f5f8546bcf
Bundles three patch releases (v0.2.16–v0.2.18): v0.2.18 — output formats (--format flag on glint check): - json: stable JSON report (schema_version: 1, findings array, summary) - sarif: SARIF 2.1.0 for GitHub Code Scanning / GitLab SAST - junit: JUnit XML for CI test-report artifacts (artifacts:reports:junit) - github: GitHub Actions ::error:: / ::warning:: annotation lines - Unknown --format value exits 2 with a helpful error message - Summary line routed to stderr in structured formats; context suppressed v0.2.17 — include resolution improvements: - Recursive include depth capped at 100 (matches GitLab's own limit) - project: and component: includes tracked in visited set (cycle detection) - $[[ inputs.KEY ]] / $[[ inputs.KEY | default(…) ]] substituted from with: - --cache-dir: persist fetched remote templates to disk (SHA-256 keyed) - --offline: serve from cache only; defaults to ~/.cache/glint v0.2.16 — new lint rules (GL034–GL041): - GL034: services map form requires name; alias must be valid DNS label - GL035: rules:changes / rules:exists absolute path detection - GL036: timeout format validation (job-level + default.timeout) - GL037: id_tokens entries must have an aud key - GL038: secrets entries must declare a provider (vault / gcp / azure) - GL039: pages: keyword + artifacts.paths consistency - GL040: duplicate stage names in stages: list - GL041: cache.key.files must be exact paths, not globs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
# Taskfile schema version.
version: '3'

# Global variables, available to every task as {{.NAME}} templates.
vars:
  # Name of the local executable; also the prefix of the release artifacts
  # written by the cross-compile tasks.
  BINARY: glint

  # Absolute path to the Go toolchain. Every go invocation in this file uses
  # exactly this binary instead of resolving `go` through PATH.
  # NOTE(review): hosts with Go installed elsewhere must adjust this value —
  # confirm the pinned location is intentional.
  GO: /usr/local/go/bin/go

  # Build identifier taken from git: the nearest tag (or the abbreviated commit
  # hash when no tag is reachable), with a -dirty suffix for uncommitted
  # changes. Falls back to "dev" when git describe fails.
  # The result is substituted as plain text into the build task's shell
  # command (inside the -ldflags argument); Task templating does not
  # shell-escape it. NOTE(review): tag names may contain shell metacharacters,
  # so build only from repositories whose tags are trusted, or quote the value
  # at the point of use (Task provides a shellQuote template function —
  # verify it is available in the Task version in use).
  VERSION:
    sh: 'git describe --tags --always --dirty 2>/dev/null || echo "dev"'
# Task definitions. Templates such as {{.GO}}, {{.BINARY}} and {{.VERSION}}
# refer to the global vars declared at the top of this file.
tasks:
  # Running `task` with no arguments prints the task list.
  default:
    desc: List available tasks
    cmds:
      - task --list

  # Native build of the linter, skipped by Task when the listed sources are
  # unchanged. NOTE(review): go.sum is not among the sources, so a change to it
  # alone would presumably not trigger a rebuild — confirm.
  build:
    desc: Build the glint binary
    sources:
      - '**/*.go'
      - go.mod
    generates:
      - '{{.BINARY}}'
    cmds:
      # VERSION comes from `git describe` and is pasted as text inside a
      # double-quoted shell word; it is not shell-escaped here.
      # NOTE(review): safe only while tag names in this repository are trusted.
      - '{{.GO}} build -ldflags "-X main.version={{.VERSION}}" -o {{.BINARY}} ./cmd/glint/...'

  test:
    desc: Run Go unit tests
    cmds:
      - '{{.GO}} test ./...'

  # Smoke-test the freshly built binary against every fixture, in a fixed order.
  # A plain string entry aborts the task on a non-zero exit (Task's default,
  # equivalent to ignore_error: false). Entries written with
  # ignore_error: true let the task continue whatever the exit status is.
  # NOTE(review): ignore_error: true tolerates success as well as failure, so
  # those entries do not assert that glint rejects the fixture. A regression
  # that makes glint accept an invalid pipeline would pass unnoticed here;
  # consider asserting the expected non-zero exit instead.
  validate:
    desc: Run glint against all testdata fixtures
    deps:
      - build
    cmds:
      # Fixtures that must pass.
      - ./{{.BINARY}} check testdata/valid.yml
      - ./{{.BINARY}} check testdata/extends.yml
      - ./{{.BINARY}} check testdata/keywords_valid.yml

      # Fixtures whose exit status is not enforced.
      - cmd: ./{{.BINARY}} check testdata/invalid.yml
        ignore_error: true
      - cmd: ./{{.BINARY}} check testdata/needs.yml
        ignore_error: true
      - cmd: ./{{.BINARY}} check testdata/needs_cycle.yml
        ignore_error: true
      - cmd: ./{{.BINARY}} check testdata/keywords_invalid.yml
        ignore_error: true

      # Include resolution (remote, project and component includes).
      # NOTE(review): the remote fixture presumably fetches a template over the
      # network, which makes this task depend on that remote content — confirm
      # whether CI should run it from a populated cache instead.
      - ./{{.BINARY}} check testdata/includes_remote.yml
      - ./{{.BINARY}} check testdata/includes_project.yml
      - ./{{.BINARY}} check testdata/includes_component.yml

      - ./{{.BINARY}} check testdata/script_multiline.yml

      # Same fixture evaluated without a ref and under several --branch / --tag
      # contexts.
      - ./{{.BINARY}} check testdata/context_rules.yml
      - ./{{.BINARY}} check --branch main testdata/context_rules.yml
      - ./{{.BINARY}} check --branch develop testdata/context_rules.yml
      - ./{{.BINARY}} check --branch feat/my-feature testdata/context_rules.yml
      - ./{{.BINARY}} check --tag v1.0.0 testdata/context_rules.yml

      - ./{{.BINARY}} check testdata/rules_if_expr.yml
      - ./{{.BINARY}} check --branch main testdata/rules_if_expr.yml
      - ./{{.BINARY}} check --branch feat/x testdata/rules_if_expr.yml

      - ./{{.BINARY}} check testdata/workflow_vars.yml
      - ./{{.BINARY}} check --branch main testdata/workflow_vars.yml
      - ./{{.BINARY}} check --branch develop testdata/workflow_vars.yml
      - ./{{.BINARY}} check --branch feat/x testdata/workflow_vars.yml

      - ./{{.BINARY}} check testdata/workflow_escape.yml
      - ./{{.BINARY}} check testdata/variable_refs.yml
      - ./{{.BINARY}} check testdata/variable_refs_included.yml
      - ./{{.BINARY}} check testdata/dead_rules.yml

      - ./{{.BINARY}} check testdata/new_rules_valid.yml
      - cmd: ./{{.BINARY}} check testdata/new_rules_invalid.yml
        ignore_error: true

      # Pipeline files kept under testdata/samba.
      - ./{{.BINARY}} check testdata/samba/.gitlab-ci.yml
      - ./{{.BINARY}} check testdata/samba/.gitlab-ci-coverage.yml
      - ./{{.BINARY}} check testdata/samba/.gitlab-ci-private.yml

      # Structured output formats selected with --format.
      - ./{{.BINARY}} check --format json testdata/valid.yml
      - ./{{.BINARY}} check --format sarif testdata/valid.yml
      - ./{{.BINARY}} check --format junit testdata/valid.yml
      - cmd: ./{{.BINARY}} check --format github testdata/invalid.yml
        ignore_error: true

  lint-go:
    desc: Run go vet on all packages
    cmds:
      - '{{.GO}} vet ./...'

  lint-static:
    desc: Run staticcheck on all packages
    cmds:
      - '{{.GO}} tool staticcheck ./...'

  # Aggregate gate: runs the listed tasks one after another, in this order.
  ci:
    desc: Full CI check — vet, staticcheck, test, build, validate
    cmds:
      - task: lint-go
      - task: lint-static
      - task: test
      - task: build
      - task: validate

  # Release build for Windows. TAG is resolved with --exact-match, so it only
  # has a value when the current commit itself carries a tag; the precondition
  # runs the same command and stops the task with `msg` otherwise.
  build-windows:
    desc: Build the glint binary for Windows x64 (requires a tagged commit)
    vars:
      TAG:
        sh: git describe --tags --exact-match
    preconditions:
      - sh: git describe --tags --exact-match
        msg: 'Current commit is not tagged — Windows build requires a git tag'
    sources:
      - '**/*.go'
      - go.mod
    generates:
      - '{{.BINARY}}-{{.TAG}}.exe'
    cmds:
      # TAG is inserted unescaped both into the -ldflags string and into the
      # output file name. NOTE(review): relies on tag names being trusted and
      # free of shell metacharacters.
      - >-
        GOOS=windows GOARCH=amd64 {{.GO}} build
        -ldflags "-X main.version={{.TAG}}"
        -o {{.BINARY}}-{{.TAG}}.exe ./cmd/glint/...

  # Release build for Linux; same tag requirement as build-windows.
  build-linux:
    desc: Build the glint binary for Linux x64 (requires a tagged commit)
    vars:
      TAG:
        sh: git describe --tags --exact-match
    preconditions:
      - sh: git describe --tags --exact-match
        msg: 'Current commit is not tagged — Linux build requires a git tag'
    sources:
      - '**/*.go'
      - go.mod
    generates:
      - '{{.BINARY}}-{{.TAG}}-linux-amd64'
    cmds:
      # TAG is inserted unescaped both into the -ldflags string and into the
      # output file name. NOTE(review): relies on tag names being trusted and
      # free of shell metacharacters.
      - >-
        GOOS=linux GOARCH=amd64 {{.GO}} build
        -ldflags "-X main.version={{.TAG}}"
        -o {{.BINARY}}-{{.TAG}}-linux-amd64 ./cmd/glint/...

  # Deletes the local binary and any release artifact matching the two
  # cross-build naming patterns; -f keeps rm quiet when nothing matches.
  clean:
    desc: Remove build artifacts
    cmds:
      - rm -f {{.BINARY}} {{.BINARY}}-*.exe {{.BINARY}}-*-linux-amd64