code == 1 { if *code == 2 {
t.Errorf("unexpected exit(1) in graph --changes-from empty diff") t.Errorf("unexpected exit(2) in graph --changes-from empty diff")
} }
} }
@@ -818,8 +818,8 @@ build-job:
` `
path := writePipeline(t, content) path := writePipeline(t, content)
cmdGraph([]string{"tree", "--changes", "src/app.go", path}) cmdGraph([]string{"tree", "--changes", "src/app.go", path})
if *code == 1 { if *code == 2 {
t.Errorf("unexpected exit(1) with valid pipeline and --changes flag") t.Errorf("unexpected exit(2) with valid pipeline and --changes flag")
} }
} }
@@ -848,7 +848,7 @@ deploy-job:
// by rules evaluation → needs cross-check suppressed → exit 0. // by rules evaluation → needs cross-check suppressed → exit 0.
code := captureExit(t) code := captureExit(t)
cmdCheck([]string{"--branch", "main", path}) cmdCheck([]string{"--branch", "main", path})
if *code == 1 { if *code == 2 {
t.Error("skipped job's needs: error should be suppressed in context-scoped lint") t.Error("skipped job's needs: error should be suppressed in context-scoped lint")
} }
} }
@@ -873,8 +873,8 @@ deploy-job:
code := captureExit(t) code := captureExit(t)
cmdCheck([]string{"--tag", "v1.0.0", path}) cmdCheck([]string{"--tag", "v1.0.0", path})
if *code != 1 { if *code != 2 {
t.Error("active job's bad needs: should still produce GL027 error") t.Error("active job's bad needs: should still produce GL027 error (exit 2)")
} }
} }
@@ -883,7 +883,7 @@ func TestCmdCheck_ContextScopedLinting_SkippedSet_IsNilWhenAllActive(t *testing.
code := captureExit(t) code := captureExit(t)
path := writePipeline(t, minimalPipeline) path := writePipeline(t, minimalPipeline)
cmdCheck([]string{"--branch", "main", path}) cmdCheck([]string{"--branch", "main", path})
if *code == 1 { if *code == 2 {
t.Error("valid pipeline with all-active jobs should not produce errors") t.Error("valid pipeline with all-active jobs should not produce errors")
} }
} }
@@ -1142,8 +1142,8 @@ test-job:
` `
path := writePipeline(t, content) path := writePipeline(t, content)
cmdCheck([]string{"--context", "branch=main", path}) cmdCheck([]string{"--context", "branch=main", path})
if *code != 1 { if *code != 2 {
t.Errorf("multi-context error pipeline: want exit(1), got %d", *code) t.Errorf("multi-context error pipeline: want exit(2), got %d", *code)
} }
} }
+111
View File
@@ -0,0 +1,111 @@
package main
import (
"fmt"
"io"
"os"
"strings"
"git.k3nny.fr/glint/internal/linter"
)
// ANSI escape sequences used for colorized output.
const (
ansiReset = "\033[0m"
ansiBold = "\033[1m"
ansiDim = "\033[2m"
ansiRed = "\033[31m"
ansiOrange = "\033[33m" // rendered as orange/amber in most terminals
)
// colorEnabled reports whether ANSI color should be used when writing to w.
// Colors are suppressed when NO_COLOR is set or when w is not a terminal.
func colorEnabled(w io.Writer) bool {
if os.Getenv("NO_COLOR") != "" {
return false
}
f, ok := w.(*os.File)
if !ok {
return false
}
fi, err := f.Stat()
return err == nil && (fi.Mode()&os.ModeCharDevice) != 0
}
// writeTextFindings prints findings in a columnized format with optional
// ANSI color. All findings are scanned first to compute column widths so
// that each field aligns across all output lines.
//
// Output columns (space-separated, no borders):
//
// location RULE severity message
func writeTextFindings(w io.Writer, findings []linter.Finding) {
if len(findings) == 0 {
return
}
color := colorEnabled(w)
// Pre-compute locations and maximum location width.
locs := make([]string, len(findings))
maxLoc := 0
for i, f := range findings {
locs[i] = findingLocation(f)
if len(locs[i]) > maxLoc {
maxLoc = len(locs[i])
}
}
// Rule IDs are always 5 chars (GL001GL999).
const ruleWidth = 5
// Severity width: "warning" = 7 chars.
const sevWidth = 7
for i, f := range findings {
loc := locs[i]
rule := f.Rule
sev := strings.ToLower(string(f.Severity))
msg := f.Message
if f.Job != "" {
msg = fmt.Sprintf("job %q: %s", f.Job, msg)
}
if color {
var sevSeq string
if f.Severity == linter.Error {
sevSeq = ansiRed + ansiBold
} else {
sevSeq = ansiOrange + ansiBold
}
fmt.Fprintf(w, "%s%-*s%s %s%-*s%s %s%-*s%s %s\n",
ansiDim, maxLoc, loc, ansiReset,
ansiBold, ruleWidth, rule, ansiReset,
sevSeq, sevWidth, sev, ansiReset,
msg,
)
} else {
fmt.Fprintf(w, "%-*s %-*s %-*s %s\n",
maxLoc, loc,
ruleWidth, rule,
sevWidth, sev,
msg,
)
}
}
}
// findingLocation formats the file:line:col location string for a finding.
func findingLocation(f linter.Finding) string {
if f.File == "" {
return ""
}
switch {
case f.Line > 0 && f.Column > 0:
return fmt.Sprintf("%s:%d:%d", f.File, f.Line, f.Column)
case f.Line > 0:
return fmt.Sprintf("%s:%d", f.File, f.Line)
default:
return f.File
}
}
+269
View File
@@ -0,0 +1,269 @@
package main
import (
"flag"
"fmt"
"os"
"path/filepath"
"sort"
"strings"
"git.k3nny.fr/glint/internal/config"
"git.k3nny.fr/glint/internal/fetcher"
"git.k3nny.fr/glint/internal/model"
"git.k3nny.fr/glint/internal/resolver"
"gopkg.in/yaml.v3"
)
func cmdRender(args []string) {
fs := flag.NewFlagSet("glint render", flag.ExitOnError)
output := fs.String("output", "", "output file path (default: rendered.gitlab-ci.yml; use - for stdout)")
token := fs.String("token", "", "GitLab personal access token (overrides GITLAB_TOKEN)")
gitlabURL := fs.String("gitlab-url", "", "GitLab instance URL (overrides CI_SERVER_URL / GITLAB_URL)")
cacheDir := fs.String("cache-dir", "", "directory to cache fetched remote includes")
offline := fs.Bool("offline", false, "skip all network calls; serve only from --cache-dir")
proxy := fs.String("proxy", "", "HTTP proxy URL for remote includes (e.g. http://proxy:8080)")
fs.Usage = func() {
fmt.Fprintf(os.Stderr, "glint %s\n\n", version)
fmt.Fprint(os.Stderr, `Resolve all includes and extends into a single merged YAML file.
Performs the same include resolution and extends merging that GitLab CI
does server-side, then writes the fully flattened pipeline to a single file.
Useful for inspecting the resolved pipeline or running further local tooling.
The output file strips 'include:' (consumed by resolution) and 'extends:'
(applied to each job) keys. All other fields are preserved verbatim.
Template jobs (names starting with '.') are retained.
Usage: glint render [OPTIONS] <PIPELINE>
Arguments:
<PIPELINE> Path to the .gitlab-ci.yml file to resolve
Options:
--output <FILE>
Write the rendered pipeline to FILE.
Use '-' to write to stdout.
[default: rendered.gitlab-ci.yml]
--token <TOKEN>
GitLab personal access token for fetching project: and component:
includes.
[env: GITLAB_TOKEN | CI_JOB_TOKEN | GITLAB_PRIVATE_TOKEN]
--gitlab-url <URL>
GitLab instance URL.
[env: CI_SERVER_URL | GITLAB_URL] [default: https://gitlab.com]
--cache-dir <DIR>
Cache directory for fetched remote includes.
--offline
Do not make any network calls; use cache only.
--proxy <URL>
HTTP proxy URL for remote includes and GitLab API calls.
-h, --help
Print help
Examples:
glint render .gitlab-ci.yml
glint render --output merged.yml .gitlab-ci.yml
glint render --output - .gitlab-ci.yml | yq .
glint render --offline --cache-dir ~/.cache/glint .gitlab-ci.yml
`)
}
_ = fs.Parse(args)
if fs.NArg() != 1 {
fs.Usage()
exit(2)
return
}
path := fs.Arg(0)
rootDir := filepath.Dir(filepath.Clean(path))
glintCfg, cfgErr := config.Load(rootDir)
if cfgErr != nil {
fmt.Fprintf(os.Stderr, "%s: [warning] %s: %v\n", path, config.Filename, cfgErr)
}
fetcherToken := *token
if fetcherToken == "" {
fetcherToken = glintCfg.Token
}
fetcherURL := *gitlabURL
if fetcherURL == "" {
fetcherURL = glintCfg.URL
}
resolvedCacheDir := *cacheDir
if resolvedCacheDir == "" {
resolvedCacheDir = glintCfg.CacheDir
}
if *offline && resolvedCacheDir == "" {
resolvedCacheDir = defaultCacheDir()
}
resolvedProxy := *proxy
if resolvedProxy == "" {
resolvedProxy = glintCfg.Proxy
}
cfg := fetcher.AutoConfig().WithOverrides(fetcherURL, fetcherToken, resolvedCacheDir, *offline).WithProxy(resolvedProxy)
p, err := model.Parse(path)
if err != nil {
fmt.Fprintf(os.Stderr, "error: %v\n", err)
exit(2)
return
}
warnings, _ := resolver.ResolveIncludes(p, cfg, rootDir)
for _, w := range warnings {
fmt.Fprintf(os.Stderr, "%s: [warning] include %s\n", path, w)
}
extWarnings, err := resolver.Resolve(p)
if err != nil {
fmt.Fprintf(os.Stderr, "error: resolving extends: %v\n", err)
exit(2)
return
}
for _, w := range extWarnings {
fmt.Fprintf(os.Stderr, "%s: [warning] job %q extends unknown job %q; extends chain skipped\n", path, w.Job, w.Base)
}
doc, err := buildRenderDoc(p)
if err != nil {
fmt.Fprintf(os.Stderr, "error: building output: %v\n", err)
exit(2)
return
}
outPath := *output
if outPath == "" {
outPath = "rendered.gitlab-ci.yml"
}
var w interface{ Write([]byte) (int, error) }
if outPath == "-" {
w = os.Stdout
} else {
f, err := os.Create(outPath)
if err != nil {
fmt.Fprintf(os.Stderr, "error: creating output file: %v\n", err)
exit(2)
return
}
defer f.Close()
w = f
}
enc := yaml.NewEncoder(w)
enc.SetIndent(2)
if err := enc.Encode(doc); err != nil {
fmt.Fprintf(os.Stderr, "error: writing output: %v\n", err)
exit(2)
return
}
_ = enc.Close()
if outPath != "-" {
jobCount := 0
for name := range p.Jobs {
if !strings.HasPrefix(name, ".") {
jobCount++
}
}
fmt.Fprintf(os.Stderr, "rendered: %s (%d job(s), %d stage(s))\n", outPath, jobCount, len(p.Stages))
}
}
// buildRenderDoc constructs an ordered yaml.Node document from the resolved
// pipeline. Pipeline-level keys (stages, variables, default, workflow) come
// first, followed by template jobs (.name) then regular jobs, both sorted
// alphabetically. 'include:' and 'extends:' are omitted — they have been
// consumed by the resolution passes.
func buildRenderDoc(p *model.Pipeline) (*yaml.Node, error) {
root := &yaml.Node{Kind: yaml.MappingNode, Tag: "!!map"}
addField := func(key string, val any) error {
n, err := anyToNode(val)
if err != nil {
return fmt.Errorf("encoding %q: %w", key, err)
}
root.Content = append(root.Content,
&yaml.Node{Kind: yaml.ScalarNode, Tag: "!!str", Value: key},
n,
)
return nil
}
if len(p.Stages) > 0 {
if err := addField("stages", p.Stages); err != nil {
return nil, err
}
}
if len(p.Variables) > 0 {
if err := addField("variables", p.Variables); err != nil {
return nil, err
}
}
if p.Default != nil {
if err := addField("default", p.Default); err != nil {
return nil, err
}
}
if p.Workflow != nil {
if err := addField("workflow", p.Workflow); err != nil {
return nil, err
}
}
// Collect and sort job names: template jobs first, then regular jobs.
var templates, regular []string
for name := range p.RawJobs {
if strings.HasPrefix(name, ".") {
templates = append(templates, name)
} else {
regular = append(regular, name)
}
}
sort.Strings(templates)
sort.Strings(regular)
for _, name := range append(templates, regular...) {
raw := p.RawJobs[name]
// Copy to avoid mutating the shared map; strip resolution-consumed keys.
cleaned := make(map[string]any, len(raw))
for k, v := range raw {
if k == "extends" {
continue
}
cleaned[k] = v
}
if err := addField(name, cleaned); err != nil {
return nil, err
}
}
doc := &yaml.Node{Kind: yaml.DocumentNode, Content: []*yaml.Node{root}}
return doc, nil
}
// anyToNode converts an arbitrary Go value to a *yaml.Node by round-tripping
// through yaml.Marshal / yaml.Unmarshal, which preserves all value types.
func anyToNode(v any) (*yaml.Node, error) {
data, err := yaml.Marshal(v)
if err != nil {
return nil, err
}
var doc yaml.Node
if err := yaml.Unmarshal(data, &doc); err != nil {
return nil, err
}
if doc.Kind == yaml.DocumentNode && len(doc.Content) > 0 {
return doc.Content[0], nil
}
return &doc, nil
}
+6
View File
@@ -38,6 +38,12 @@ type Config struct {
// CacheDir is the default directory for caching fetched remote includes. // CacheDir is the default directory for caching fetched remote includes.
// Overridden by the --cache-dir flag. // Overridden by the --cache-dir flag.
CacheDir string `yaml:"cache_dir"` CacheDir string `yaml:"cache_dir"`
// Proxy is the HTTP proxy URL for fetching remote includes and GitLab API
// calls (e.g. "http://proxy.example.com:8080"). Overridden by the --proxy
// flag. When empty, system proxy settings (HTTP_PROXY / HTTPS_PROXY /
// NO_PROXY env vars) are used automatically.
Proxy string `yaml:"proxy"`
} }
// Load searches for a .glint.yml file starting from dir and walking up toward // Load searches for a .glint.yml file starting from dir and walking up toward
+2 -2
View File
@@ -26,10 +26,10 @@ func cacheWrite(dir, key string, data []byte) {
if dir == "" { if dir == "" {
return return
} }
if err := os.MkdirAll(dir, 0o755); err != nil { if err := os.MkdirAll(dir, 0o700); err != nil {
return return
} }
_ = os.WriteFile(cachePath(dir, key), data, 0o644) _ = os.WriteFile(cachePath(dir, key), data, 0o600)
} }
// cachePath returns the filesystem path for a cache entry. // cachePath returns the filesystem path for a cache entry.
+25
View File
@@ -71,3 +71,28 @@ func TestCacheWrite_MkdirAll(t *testing.T) {
t.Errorf("directory not created: %v", err) t.Errorf("directory not created: %v", err)
} }
} }
func TestCacheWrite_FilePermissions(t *testing.T) {
dir := t.TempDir()
cacheWrite(dir, "seckey", []byte("secret"))
info, err := os.Stat(cachePath(dir, "seckey"))
if err != nil {
t.Fatalf("stat cache file: %v", err)
}
if mode := info.Mode().Perm(); mode != 0o600 {
t.Errorf("cache file mode = %04o; want 0600", mode)
}
}
func TestCacheWrite_DirPermissions(t *testing.T) {
parent := t.TempDir()
dir := filepath.Join(parent, "glint-cache")
cacheWrite(dir, "k", []byte("v"))
info, err := os.Stat(dir)
if err != nil {
t.Fatalf("stat cache dir: %v", err)
}
if mode := info.Mode().Perm(); mode != 0o700 {
t.Errorf("cache dir mode = %04o; want 0700", mode)
}
}
+51 -4
View File
@@ -8,8 +8,18 @@ import (
"net/url" "net/url"
"os" "os"
"strings" "strings"
"time"
) )
// httpClient is the shared HTTP client for all fetcher requests.
// Timeout guards against hung remote servers. Transport is intentionally nil
// so http.DefaultTransport is used dynamically — allowing tests to swap it.
var httpClient = &http.Client{Timeout: 30 * time.Second}
// maxResponseBytes is the per-response size cap. Responses larger than this
// are rejected to prevent memory exhaustion from pathological servers.
const maxResponseBytes int64 = 10 << 20 // 10 MiB
// TokenSource describes where a token was found, which determines the correct // TokenSource describes where a token was found, which determines the correct
// authentication header to use with the GitLab API. // authentication header to use with the GitLab API.
type TokenSource int type TokenSource int
@@ -27,6 +37,10 @@ type GitLabConfig struct {
Source TokenSource Source TokenSource
CacheDir string // local cache directory; empty = caching disabled CacheDir string // local cache directory; empty = caching disabled
Offline bool // when true, return an error instead of making network calls Offline bool // when true, return an error instead of making network calls
// ProxyURL overrides the HTTP proxy for all requests made with this config.
// Empty string means use system proxy settings (HTTP_PROXY / HTTPS_PROXY /
// NO_PROXY env vars honoured automatically by http.DefaultTransport).
ProxyURL string
} }
// AutoConfig builds a GitLabConfig from environment variables. // AutoConfig builds a GitLabConfig from environment variables.
@@ -56,6 +70,33 @@ func AutoConfig() GitLabConfig {
return cfg return cfg
} }
// WithProxy returns a copy of cfg with ProxyURL set.
func (cfg GitLabConfig) WithProxy(proxyURL string) GitLabConfig {
cfg.ProxyURL = proxyURL
return cfg
}
// client returns an HTTP client for this config.
// When ProxyURL is set it takes precedence over system proxy env vars;
// otherwise http.DefaultTransport's built-in ProxyFromEnvironment is used.
func (cfg GitLabConfig) client() *http.Client {
if cfg.ProxyURL == "" {
return httpClient
}
proxyURL, err := url.Parse(cfg.ProxyURL)
if err != nil {
return httpClient
}
// Clone the default transport so all TLS/dial settings are preserved.
t, ok := http.DefaultTransport.(*http.Transport)
if !ok {
return httpClient
}
transport := t.Clone()
transport.Proxy = http.ProxyURL(proxyURL)
return &http.Client{Timeout: httpClient.Timeout, Transport: transport}
}
// WithOverrides returns a copy of cfg with the provided overrides applied. // WithOverrides returns a copy of cfg with the provided overrides applied.
// Non-empty strings overwrite the corresponding field; booleans are always // Non-empty strings overwrite the corresponding field; booleans are always
// applied (so offline: false explicitly clears offline mode). // applied (so offline: false explicitly clears offline mode).
@@ -128,16 +169,19 @@ func (cfg GitLabConfig) FetchFile(project, filePath, ref string) ([]byte, error)
} }
} }
resp, err := http.DefaultClient.Do(req) resp, err := cfg.client().Do(req)
if err != nil { if err != nil {
return nil, fmt.Errorf("GET %s: %w", apiURL, err) return nil, fmt.Errorf("GET %s: %w", apiURL, err)
} }
defer resp.Body.Close() defer resp.Body.Close()
body, err := io.ReadAll(resp.Body) body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes+1))
if err != nil { if err != nil {
return nil, fmt.Errorf("reading response body: %w", err) return nil, fmt.Errorf("reading response body: %w", err)
} }
if int64(len(body)) > maxResponseBytes {
return nil, fmt.Errorf("response body exceeds maximum size (%d MiB)", maxResponseBytes>>20)
}
if resp.StatusCode != http.StatusOK { if resp.StatusCode != http.StatusOK {
msg := strings.TrimSpace(string(body)) msg := strings.TrimSpace(string(body))
@@ -169,15 +213,18 @@ func (cfg GitLabConfig) FetchURL(rawURL string) ([]byte, error) {
return nil, fmt.Errorf("offline mode: %s is not in the local cache (run without --offline first to populate the cache)", rawURL) return nil, fmt.Errorf("offline mode: %s is not in the local cache (run without --offline first to populate the cache)", rawURL)
} }
resp, err := http.Get(rawURL) //nolint:noctx resp, err := cfg.client().Get(rawURL)
if err != nil { if err != nil {
return nil, fmt.Errorf("GET %s: %w", rawURL, err) return nil, fmt.Errorf("GET %s: %w", rawURL, err)
} }
defer resp.Body.Close() defer resp.Body.Close()
body, err := io.ReadAll(resp.Body) body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes+1))
if err != nil { if err != nil {
return nil, fmt.Errorf("reading body: %w", err) return nil, fmt.Errorf("reading body: %w", err)
} }
if int64(len(body)) > maxResponseBytes {
return nil, fmt.Errorf("response body exceeds maximum size (%d MiB)", maxResponseBytes>>20)
}
if resp.StatusCode != http.StatusOK { if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("GET %s: status %d", rawURL, resp.StatusCode) return nil, fmt.Errorf("GET %s: status %d", rawURL, resp.StatusCode)
} }
+44
View File
@@ -6,6 +6,7 @@ import (
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os" "os"
"strings"
"testing" "testing"
) )
@@ -339,3 +340,46 @@ func TestFetchURL_NotOK(t *testing.T) {
_, err := cfg.FetchURL(srv.URL) _, err := cfg.FetchURL(srv.URL)
if err == nil { t.Fatal("expected error for non-200 status") } if err == nil { t.Fatal("expected error for non-200 status") }
} }
func TestFetchFile_ResponseTooLarge(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
// Write maxResponseBytes+1 bytes to exceed the cap.
chunk := make([]byte, 4096)
written := int64(0)
for written <= maxResponseBytes {
n, _ := w.Write(chunk)
written += int64(n)
}
}))
defer srv.Close()
cfg := GitLabConfig{BaseURL: srv.URL}
_, err := cfg.FetchFile("group/project", "/ci.yml", "main")
if err == nil {
t.Fatal("expected error for oversized response")
}
if !strings.Contains(err.Error(), "exceeds maximum size") {
t.Errorf("unexpected error: %v", err)
}
}
func TestFetchURL_ResponseTooLarge(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
chunk := make([]byte, 4096)
written := int64(0)
for written <= maxResponseBytes {
n, _ := w.Write(chunk)
written += int64(n)
}
}))
defer srv.Close()
cfg := GitLabConfig{}
_, err := cfg.FetchURL(srv.URL)
if err == nil {
t.Fatal("expected error for oversized response")
}
if !strings.Contains(err.Error(), "exceeds maximum size") {
t.Errorf("unexpected error: %v", err)
}
}
+2
View File
@@ -30,6 +30,7 @@ func checkDependencies(p *model.Pipeline, skipped map[string]bool) []Finding {
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf("'dependencies' references unknown job %q", dep), Message: fmt.Sprintf("'dependencies' references unknown job %q", dep),
}) })
continue continue
@@ -43,6 +44,7 @@ func checkDependencies(p *model.Pipeline, skipped map[string]bool) []Finding {
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf("'dependencies' job %q must be in an earlier stage (in %q, current job is in %q)", dep, depJob.Stage, job.Stage), Message: fmt.Sprintf("'dependencies' job %q must be in an earlier stage (in %q, current job is in %q)", dep, depJob.Stage, job.Stage),
}) })
} }
+14
View File
@@ -853,4 +853,18 @@ test:
- if: $CI_COMMIT_BRANCH == "main" - if: $CI_COMMIT_BRANCH == "main"
needs: [build, lint]`, needs: [build, lint]`,
}, },
RuleInsecureRemoteInclude: {
Title: "remote include uses plain HTTP",
Severity: Warning,
Description: "An include: remote: entry uses an http:// URL instead of https://. " +
"CI templates fetched over plain HTTP are transmitted in cleartext; an " +
"attacker with network access could intercept or modify the template " +
"before it is parsed. Use https:// so the connection is encrypted and " +
"the server's identity is verified.",
Example: `include:
- remote: http://ci-templates.example.com/build.yml`,
Fix: `include:
- remote: https://ci-templates.example.com/build.yml`,
},
} }
+1
View File
@@ -99,6 +99,7 @@ func evalRulesReachability(name string, job model.Job, jobVars map[string]string
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: "rules: block can never activate: all if: conditions evaluate to false given the declared pipeline variables", Message: "rules: block can never activate: all if: conditions evaluate to false given the declared pipeline variables",
} }
} }
+31
View File
@@ -0,0 +1,31 @@
package linter
import (
"fmt"
"strings"
"git.k3nny.fr/glint/internal/model"
)
// checkInsecureRemoteInclude warns when an include: remote: entry uses plain
// HTTP (GL045). The file is still fetched and linted; the finding is a warning
// so pipelines that use HTTP for internal infra are not blocked.
func checkInsecureRemoteInclude(p *model.Pipeline) []Finding {
var findings []Finding
for _, inc := range p.Include {
m, ok := inc.(map[string]any)
if !ok {
continue
}
remote, _ := m["remote"].(string)
if strings.HasPrefix(remote, "http://") {
findings = append(findings, Finding{
Severity: Warning,
Rule: RuleInsecureRemoteInclude,
File: p.SourceFile,
Message: fmt.Sprintf("remote include %q uses plain HTTP; CI templates are fetched unencrypted — prefer HTTPS", remote),
})
}
}
return findings
}
+73
View File
@@ -0,0 +1,73 @@
package linter
import (
"testing"
"git.k3nny.fr/glint/internal/model"
)
func TestCheckInsecureRemoteInclude(t *testing.T) {
tests := []struct {
name string
include []any
wantGL string // expected rule ID, empty = no findings
}{
{
name: "http URL triggers GL045",
include: []any{map[string]any{"remote": "http://example.com/ci.yml"}},
wantGL: RuleInsecureRemoteInclude,
},
{
name: "https URL is clean",
include: []any{map[string]any{"remote": "https://example.com/ci.yml"}},
},
{
name: "local include ignored",
include: []any{map[string]any{"local": "/templates/ci.yml"}},
},
{
name: "string include ignored",
include: []any{"/templates/ci.yml"},
},
{
name: "no includes",
include: nil,
},
{
name: "mixed: http fires, https does not",
include: []any{
map[string]any{"remote": "https://ok.example.com/ci.yml"},
map[string]any{"remote": "http://bad.example.com/ci.yml"},
},
wantGL: RuleInsecureRemoteInclude,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
p := &model.Pipeline{
Include: tc.include,
Jobs: map[string]model.Job{},
}
findings := checkInsecureRemoteInclude(p)
if tc.wantGL == "" {
if len(findings) != 0 {
t.Errorf("expected no findings, got: %v", findings)
}
return
}
found := false
for _, f := range findings {
if f.Rule == tc.wantGL {
found = true
if f.Severity != Warning {
t.Errorf("severity = %v; want Warning", f.Severity)
}
}
}
if !found {
t.Errorf("expected finding %s, got: %v", tc.wantGL, findings)
}
})
}
}
+2
View File
@@ -40,6 +40,7 @@ func checkJobInheritCompleteness(p *model.Pipeline, name string, job model.Job)
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: "'inherit: default:' is declared but the pipeline has no 'default:' block — declaration has no effect", Message: "'inherit: default:' is declared but the pipeline has no 'default:' block — declaration has no effect",
}} }}
} }
@@ -70,6 +71,7 @@ func checkJobInheritCompleteness(p *model.Pipeline, name string, job model.Job)
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf( Message: fmt.Sprintf(
"'inherit: default: [%s]': %s not defined in the 'default:' block — %s", "'inherit: default: [%s]': %s not defined in the 'default:' block — %s",
strings.Join(dead, ", "), strings.Join(dead, ", "),
+8 -2
View File
@@ -22,15 +22,19 @@ type Finding struct {
Job string // empty for pipeline-level findings Job string // empty for pipeline-level findings
File string // source file where the finding originates File string // source file where the finding originates
Line int // line number in File (0 = unknown) Line int // line number in File (0 = unknown)
Column int // column number in File (0 = unknown; 1-indexed)
Message string Message string
} }
func (f Finding) String() string { func (f Finding) String() string {
var loc string var loc string
if f.File != "" { if f.File != "" {
if f.Line > 0 { switch {
case f.Line > 0 && f.Column > 0:
loc = fmt.Sprintf("%s:%d:%d: ", f.File, f.Line, f.Column)
case f.Line > 0:
loc = fmt.Sprintf("%s:%d: ", f.File, f.Line) loc = fmt.Sprintf("%s:%d: ", f.File, f.Line)
} else { default:
loc = fmt.Sprintf("%s: ", f.File) loc = fmt.Sprintf("%s: ", f.File)
} }
} }
@@ -67,6 +71,7 @@ func Lint(p *model.Pipeline, skipped map[string]bool) []Finding {
findings = append(findings, checkVariableRefs(p)...) findings = append(findings, checkVariableRefs(p)...)
findings = append(findings, checkRulesIfReachability(p)...) findings = append(findings, checkRulesIfReachability(p)...)
findings = append(findings, checkInheritCompleteness(p)...) findings = append(findings, checkInheritCompleteness(p)...)
findings = append(findings, checkInsecureRemoteInclude(p)...)
slices.SortStableFunc(findings, func(a, b Finding) int { slices.SortStableFunc(findings, func(a, b Finding) int {
if c := cmp.Compare(a.File, b.File); c != 0 { if c := cmp.Compare(a.File, b.File); c != 0 {
return c return c
@@ -224,6 +229,7 @@ func checkJob(name string, job model.Job, stageSet map[string]bool) []Finding {
if findings[i].Job != "" && findings[i].File == "" { if findings[i].Job != "" && findings[i].File == "" {
findings[i].File = job.File findings[i].File = job.File
findings[i].Line = job.Line findings[i].Line = job.Line
findings[i].Column = job.Column
} }
} }
return findings return findings
+4
View File
@@ -53,6 +53,7 @@ func checkNeeds(p *model.Pipeline, skipped map[string]bool) []Finding {
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf("needs unknown job %q", entry.job), Message: fmt.Sprintf("needs unknown job %q", entry.job),
}) })
continue continue
@@ -71,6 +72,7 @@ func checkNeeds(p *model.Pipeline, skipped map[string]bool) []Finding {
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf( Message: fmt.Sprintf(
"needs %q which is in a later stage (%q after %q)", "needs %q which is in a later stage (%q after %q)",
entry.job, neededJob.Stage, job.Stage, entry.job, neededJob.Stage, job.Stage,
@@ -111,6 +113,7 @@ func checkRulesNeeds(p *model.Pipeline, skipped map[string]bool) []Finding {
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf( Message: fmt.Sprintf(
"rules[%d].needs: references unknown job %q", "rules[%d].needs: references unknown job %q",
i, entry.job, i, entry.job,
@@ -171,6 +174,7 @@ func detectNeedsCycles(graph map[string][]string, jobs map[string]model.Job) []F
Job: name, Job: name,
File: j.File, File: j.File,
Line: j.Line, Line: j.Line,
Column: j.Column,
Message: fmt.Sprintf("circular dependency in needs: %v → %s", path, name), Message: fmt.Sprintf("circular dependency in needs: %v → %s", path, name),
}) })
} }
+5
View File
@@ -158,4 +158,9 @@ const (
// GL044: a rules:needs: entry references a job that does not exist in the pipeline. // GL044: a rules:needs: entry references a job that does not exist in the pipeline.
// rules:needs: overrides the top-level needs: when a specific rule matches (GitLab CI 16.4+). // rules:needs: overrides the top-level needs: when a specific rule matches (GitLab CI 16.4+).
RuleRulesNeedsUnknown = "GL044" RuleRulesNeedsUnknown = "GL044"
// GL045: an include: remote: entry uses plain HTTP instead of HTTPS.
// CI templates fetched over HTTP are transmitted in cleartext and can be
// intercepted or modified in transit.
RuleInsecureRemoteInclude = "GL045"
) )
+1
View File
@@ -148,6 +148,7 @@ func checkVariableRefs(p *model.Pipeline) []Finding {
Job: name, Job: name,
File: job.File, File: job.File,
Line: job.Line, Line: job.Line,
Column: job.Column,
Message: fmt.Sprintf("rules[%d].if: $%s is not declared in pipeline or job variables:", i, varName), Message: fmt.Sprintf("rules[%d].if: $%s is not declared in pipeline or job variables:", i, varName),
}) })
} }
+8
View File
@@ -66,6 +66,11 @@ func (s *Server) Run() error {
} }
} }
// maxLSPMessageBytes caps the body size accepted from an LSP client.
// A legitimate editor message is never this large; enforcing the cap prevents
// a crafted Content-Length from triggering a multi-gigabyte allocation.
const maxLSPMessageBytes = 64 << 20 // 64 MiB
// readMessage reads one Content-Lengthframed JSON-RPC message from the stream. // readMessage reads one Content-Lengthframed JSON-RPC message from the stream.
func (s *Server) readMessage() (*Message, error) { func (s *Server) readMessage() (*Message, error) {
var contentLength int var contentLength int
@@ -92,6 +97,9 @@ func (s *Server) readMessage() (*Message, error) {
if contentLength == 0 { if contentLength == 0 {
return nil, fmt.Errorf("missing or zero Content-Length header") return nil, fmt.Errorf("missing or zero Content-Length header")
} }
if contentLength > maxLSPMessageBytes {
return nil, fmt.Errorf("Content-Length %d exceeds maximum %d", contentLength, maxLSPMessageBytes)
}
body := make([]byte, contentLength) body := make([]byte, contentLength)
if _, err := io.ReadFull(s.in, body); err != nil { if _, err := io.ReadFull(s.in, body); err != nil {
+14
View File
@@ -364,6 +364,20 @@ func TestServer_DidClose_ClearsdiAgnostics(t *testing.T) {
} }
} }
func TestServer_ContentLengthTooLarge(t *testing.T) {
// Craft a header with a content-length that exceeds the cap.
// The server must reject it before allocating a giant buffer.
header := fmt.Sprintf("Content-Length: %d\r\n\r\n", maxLSPMessageBytes+1)
srv, _, _ := newTestServer([]byte(header))
err := srv.Run()
if err == nil {
t.Fatal("expected error for oversized Content-Length, got nil")
}
if !strings.Contains(err.Error(), "exceeds maximum") {
t.Errorf("unexpected error: %v", err)
}
}
func TestServer_UriToPath(t *testing.T) { func TestServer_UriToPath(t *testing.T) {
tests := []struct { tests := []struct {
uri string uri string
+1
View File
@@ -84,6 +84,7 @@ func ParseBytes(data []byte) (*Pipeline, error) {
} }
j.Name = key j.Name = key
j.Line = keyNode.Line // exact line of the job name key j.Line = keyNode.Line // exact line of the job name key
j.Column = keyNode.Column // exact column of the job name key
p.Jobs[key] = j p.Jobs[key] = j
} }
+1
View File
@@ -48,6 +48,7 @@ type Job struct {
Name string // set by parser, not from YAML Name string // set by parser, not from YAML
File string // source file; set by Parse / resolver File string // source file; set by Parse / resolver
Line int // line of the job key in its source file; set by parser Line int // line of the job key in its source file; set by parser
Column int // column of the job key (1-indexed); set by parser
Stage string `yaml:"stage"` Stage string `yaml:"stage"`
Script any `yaml:"script"` // []string or string (block scalar) Script any `yaml:"script"` // []string or string (block scalar)
Run any `yaml:"run"` // alternative to script (CI steps) Run any `yaml:"run"` // alternative to script (CI steps)
+4 -1
View File
@@ -80,12 +80,15 @@ func Resolve(p *model.Pipeline) ([]ExtendWarning, error) {
return extWarnings, fmt.Errorf("job %q: re-decoding merged definition: %w", name, err) return extWarnings, fmt.Errorf("job %q: re-decoding merged definition: %w", name, err)
} }
j.Name = name j.Name = name
// Preserve source location — File/Line are not part of the YAML map // Preserve source location — these fields are not part of the YAML map
// and are lost during the encode/decode round-trip. // and are lost during the encode/decode round-trip.
orig := p.Jobs[name] orig := p.Jobs[name]
j.File = orig.File j.File = orig.File
j.Line = orig.Line j.Line = orig.Line
j.Column = orig.Column
p.Jobs[name] = j p.Jobs[name] = j
// Write merged raw map back so p.RawJobs always reflects post-extends state.
p.RawJobs[name] = merged
} }
return extWarnings, nil return extWarnings, nil
+6
View File
@@ -133,6 +133,12 @@ func resolveLocalInclude(p *model.Pipeline, rawPath string, cfg fetcher.GitLabCo
absPath := filepath.Join(rootDir, relPath) absPath := filepath.Join(rootDir, relPath)
label := "local " + rawPath label := "local " + rawPath
// Guard against path traversal: reject any path that escapes rootDir.
rel, err := filepath.Rel(rootDir, absPath)
if err != nil || strings.HasPrefix(rel, "..") {
return []IncludeWarning{{Label: label, Err: fmt.Errorf("path escapes repository root: %s", rawPath)}}, nil
}
if visited[absPath] { if visited[absPath] {
return nil, nil return nil, nil
} }
+27
View File
@@ -6,6 +6,7 @@ import (
"net/http/httptest" "net/http/httptest"
"os" "os"
"path/filepath" "path/filepath"
"strings"
"testing" "testing"
"git.k3nny.fr/glint/internal/fetcher" "git.k3nny.fr/glint/internal/fetcher"
@@ -332,6 +333,32 @@ func TestResolveLocalInclude_WithNestedIncludes(t *testing.T) {
} }
} }
func TestResolveLocalInclude_PathTraversal(t *testing.T) {
dir := t.TempDir()
p := &model.Pipeline{Jobs: map[string]model.Job{}, RawJobs: map[string]map[string]any{}}
// A path that escapes the repository root via "../.." must produce a warning,
// not silently read an arbitrary file.
warnings, _ := resolveLocalInclude(p, "../../etc/passwd", fetcher.GitLabConfig{}, dir, map[string]bool{}, 0)
if len(warnings) == 0 {
t.Fatal("expected warning for path traversal, got none")
}
if !strings.Contains(warnings[0].Err.Error(), "path escapes") {
t.Errorf("unexpected warning: %v", warnings[0])
}
if len(p.Jobs) != 0 {
t.Error("no jobs should be merged when path escapes root")
}
}
func TestResolveLocalInclude_PathTraversalWithLeadingSlash(t *testing.T) {
dir := t.TempDir()
p := &model.Pipeline{Jobs: map[string]model.Job{}, RawJobs: map[string]map[string]any{}}
warnings, _ := resolveLocalInclude(p, "/../../etc/shadow", fetcher.GitLabConfig{}, dir, map[string]bool{}, 0)
if len(warnings) == 0 {
t.Fatal("expected warning for path traversal via leading slash, got none")
}
}
// ── resolveRemoteInclude ────────────────────────────────────────────────────── // ── resolveRemoteInclude ──────────────────────────────────────────────────────
func TestResolveRemoteInclude_Success(t *testing.T) { func TestResolveRemoteInclude_Success(t *testing.T) {
+8
View File
@@ -0,0 +1,8 @@
stages: [build]
include:
- remote: http://ci-templates.example.invalid/template.yml
build-job:
stage: build
script: echo hello