gitlab-dangerfiles 1.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f9f8e727ceb4fd8d6a8163b5c2637cb117426e30d3002ae5772b7031c83bc98a
-  data.tar.gz: 650de232d49a5cb7a022ed53e4607ddc8941ba0615e5cc73214da44d2e838967
+  metadata.gz: 2e4bc738b166a81e3e3ebd009c67eb6205bd40155f624d62ee3b8b4e2a4c3203
+  data.tar.gz: 7b0be83cf24f080a0d7d468db5656526de8a3937206624dcbba2cb59d44a5911
 SHA512:
-  metadata.gz: fe6821b98e683ead18db025365f4efe6821ca92773f8baacfec88ab12131ab1597d735a1262d2cf65928d24b9b72182a1db2d2cb3435edd6c52248eb029ecd87
-  data.tar.gz: e984610303236d5d6f964ed04c61f924560cf2e29b04c1b485434f0755dc9dd676d486b879972f02b4463da4d499fd070e2a8629bfb570cee93e88b0e4eaf531
+  metadata.gz: bae09716c429d549b9624223997b20b3f0c75470aa72ccb6293f145b294bbbf97bd04c7e4ce0aeb791898b9eb3ba23f1b0d87b2e3b77d667d9c07de6f2d63749
+  data.tar.gz: 2c2a4745c78288a38dec0e93f0193b5507b46680a7d029f34e1f8e90400e882ab17ef144d00f2085be06d91dbc4685df7d36af7af47bf029a94f38916f6c4586

data/.gitignore

@@ -9,6 +9,7 @@
 /pkg/
 /spec/reports/
 /tmp/
+/doc/
 
 # rspec failure tracking
 .rspec_status

data/.gitlab-ci.yml

@@ -11,7 +11,7 @@ workflow:
     # For tags, create a pipeline.
     - if: '$CI_COMMIT_TAG'
 
-default:
+.default:
   image: ruby:2.7
   tags:
     - gitlab-org
@@ -29,15 +29,50 @@ default:
     policy: pull
 
 test:rspec:
+  extends: .default
   stage: test
   script:
     - bundle exec rspec
 
 test:rufo:
+  extends: .default
   stage: test
   script:
     - bundle exec rufo --check .
 
 include:
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+  - template: Security/License-Scanning.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
   - project: 'gitlab-org/quality/pipeline-common'
     file: '/ci/gem-release.yml'
+
+# run security jobs on MRs
+# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
+
+brakeman-sast:
+  rules:
+    - if: '$CI_MERGE_REQUEST_IID'
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+gemnasium-dependency_scanning:
+  rules:
+    - if: '$CI_MERGE_REQUEST_IID'
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+bundler-audit-dependency_scanning:
+  rules:
+    - if: '$CI_MERGE_REQUEST_IID'
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+license_scanning:
+  rules:
+    - if: '$CI_MERGE_REQUEST_IID'
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+secret_detection:
+  rules:
+    - if: '$CI_MERGE_REQUEST_IID'
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+

data/.yardopts

@@ -0,0 +1,5 @@
+--protected
+--no-private
+-
+CODE_OF_CONDUCT.md
+LICENSE.txt

data/Gemfile

@@ -5,3 +5,4 @@ gemspec
 
 gem "rake", "~> 12.0"
 gem "guard-rspec"
+gem "yard"

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2020 Rémy Coutable
+Copyright (c) 2020-2021 GitLab
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,8 +1,6 @@
 # Gitlab::Dangerfiles
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/gitlab/dangerfiles`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+The goal of this gem is to centralize Danger plugins and rules that to be used by multiple GitLab projects.
 
 ## Installation
 
@@ -14,15 +12,68 @@ gem 'gitlab-dangerfiles'
 
 And then execute:
 
-    $ bundle install
+```sh
+$ bundle install
+```
 
 Or install it yourself as:
 
-    $ gem install gitlab-dangerfiles
+```sh
+$ gem install gitlab-dangerfiles
+```
 
 ## Usage
 
-TODO: Write usage instructions here
+### Importing plugins and rules
+
+In your project's `Dangerfile`, add the following two line to import the plugins and rules from this gem:
+
+```ruby
+# Get an instance of Gitlab::Dangerfiles
+gitlab_dangerfiles = Gitlab::Dangerfiles::Engine.new(self)
+
+# Import all plugins from the gem
+gitlab_dangerfiles.import_plugins
+
+# Import all rules from the gem
+gitlab_dangerfiles.import_dangerfiles
+
+# Or import a subset of rules from the gem
+gitlab_dangerfiles.import_dangerfiles(rules: [:changes_size])
+```
+
+### Plugins
+
+Danger plugins are located under `lib/danger/plugins`.
+
+- `Danger::Helper` available in `Dangerfile`s as `helper`
+- `Danger::Roulette` available in `Dangerfile`s as `roulette`
+
+For the full documentation about the plugins, please see https://www.rubydoc.info/gems/gitlab-dangerfiles.
+
+### Rules
+
+
+Danger rules are located under `lib/danger/rules`.
+
+#### `changes_size`
+
+##### Available configurations
+
+- `code_size_thresholds`: A hash of the form `{ high: 42, medium: 12 }` where
+  `:high` is the lines changed threshold which triggers an error, and
+  `:medium` is the lines changed threshold which triggers a warning.
+
+#### `commit_messages`
+
+##### Available configurations
+
+- `max_commits_count`: The maximum number of allowed non-squashed/non-fixup commits for a given MR.
+   A warning is triggered if the MR has more commits.
+
+## Documentation
+
+Latest documentation can be found at <https://www.rubydoc.info/gems/gitlab-dangerfiles>.
 
 ## Development
 

data/gitlab-dangerfiles.gemspec

@@ -3,8 +3,8 @@ require_relative "lib/gitlab/dangerfiles/version"
 Gem::Specification.new do |spec|
   spec.name = "gitlab-dangerfiles"
   spec.version = Gitlab::Dangerfiles::VERSION
-  spec.authors = ["Rémy Coutable"]
-  spec.email = ["remy@rymai.me"]
+  spec.authors = ["GitLab"]
+  spec.email = ["gitlab_rubygems@gitlab.com"]
 
   spec.summary = %q{This gem provides common Dangerfile and plugins for GitLab projects.}
   spec.description = %q{This gem provides common Dangerfile and plugins for GitLab projects.}
@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = "https://gitlab.com/gitlab-org/gitlab-dangerfiles"
-  spec.metadata["changelog_uri"] = "https://gitlab.com/gitlab-org/gitlab-dangerfiles"
+  spec.metadata["changelog_uri"] = "https://gitlab.com/gitlab-org/gitlab-dangerfiles/-/releases"
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.

data/lib/danger/plugins/helper.rb

@@ -0,0 +1,426 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+
+require_relative "../../gitlab/dangerfiles/changes"
+require_relative "../../gitlab/dangerfiles/config"
+require_relative "../../gitlab/dangerfiles/teammate"
+require_relative "../../gitlab/dangerfiles/title_linting"
+
+module Danger
+  # Common helper functions for our danger scripts.
+  class Helper < Danger::Plugin
+    RELEASE_TOOLS_BOT = "gitlab-release-tools-bot"
+    CATEGORY_LABELS = {
+      docs: "~documentation", # Docs are reviewed along DevOps stages, so don't need roulette for now.
+      none: "",
+      qa: "~QA",
+      test: "~test ~Quality for `spec/features/*`",
+      engineering_productivity: '~"Engineering Productivity" for CI, Danger',
+      ci_template: '~"ci::templates"',
+      product_intelligence: '~"product intelligence"',
+    }.freeze
+
+    # Allows to set specific rule's configuration by passing a block.
+    #
+    # @yield [c] Yield a Gitlab::Dangerfiles::Config object
+    #
+    # @yieldparam [Gitlab::Dangerfiles::Config] The Gitlab::Dangerfiles::Config object
+    # @yieldreturn [Gitlab::Dangerfiles::Config] The Gitlab::Dangerfiles::Config object
+    #
+    # @example
+    #   helper.config do |config|
+    #     config.code_size_thresholds = { high: 42, medium: 12 }
+    #   end
+    #
+    # @return [Gitlab::Dangerfiles::Config]
+    def config
+      (@config ||= Gitlab::Dangerfiles::Config.new).tap do |c|
+        yield c if block_given?
+      end
+    end
+
+    # @example
+    #   <a href='https://gitlab.com/artsy/eigen/blob/561827e46167077b5e53515b4b7349b8ae04610b/file.txt'>file.txt</a>
+    #
+    # @param [String,  Array<String>] paths
+    #        A list of strings to convert to gitlab anchors
+    # @param [Boolean] full_path
+    #        Shows the full path as the link's text, defaults to +true+.
+    #
+    # @see https://danger.systems/reference.html Danger reference where #html_link is described
+    # @see https://github.com/danger/danger/blob/eca19719d3e585fe1cc46bc5377f9aa955ebf609/lib/danger/danger_core/plugins/dangerfile_gitlab_plugin.rb#L216 Danger reference where #html_link is implemented
+    #
+    # @return [String] a list of HTML anchors for a file, or multiple files
+    def html_link(paths, full_path: true)
+      ci? ? gitlab_helper.html_link(paths, full_path: full_path) : paths
+    end
+
+    # @return [Boolean] whether we're in the CI context or not.
+    def ci?
+      !gitlab_helper.nil?
+    end
+
+    # @return [Array<String>] a list of filenames added in this MR.
+    def added_files
+      @added_files ||= if changes_from_api
+          changes_from_api.select { |file| file["new_file"] }.map { |file| file["new_path"] }
+        else
+          git.added_files.to_a
+        end
+    end
+
+    # @return [Array<String>] a list of filenames modifier in this MR.
+    def modified_files
+      @modified_files ||= if changes_from_api
+          changes_from_api.select { |file| !file["new_file"] && !file["deleted_file"] && !file["renamed_file"] }.map { |file| file["new_path"] }
+        else
+          git.modified_files.to_a
+        end
+    end
+
+    # @return [Array<String>] a list of filenames renamed in this MR.
+    def renamed_files
+      @renamed_files ||= if changes_from_api
+          changes_from_api.select { |file| file["renamed_file"] }.each_with_object([]) do |file, memo|
+            memo << { before: file["old_path"], after: file["new_path"] }
+          end
+        else
+          git.renamed_files.to_a
+        end
+    end
+
+    # @return [Array<String>] a list of filenames deleted in this MR.
+    def deleted_files
+      @deleted_files ||= if changes_from_api
+          changes_from_api.select { |file| file["deleted_file"] }.map { |file| file["new_path"] }
+        else
+          git.deleted_files.to_a
+        end
+    end
+
+    # @example
+    #   # Considering these changes:
+    #   # - A new_file.rb
+    #   # - D deleted_file.rb
+    #   # - M modified_file.rb
+    #   # - R renamed_file_before.rb -> renamed_file_after.rb
+    #   # it will return:
+    #
+    #   #=> ['new_file.rb', 'modified_file.rb', 'renamed_file_after.rb']
+    #
+    #
+    # @return [Array<String>] a list of all files that have been added, modified or renamed.
+    #   +modified_files+ might contain paths that already have been renamed,
+    #   so we need to remove them from the list.
+    def all_changed_files
+      Set.new
+        .merge(added_files)
+        .merge(modified_files)
+        .merge(renamed_files.map { |x| x[:after] })
+        .subtract(renamed_files.map { |x| x[:before] })
+        .to_a
+        .sort
+    end
+
+    # @param filename [String] A file name for which we want the diff.
+    #
+    # @example
+    #   # Considering changing a line in lib/gitlab/usage_data.rb, it will return:
+    #
+    #   ["--- a/lib/gitlab/usage_data.rb",
+    #    "+++ b/lib/gitlab/usage_data.rb",
+    #    "+      # Test change",
+    #    "-      # Old change"]
+    #
+    # @return [Array<String>] an array of changed lines in Git diff format.
+    def changed_lines(filename)
+      diff = diff_for_file(filename)
+      return [] unless diff
+
+      diff.split("\n").select { |line| %r{^[+-]}.match?(line) }
+    end
+
+    def release_automation?
+      gitlab_helper&.mr_author == RELEASE_TOOLS_BOT
+    end
+
+    # @param items [Array<String>] An array of items to transform into a bullet list.
+    #
+    # @example
+    #   markdown_list(%w[foo bar])
+    #   # => * foo
+    #        * bar
+    #
+    # @return [String] a bullet list for the given +items+. If there are more than 10 items, wrap the list in a +<details></details>+ block.
+    def markdown_list(items)
+      list = items.map { |item| "* `#{item}`" }.join("\n")
+
+      if items.size > 10
+        "\n<details>\n\n#{list}\n\n</details>\n"
+      else
+        list
+      end
+    end
+
+    # @param categories [{Regexp => Array<Symbol>}, {Array<Regexp> => Array<Symbol>}] A hash of the form +{ filename_regex => categories, [filename_regex, changes_regex] => categories }+.
+    #                   +filename_regex+ is the regex pattern to match file names. +changes_regex+ is the regex pattern to
+    #                   match changed lines in files that match +filename_regex+
+    #
+    # @return [{Symbol => Array<String>}] a hash of the type +{ category1: ["file1", "file2"], category2: ["file3", "file4"] }+
+    #   using filename regex (+filename_regex+) and specific change regex (+changes_regex+) from the given +categories+ hash.
+    def changes_by_category(categories)
+      all_changed_files.each_with_object(Hash.new { |h, k| h[k] = [] }) do |file, hash|
+        categories_for_file(file, categories).each { |category| hash[category] << file }
+      end
+    end
+
+    # @param categories [{Regexp => Array<Symbol>}, {Array<Regexp> => Array<Symbol>}] A hash of the form +{ filename_regex => categories, [filename_regex, changes_regex] => categories }+.
+    #                   +filename_regex+ is the regex pattern to match file names. +changes_regex+ is the regex pattern to
+    #                   match changed lines in files that match +filename_regex+
+    #
+    # @return [Gitlab::Dangerfiles::Changes] a +Gitlab::Dangerfiles::Changes+ object that represents the changes of an MR
+    #   using filename regex (+filename_regex+) and specific change regex (+changes_regex+) from the given +categories+ hash.
+    def changes(categories)
+      Gitlab::Dangerfiles::Changes.new([]).tap do |changes|
+        added_files.each do |file|
+          categories_for_file(file, categories).each { |category| changes << Gitlab::Dangerfiles::Change.new(file, :added, category) }
+        end
+
+        modified_files.each do |file|
+          categories_for_file(file, categories).each { |category| changes << Gitlab::Dangerfiles::Change.new(file, :modified, category) }
+        end
+
+        deleted_files.each do |file|
+          categories_for_file(file, categories).each { |category| changes << Gitlab::Dangerfiles::Change.new(file, :deleted, category) }
+        end
+
+        renamed_files.map { |x| x[:before] }.each do |file|
+          categories_for_file(file, categories).each { |category| changes << Gitlab::Dangerfiles::Change.new(file, :renamed_before, category) }
+        end
+
+        renamed_files.map { |x| x[:after] }.each do |file|
+          categories_for_file(file, categories).each { |category| changes << Gitlab::Dangerfiles::Change.new(file, :renamed_after, category) }
+        end
+      end
+    end
+
+    # @param filename [String] A file name.
+    # @param categories [{Regexp => Array<Symbol>}, {Array<Regexp> => Array<Symbol>}] A hash of the form +{ filename_regex => categories, [filename_regex, changes_regex] => categories }+.
+    #                   +filename_regex+ is the regex pattern to match file names. +changes_regex+ is the regex pattern to
+    #                   match changed lines in files that match +filename_regex+
+    #
+    # @return [Array<Symbol>] the categories a file is in, e.g., +[:frontend]+, +[:backend]+, or +%i[frontend engineering_productivity]+
+    #   using filename regex (+filename_regex+) and specific change regex (+changes_regex+) from the given +categories+ hash.
+    def categories_for_file(filename, categories)
+      _, categories = categories.find do |key, _|
+        filename_regex, changes_regex = Array(key)
+
+        found = filename_regex.match?(filename)
+        found &&= changed_lines(filename).any? { |changed_line| changes_regex.match?(changed_line) } if changes_regex
+
+        found
+      end
+
+      Array(categories || :unknown)
+    end
+
+    # @param category [Symbol] A category.
+    #
+    # @return [String] the GFM for a category label, making its best guess if it's not
+    #   a category we know about.
+    def label_for_category(category)
+      CATEGORY_LABELS.fetch(category, "~#{category}")
+    end
+
+    # @return [String] +""+ when not in the CI context, and the MR IID as a string otherwise.
+    def mr_iid
+      return "" unless ci?
+
+      gitlab_helper.mr_json["iid"].to_s
+    end
+
+    # @return [String] +`whoami`+ when not in the CI context, and the MR author username otherwise.
+    def mr_author
+      return `whoami`.strip unless ci?
+
+      gitlab_helper.mr_author
+    end
+
+    # @return [String] +""+ when not in the CI context, and the MR title otherwise.
+    def mr_title
+      return "" unless ci?
+
+      gitlab_helper.mr_json["title"]
+    end
+
+    # @return [String] +""+ when not in the CI context, and the MR URL otherwise.
+    def mr_web_url
+      return "" unless ci?
+
+      gitlab_helper.mr_json["web_url"]
+    end
+
+    # @return [Array<String>] +[]+ when not in the CI context, and the MR labels otherwise.
+    def mr_labels
+      return [] unless ci?
+
+      gitlab_helper.mr_labels
+    end
+
+    # @return [String] +`git rev-parse --abbrev-ref HEAD`+ when not in the CI context, and the MR source branch otherwise.
+    def mr_source_branch
+      return `git rev-parse --abbrev-ref HEAD`.strip unless ci?
+
+      gitlab_helper.mr_json["source_branch"]
+    end
+
+    # @return [String] +""+ when not in the CI context, and the MR target branch otherwise.
+    def mr_target_branch
+      return "" unless ci?
+
+      gitlab_helper.mr_json["target_branch"]
+    end
+
+    # @return [Boolean] +true+ when not in the CI context, and whether the MR is set to be squashed otherwise.
+    def squash_mr?
+      return true unless ci?
+
+      gitlab.mr_json["squash"]
+    end
+
+    # @return [Boolean] whether a MR is a Draft or not.
+    def draft_mr?
+      return false unless ci?
+
+      gitlab.mr_json["work_in_progress"]
+    end
+
+    # @return [Boolean] whether a MR is opened in the security mirror or not.
+    def security_mr?
+      mr_web_url.include?("/gitlab-org/security/")
+    end
+
+    # @return [Boolean] whether a MR title includes "cherry-pick" or not.
+    def cherry_pick_mr?
+      Gitlab::Dangerfiles::TitleLinting.has_cherry_pick_flag?(mr_title)
+    end
+
+    # @return [Boolean] whether a MR title includes "RUN ALL RSPEC" or not.
+    def run_all_rspec_mr?
+      Gitlab::Dangerfiles::TitleLinting.has_run_all_rspec_flag?(mr_title)
+    end
+
+    # @return [Boolean] whether a MR title includes "RUN AS-IF-FOSS" or not.
+    def run_as_if_foss_mr?
+      Gitlab::Dangerfiles::TitleLinting.has_run_as_if_foss_flag?(mr_title)
+    end
+
+    # @return [Boolean] whether a MR targets a stable branch or not.
+    def stable_branch?
+      /\A\d+-\d+-stable-ee/i.match?(mr_target_branch)
+    end
+
+    # Whether a MR has any database-scoped labels (i.e. +"database::*"+) set or not.
+    #
+    # @return [Boolean]
+    def has_database_scoped_labels?
+      mr_labels.any? { |label| label.start_with?("database::") }
+    end
+
+    # @return [Boolean] whether a MR has any CI-related changes (i.e. +".gitlab-ci.yml"+ or +".gitlab/ci/*"+) or not.
+    def has_ci_changes?
+      changed_files(%r{\A(\.gitlab-ci\.yml|\.gitlab/ci/)}).any?
+    end
+
+    # @param labels [Array<String>] An array of labels.
+    #
+    # @return [Boolean] whether a MR has the given +labels+ set or not.
+    def mr_has_labels?(*labels)
+      labels = labels.flatten.uniq
+
+      (labels & mr_labels) == labels
+    end
+
+    # @param labels [Array<String>] An array of labels.
+    # @param sep [String] A separator.
+    #
+    # @example
+    #   labels_list(["foo", "bar baz"], sep: "; ")
+    #    # => '~"foo"; ~"bar baz"'
+    #
+    # @return [String] the list of +labels+ ready for being used in a Markdown comment, separated by +sep+.
+    def labels_list(labels, sep: ", ")
+      labels.map { |label| %Q{~"#{label}"} }.join(sep)
+    end
+
+    # @deprecated Use {#quick_action_label} instead.
+    def prepare_labels_for_mr(labels)
+      quick_action_label(labels)
+    end
+
+    # @param labels [Array<String>] An array of labels.
+    #
+    # @example
+    #   quick_action_label(["foo", "bar baz"])
+    #    # => '/label ~"foo" ~"bar baz"'
+    #
+    # @return [String] a quick action to set the +given+ labels. Returns +""+ if +labels+ is empty.
+    def quick_action_label(labels)
+      return "" unless labels.any?
+
+      "/label #{labels_list(labels, sep: " ")}"
+    end
+
+    # @param regex [Regexp] A Regexp to match against.
+    #
+    # @return [Array<String>] changed files matching the given +regex+.
+    def changed_files(regex)
+      all_changed_files.grep(regex)
+    end
+
+    # @return [Array<String>] the group labels (i.e. +"group::*"+) set on the MR.
+    def group_label
+      mr_labels.find { |label| label.start_with?("group::") }
+    end
+
+    private
+
+    # @return [Danger::RequestSources::GitLab, nil] the +gitlab+ helper, or +nil+ when it's not available.
+    def gitlab_helper
+      # Unfortunately the following does not work:
+      # - respond_to?(:gitlab)
+      # - respond_to?(:gitlab, true)
+      gitlab
+    rescue NoMethodError
+      nil
+    end
+
+    # @param filename [String] A filename for which we want the diff.
+    #
+    # @return [String] the raw diff as a string for the given +filename+.
+    def diff_for_file(filename)
+      if changes_from_api
+        changes_hash = changes_from_api.find { |file| file["new_path"] == filename }
+        changes_hash["diff"] if changes_hash
+      else
+        git.diff_for_file(filename)&.patch
+      end
+    end
+
+    # Fetches MR changes from the API instead of Git (default).
+    #
+    # @return [Array<Hash>, nil]
+    def changes_from_api
+      return nil unless ci?
+      return nil if defined?(@force_changes_from_git)
+
+      @changes_from_api ||= gitlab_helper.mr_changes.to_h["changes"]
+    rescue
+      # Fallback to the Git strategy in any case
+      @force_changes_from_git = true
+      nil
+    end
+  end
+end