@intentius/chant-lexicon-gitlab 0.0.16 → 0.0.22

package/src/lint/post-synth/wgl023.ts

@@ -0,0 +1,51 @@
+/**
+ * WGL023: Overly Broad Rules
+ *
+ * Flags jobs with a single rule that has only `when: always` and no
+ * conditions (no `if:`, `changes:`, etc.). This effectively disables
+ * all pipeline filtering for the job, which is usually unintended.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl023: PostSynthCheck = {
+  id: "WGL023",
+  description: "Overly broad rules — job with only when: always rule (no conditions)",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.rules || !Array.isArray(props.rules)) continue;
+
+      const rules = props.rules as Array<Record<string, unknown>>;
+      if (rules.length !== 1) continue;
+
+      const rule = rules[0];
+      const ruleProps = (rule.props as Record<string, unknown> | undefined) ?? rule;
+
+      const when = ruleProps.when;
+      const hasIf = !!ruleProps.if;
+      const hasChanges = !!ruleProps.changes;
+      const hasExists = !!ruleProps.exists;
+
+      if (when === "always" && !hasIf && !hasChanges && !hasExists) {
+        diagnostics.push({
+          checkId: "WGL023",
+          severity: "info",
+          message: `Job "${entityName}" has a single rule with only "when: always" — this disables all pipeline filtering. Consider adding conditions or removing rules entirely.`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgl024.test.ts

@@ -0,0 +1,77 @@
+import { describe, test, expect } from "bun:test";
+import { DECLARABLE_MARKER, type Declarable } from "@intentius/chant/declarable";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { wgl024 } from "./wgl024";
+
+class MockJob implements Declarable {
+  readonly [DECLARABLE_MARKER] = true as const;
+  readonly lexicon = "gitlab";
+  readonly entityType = "GitLab::CI::Job";
+  readonly kind = "resource" as const;
+  readonly props: Record<string, unknown>;
+
+  constructor(props: Record<string, unknown> = {}) {
+    this.props = props;
+  }
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WGL024: Manual Without allow_failure", () => {
+  test("check metadata", () => {
+    expect(wgl024.id).toBe("WGL024");
+    expect(wgl024.description).toContain("Manual");
+  });
+
+  test("flags manual job without allow_failure", () => {
+    const entities = new Map<string, Declarable>([
+      ["manualDeploy", new MockJob({ script: ["deploy.sh"], when: "manual" })],
+    ]);
+    const diags = wgl024.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("manualDeploy");
+    expect(diags[0].message).toContain("block");
+  });
+
+  test("does not flag manual job with allow_failure: true", () => {
+    const entities = new Map<string, Declarable>([
+      ["manualDeploy", new MockJob({ script: ["deploy.sh"], when: "manual", allow_failure: true })],
+    ]);
+    const diags = wgl024.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag non-manual job", () => {
+    const entities = new Map<string, Declarable>([
+      ["autoJob", new MockJob({ script: ["test"] })],
+    ]);
+    const diags = wgl024.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags manual job with allow_failure: false", () => {
+    const entities = new Map<string, Declarable>([
+      ["manualJob", new MockJob({ script: ["test"], when: "manual", allow_failure: false })],
+    ]);
+    const diags = wgl024.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostics on empty entities", () => {
+    const diags = wgl024.check(makeCtx(new Map()));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl024.ts

@@ -0,0 +1,46 @@
+/**
+ * WGL024: Manual Without allow_failure
+ *
+ * Warns about jobs with `when: manual` that don't set `allow_failure: true`.
+ * Without it, the manual job blocks the pipeline from progressing past
+ * its stage until someone manually triggers it.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl024: PostSynthCheck = {
+  id: "WGL024",
+  description: "Manual without allow_failure — manual jobs block pipeline without allow_failure: true",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props) continue;
+
+      // Check top-level when: manual
+      const isManual = props.when === "manual";
+      if (!isManual) continue;
+
+      // Check allow_failure
+      const allowFailure = props.allow_failure ?? props.allowFailure;
+      if (allowFailure !== true) {
+        diagnostics.push({
+          checkId: "WGL024",
+          severity: "warning",
+          message: `Job "${entityName}" has when: manual but no allow_failure: true — this will block the pipeline`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgl025.test.ts

@@ -0,0 +1,85 @@
+import { describe, test, expect } from "bun:test";
+import { DECLARABLE_MARKER, type Declarable } from "@intentius/chant/declarable";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { wgl025 } from "./wgl025";
+
+class MockJob implements Declarable {
+  readonly [DECLARABLE_MARKER] = true as const;
+  readonly lexicon = "gitlab";
+  readonly entityType = "GitLab::CI::Job";
+  readonly kind = "resource" as const;
+  readonly props: Record<string, unknown>;
+
+  constructor(props: Record<string, unknown> = {}) {
+    this.props = props;
+  }
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WGL025: Missing Cache Key", () => {
+  test("check metadata", () => {
+    expect(wgl025.id).toBe("WGL025");
+    expect(wgl025.description).toContain("cache");
+  });
+
+  test("flags cache without key", () => {
+    const entities = new Map<string, Declarable>([
+      ["buildJob", new MockJob({
+        script: ["npm build"],
+        cache: { paths: ["node_modules/"] },
+      })],
+    ]);
+    const diags = wgl025.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("buildJob");
+  });
+
+  test("does not flag cache with key", () => {
+    const entities = new Map<string, Declarable>([
+      ["buildJob", new MockJob({
+        script: ["npm build"],
+        cache: { key: "$CI_COMMIT_REF_SLUG", paths: ["node_modules/"] },
+      })],
+    ]);
+    const diags = wgl025.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag job without cache", () => {
+    const entities = new Map<string, Declarable>([
+      ["testJob", new MockJob({ script: ["npm test"] })],
+    ]);
+    const diags = wgl025.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("handles cache as declarable with props", () => {
+    const entities = new Map<string, Declarable>([
+      ["buildJob", new MockJob({
+        script: ["npm build"],
+        cache: { props: { key: "my-cache", paths: ["node_modules/"] } },
+      })],
+    ]);
+    const diags = wgl025.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty entities", () => {
+    const diags = wgl025.check(makeCtx(new Map()));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl025.ts

@@ -0,0 +1,49 @@
+/**
+ * WGL025: Missing Cache Key
+ *
+ * Warns about `cache:` without `key:`. Without an explicit key, GitLab
+ * uses `default` as the key, which causes cache collisions between
+ * unrelated jobs sharing the same runner.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl025: PostSynthCheck = {
+  id: "WGL025",
+  description: "Missing cache key — cache without key causes collisions",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.cache) continue;
+
+      // Cache can be a single object or an array
+      const caches = Array.isArray(props.cache) ? props.cache : [props.cache];
+
+      for (const cache of caches) {
+        const cacheObj = cache as Record<string, unknown>;
+        const cacheProps = (cacheObj.props as Record<string, unknown> | undefined) ?? cacheObj;
+
+        if (!cacheProps.key) {
+          diagnostics.push({
+            checkId: "WGL025",
+            severity: "warning",
+            message: `Job "${entityName}" has cache without a key — this causes cache collisions between jobs`,
+            entity: entityName,
+            lexicon: "gitlab",
+          });
+          break; // One diagnostic per job is enough
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgl026.test.ts

@@ -0,0 +1,87 @@
+import { describe, test, expect } from "bun:test";
+import { DECLARABLE_MARKER, type Declarable } from "@intentius/chant/declarable";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { wgl026 } from "./wgl026";
+
+class MockJob implements Declarable {
+  readonly [DECLARABLE_MARKER] = true as const;
+  readonly lexicon = "gitlab";
+  readonly entityType = "GitLab::CI::Job";
+  readonly kind = "resource" as const;
+  readonly props: Record<string, unknown>;
+
+  constructor(props: Record<string, unknown> = {}) {
+    this.props = props;
+  }
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WGL026: Privileged Services Without TLS", () => {
+  test("check metadata", () => {
+    expect(wgl026.id).toBe("WGL026");
+    expect(wgl026.description).toContain("TLS");
+  });
+
+  test("flags DinD service without TLS cert dir", () => {
+    const entities = new Map<string, Declarable>([
+      ["buildImage", new MockJob({
+        script: ["docker build ."],
+        services: [{ name: "docker:dind" }],
+      })],
+    ]);
+    const diags = wgl026.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("buildImage");
+    expect(diags[0].message).toContain("TLS");
+  });
+
+  test("does not flag DinD service with TLS cert dir in job variables", () => {
+    const entities = new Map<string, Declarable>([
+      ["buildImage", new MockJob({
+        script: ["docker build ."],
+        services: [{ name: "docker:dind" }],
+        variables: { DOCKER_TLS_CERTDIR: "/certs" },
+      })],
+    ]);
+    const diags = wgl026.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag non-DinD service", () => {
+    const entities = new Map<string, Declarable>([
+      ["testJob", new MockJob({
+        script: ["npm test"],
+        services: [{ name: "postgres:15" }],
+      })],
+    ]);
+    const diags = wgl026.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag job without services", () => {
+    const entities = new Map<string, Declarable>([
+      ["simpleJob", new MockJob({ script: ["test"] })],
+    ]);
+    const diags = wgl026.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty entities", () => {
+    const diags = wgl026.check(makeCtx(new Map()));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl026.ts

@@ -0,0 +1,67 @@
+/**
+ * WGL026: Privileged Services Without TLS
+ *
+ * Warns about Docker-in-Docker (DinD) services that don't set
+ * DOCKER_TLS_CERTDIR. Running DinD without TLS exposes the Docker
+ * daemon on an unencrypted socket.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+const DIND_IMAGES = ["docker:dind", "docker:stable-dind"];
+
+function isDindImage(image: string): boolean {
+  return DIND_IMAGES.some((dind) => image.includes(dind));
+}
+
+export const wgl026: PostSynthCheck = {
+  id: "WGL026",
+  description: "Privileged services without TLS — DinD services without DOCKER_TLS_CERTDIR",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.services || !Array.isArray(props.services)) continue;
+
+      for (const service of props.services) {
+        let imageName: string | undefined;
+        let serviceVars: Record<string, unknown> | undefined;
+
+        if (typeof service === "string") {
+          imageName = service;
+        } else if (typeof service === "object" && service !== null) {
+          const svc = service as Record<string, unknown>;
+          const svcProps = (svc.props as Record<string, unknown> | undefined) ?? svc;
+          imageName = svcProps.name as string | undefined;
+          serviceVars = svcProps.variables as Record<string, unknown> | undefined;
+        }
+
+        if (!imageName || !isDindImage(imageName)) continue;
+
+        // Check if DOCKER_TLS_CERTDIR is set in service variables or job variables
+        const jobVars = props.variables as Record<string, unknown> | undefined;
+        const hasTLS = serviceVars?.DOCKER_TLS_CERTDIR !== undefined ||
+          jobVars?.DOCKER_TLS_CERTDIR !== undefined;
+
+        if (!hasTLS) {
+          diagnostics.push({
+            checkId: "WGL026",
+            severity: "warning",
+            message: `Job "${entityName}" uses DinD service without DOCKER_TLS_CERTDIR — the Docker daemon will be unencrypted`,
+            entity: entityName,
+            lexicon: "gitlab",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgl027.test.ts

@@ -0,0 +1,84 @@
+import { describe, test, expect } from "bun:test";
+import { DECLARABLE_MARKER, type Declarable } from "@intentius/chant/declarable";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { wgl027 } from "./wgl027";
+
+class MockJob implements Declarable {
+  readonly [DECLARABLE_MARKER] = true as const;
+  readonly lexicon = "gitlab";
+  readonly entityType = "GitLab::CI::Job";
+  readonly kind = "resource" as const;
+  readonly props: Record<string, unknown>;
+
+  constructor(props: Record<string, unknown> = {}) {
+    this.props = props;
+  }
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WGL027: Empty Script", () => {
+  test("check metadata", () => {
+    expect(wgl027.id).toBe("WGL027");
+    expect(wgl027.description).toContain("Empty script");
+  });
+
+  test("flags empty script array", () => {
+    const entities = new Map<string, Declarable>([
+      ["emptyJob", new MockJob({ script: [] })],
+    ]);
+    const diags = wgl027.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("emptyJob");
+  });
+
+  test("flags script with only empty strings", () => {
+    const entities = new Map<string, Declarable>([
+      ["blankJob", new MockJob({ script: ["", "  "] })],
+    ]);
+    const diags = wgl027.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+  });
+
+  test("flags empty string script", () => {
+    const entities = new Map<string, Declarable>([
+      ["strJob", new MockJob({ script: "" })],
+    ]);
+    const diags = wgl027.check(makeCtx(entities));
+    expect(diags).toHaveLength(1);
+  });
+
+  test("does not flag valid script", () => {
+    const entities = new Map<string, Declarable>([
+      ["validJob", new MockJob({ script: ["npm test"] })],
+    ]);
+    const diags = wgl027.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag job without script", () => {
+    const entities = new Map<string, Declarable>([
+      ["triggerJob", new MockJob({ trigger: "other-project" })],
+    ]);
+    const diags = wgl027.check(makeCtx(entities));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty entities", () => {
+    const diags = wgl027.check(makeCtx(new Map()));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl027.ts

@@ -0,0 +1,54 @@
+/**
+ * WGL027: Empty Script
+ *
+ * Detects jobs with `script: []` or scripts containing only empty strings.
+ * GitLab rejects jobs with empty scripts at pipeline validation time.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl027: PostSynthCheck = {
+  id: "WGL027",
+  description: "Empty script — jobs with empty or blank script entries",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props) continue;
+
+      const script = props.script;
+      if (script === undefined || script === null) continue;
+
+      let isEmpty = false;
+
+      if (Array.isArray(script)) {
+        if (script.length === 0) {
+          isEmpty = true;
+        } else if (script.every((s) => typeof s === "string" && s.trim() === "")) {
+          isEmpty = true;
+        }
+      } else if (typeof script === "string" && script.trim() === "") {
+        isEmpty = true;
+      }
+
+      if (isEmpty) {
+        diagnostics.push({
+          checkId: "WGL027",
+          severity: "error",
+          message: `Job "${entityName}" has an empty script — GitLab will reject this pipeline`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};