PyPI - bitwarden_workflow_linter - Versions diffs - 0.5.6__tar.gz → 0.7.0__tar.gz - Mend

bitwarden_workflow_linter 0.5.6tar.gz → 0.7.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (82) hide show

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/.github/workflows/enforce-labels.yml RENAMED Viewed

@@ -9,7 +9,7 @@ jobs:
     uses: bitwarden/gh-actions/.github/workflows/_enforce-labels.yml@main
   enforce-version-label:
-    if: "!(contains(github.event.pull_request.labels.*.name, 'version:major') || contains(github.event.pull_request.labels.*.name, 'version:minor') || contains(github.event.pull_request.labels.*.name, 'version:patch')) || contains(github.event.pull_request.labels.*.name, 'version:skip')"
+    if: "!(contains(github.event.pull_request.labels.*.name, 'version:major') || contains(github.event.pull_request.labels.*.name, 'version:minor') || contains(github.event.pull_request.labels.*.name, 'version:patch') || contains(github.event.pull_request.labels.*.name, 'version:skip'))"
     name: Enforce version label
     runs-on: ubuntu-22.04

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 0.5.6
+Version: 0.7.0
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues
@@ -60,12 +60,20 @@ the below and create a `settings.yaml` in the directory that `bwwl` will be runn
 ```yaml
 enabled_rules:
-    - bitwarden_workflow_linter.rules.name_exists.RuleNameExists
-    - bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
-    - bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
-    - bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
-    - bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
-    - bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
+  - id: bitwarden_workflow_linter.rules.name_exists.RuleNameExists
+    level: error
+  - id: bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
+    level: error
+  - id: bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
+    level: error
+  - id: bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
+    level: warning
+  - id: bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
+    level: warning
 approved_actions_path: default_actions.json
 ```
@@ -151,9 +159,9 @@ from ..utils import LintLevels, Settings
 class RuleJobNameExists(Rule):
-    def __init__(self, settings: Settings = None) -> None:
+    def __init__(self, settings: Settings = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
         self.message = "name must exist"
-        self.on_fail: LintLevels = LintLevels.ERROR
+        self.on_fail: LintLevels = lint_level
         self.compatibility: List[Union[Workflow, Job, Step]] = [Job]
         self.settings: Settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/README.md RENAMED Viewed

@@ -34,12 +34,20 @@ the below and create a `settings.yaml` in the directory that `bwwl` will be runn
 ```yaml
 enabled_rules:
-    - bitwarden_workflow_linter.rules.name_exists.RuleNameExists
-    - bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
-    - bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
-    - bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
-    - bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
-    - bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
+  - id: bitwarden_workflow_linter.rules.name_exists.RuleNameExists
+    level: error
+  - id: bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
+    level: error
+  - id: bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
+    level: error
+  - id: bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
+    level: warning
+  - id: bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
+    level: warning
 approved_actions_path: default_actions.json
 ```
@@ -125,9 +133,9 @@ from ..utils import LintLevels, Settings
 class RuleJobNameExists(Rule):
-    def __init__(self, settings: Settings = None) -> None:
+    def __init__(self, settings: Settings = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
         self.message = "name must exist"
-        self.on_fail: LintLevels = LintLevels.ERROR
+        self.on_fail: LintLevels = lint_level
         self.compatibility: List[Union[Workflow, Job, Step]] = [Job]
         self.settings: Settings = settings

bitwarden_workflow_linter-0.7.0/settings.yaml ADDED Viewed

@@ -0,0 +1,21 @@
+enabled_rules:
+  - id: bitwarden_workflow_linter.rules.name_exists.RuleNameExists
+    level: error
+  - id: bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
+    level: error
+  - id: bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
+    level: error
+#   - id: bitwarden_workflow_linter.rules.step_approved.RuleStepUsesApproved
+#     level: error
+  - id: bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
+    level: warning
+  - id: bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
+    level: warning
+  - id: bitwarden_workflow_linter.rules.check_pr_target.RuleCheckPrTarget
+    level: warning
+approved_actions_path: default_actions.json

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/__about__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
-__version__ = "0.5.6"
+__version__ = "0.7.0"

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/default_actions.json RENAMED Viewed

@@ -121,8 +121,8 @@
   },
   "actions/upload-artifact": {
     "name": "actions/upload-artifact",
-    "sha": "b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882",
-    "version": "v4.4.3"
+    "sha": "65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08",
+    "version": "v4.6.0"
   },
   "actions/upload-pages-artifact": {
     "name": "actions/upload-pages-artifact",
@@ -221,8 +221,8 @@
   },
   "docker/build-push-action": {
     "name": "docker/build-push-action",
-    "sha": "48aba3b46d1b1fec4febb7c5d0c644b249a11355",
-    "version": "v6.10.0"
+    "sha": "67a2d409c0a876cbe6b11854e3e25193efe4e62d",
+    "version": "v6.12.0"
   },
   "docker/login-action": {
     "name": "docker/login-action",
@@ -274,6 +274,11 @@
     "sha": "cc4fc85e6b35bafd578d5ffbc76a5518407e1af0",
     "version": "v4.2.1"
   },
+  "gradle/wrapper-validation-action": {
+    "name": "gradle/wrapper-validation-action",
+    "sha": "f9c9c575b8b21b6485636a91ffecd10e558c62f6",
+    "version": "v3.5.0"
+  },
   "hashicorp/setup-packer": {
     "name": "hashicorp/setup-packer",
     "sha": "1aa358be5cf73883762b302a3a03abd66e75b232",

bitwarden_workflow_linter-0.7.0/src/bitwarden_workflow_linter/default_settings.yaml ADDED Viewed

@@ -0,0 +1,21 @@
+enabled_rules:
+  - id: bitwarden_workflow_linter.rules.name_exists.RuleNameExists
+    level: error
+  - id: bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
+    level: error
+  - id: bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
+    level: error
+#   - id: bitwarden_workflow_linter.rules.step_approved.RuleStepUsesApproved
+#     level: error
+  - id: bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
+    level: error
+  - id: bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
+    level: warning
+  - id: bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
+    level: warning
+  - id: bitwarden_workflow_linter.rules.check_pr_target.RuleCheckPrTarget
+    level: warning
+approved_actions_path: default_actions.json

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/load.py RENAMED Viewed

@@ -11,7 +11,7 @@ from .models.job import Job
 from .models.step import Step
 from .models.workflow import Workflow
 from .rule import Rule
-from .utils import Settings
+from .utils import Settings, LintLevels
 yaml = YAML()
@@ -127,13 +127,14 @@ class Rules:
         """
         # [TODO]: data resiliency
         for rule in settings.enabled_rules:
-            module_name = rule.split(".")
+            rule_id = rule["id"]
+            module_name = rule_id.split(".")
             module_name = ".".join(module_name[:-1])
-            rule_name = rule.split(".")[-1]
+            rule_name = rule_id.split(".")[-1]
             try:
                 rule_class = getattr(importlib.import_module(module_name), rule_name)
-                rule_inst = rule_class(settings=settings)
+                rule_inst = rule_class(settings=settings, lint_level=lint_level(rule["level"]))
                 if Workflow in rule_inst.compatibility:
                     self.workflow.append(rule_inst)
@@ -157,3 +158,21 @@ class Rules:
         for rule in self.step:
             print(f" - {type(rule).__name__}")
         print("========================\n")
+def lint_level(level: str) -> LintLevels:
+    """Convert a string to a LintLevels enum.
+    Args:
+      level:
+        The string representation of the LintLevels enum
+    Returns:
+      The LintLevels enum value
+    """
+    if level == "error":
+        return LintLevels.ERROR
+    elif level == "warning":
+        return LintLevels.WARNING
+    else:
+        return LintLevels.NONE

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/models/job.py RENAMED Viewed

@@ -23,6 +23,7 @@ class Job:
     key: Optional[str] = None
     name: Optional[str] = None
     env: Optional[CommentedMap] = None
+    needs: Optional[List[str]] = None
     steps: Optional[List[Step]] = None
     uses: Optional[str] = None
     uses_path: Optional[str] = None
@@ -32,6 +33,13 @@ class Job:
     )
     outputs: Optional[CommentedMap] = None
+    @classmethod
+    def parse_needs(cls: Self, value):
+        """Parser to make all needs values lists that can be searched by linter."""
+        if isinstance(value, str):
+            return [value]
+        return value
     @classmethod
     def init(cls: Self, key: str, data: CommentedMap) -> Self:
         """Custom dataclass constructor to map job data to a Job."""
@@ -40,6 +48,7 @@ class Job:
             "name": data["name"] if "name" in data else None,
             "runs-on": data["runs-on"] if "runs-on" in data else None,
             "env": data["env"] if "env" in data else None,
+            "needs": Job.parse_needs(data["needs"]) if "needs" in data else None,
             "outputs": data["outputs"] if "outputs" in data else None,
         }

bitwarden_workflow_linter-0.7.0/src/bitwarden_workflow_linter/rules/check_pr_target.py ADDED Viewed

@@ -0,0 +1,81 @@
+"""A Rule to enforce check-run is run when workflow uses pull_request_target."""
+from typing import Optional, Tuple
+from ..models.workflow import Workflow
+from ..rule import Rule
+from ..utils import LintLevels, Settings
+class RuleCheckPrTarget(Rule):
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
+        """
+        To ensure pull_request_target is safe to use, the check-run step is added
+        to all jobs as a dependency.
+        Once a branch is pushed to Github, it already opens up a vulnerability
+        even if the check-run scan fails to detect this.
+        In order to prevent a vulnerable branch from being used for an attack
+        prior to being caught through vetting, all pull_request_target workflows
+        should only be run by users with appropriate permissions.
+        This greatly reduces the risk as community contributors can't use a fork to run a compromised workflow that uses pull_request_target.
+        """
+        self.message = "A check-run job must be included as a direct job dependency when pull_request_target is used and the workflow may only apply to runs on the main branch"
+        self.on_fail = lint_level
+        self.compatibility = [Workflow]
+        self.settings = settings
+    def targets_main_branch(self, obj:Workflow) -> bool:
+        if obj.on["pull_request_target"].get("branches"):
+            branches_list = obj.on["pull_request_target"].get("branches")
+            if isinstance(branches_list, str):
+                branches_list = [branches_list]
+            if any(branch != 'main' for branch in branches_list):
+                return False
+        else:
+            return False
+        return True
+    def has_check_run(self, obj: Workflow) -> Tuple[bool, str]:
+        for name, job in obj.jobs.items():
+            if job.uses == "bitwarden/gh-actions/.github/workflows/check-run.yml@main":
+                return True, name
+        return False, ""
+    def check_run_required(self, obj:Workflow, check_job:str) -> list:
+        missing_jobs = []
+        for job in list(obj.jobs.keys()):
+            if job is not check_job:
+                job_list = obj.jobs[job].needs
+                if job_list:
+                    if check_job not in job_list:
+                        missing_jobs.append(job)
+                else:
+                    missing_jobs.append(job)
+        return missing_jobs
+    def fn(self, obj: Workflow) -> Tuple[bool, str]:
+        Errors = []
+        if obj.on.get("pull_request_target"):
+            result, check_job = self.has_check_run(obj)
+            main_branch_only = self.targets_main_branch(obj)
+            if not main_branch_only:
+                Errors.append("Workflows using pull_request_target can only target the main branch")
+            if result:
+                missing_jobs = self.check_run_required(obj, check_job)
+                if missing_jobs:
+                    job_list = ', '.join(missing_jobs)
+                    message = f"Check-run is missing from the following jobs in the workflow: {job_list}"
+                    Errors.append(message)
+            else:
+                message = f"A check-run job must be included as a direct job dependency when pull_request_target is used"
+                Errors.append(message)
+            if Errors:
+                self.message = "\n".join(Errors)
+                return False, f"{self.message}"
+            else:
+                return True, ""
+        else:
+            return True, ""

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/job_environment_prefix.py RENAMED Viewed

@@ -22,16 +22,18 @@ class RuleJobEnvironmentPrefix(Rule):
     visible when debugging a shell Step.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
         """RuleJobEnvironmentPrefix constructor to override the Rule class.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
         self.message = "Job environment vars should start with an underscore:"
-        self.on_fail = LintLevels.ERROR
+        self.on_fail = lint_level
         self.compatibility = [Job]
         self.settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/name_capitalized.py RENAMED Viewed

@@ -16,16 +16,18 @@ class RuleNameCapitalized(Rule):
     A simple standard to help keep uniformity in naming.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
         """Constructor for RuleNameCapitalized to override the Rule class.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
         self.message = "name must capitalized"
-        self.on_fail = LintLevels.ERROR
+        self.on_fail = lint_level
         self.settings = settings
     def fn(self, obj: Union[Workflow, Job, Step]) -> Tuple[bool, str]:

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/name_exists.py RENAMED Viewed

@@ -19,16 +19,18 @@ class RuleNameExists(Rule):
     It also helps with uniformity of runs.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
         """Constructor for RuleNameCapitalized to override Rule class.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
         self.message = "name must exist"
-        self.on_fail = LintLevels.ERROR
+        self.on_fail = lint_level
         self.settings = settings
     def fn(self, obj: Union[Workflow, Job, Step]) -> Tuple[bool, str]:

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/pinned_job_runner.py RENAMED Viewed

@@ -15,16 +15,18 @@ class RuleJobRunnerVersionPinned(Rule):
     breaking the majority of our pipelines, we pin the versions.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
         """Constructor for RuleJobRunnerVersionPinned to override Rule class.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
         self.message = "Workflow runner must be pinned"
-        self.on_fail = LintLevels.ERROR
+        self.on_fail = lint_level
         self.compatibility = [Job]
         self.settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/run_actionlint.py RENAMED Viewed

@@ -71,9 +71,9 @@ please check your package installer or manually install it",
 class RunActionlint(Rule):
     """Rule to run actionlint as part of workflow linter V2."""
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
         self.message = "Actionlint must pass without errors"
-        self.on_fail = LintLevels.WARNING
+        self.on_fail = lint_level
         self.compatibility = [Workflow]
         self.settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/step_approved.py RENAMED Viewed

@@ -15,15 +15,17 @@ class RuleStepUsesApproved(Rule):
     check against.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.NONE) -> None:
         """Constructor for RuleStepUsesApproved to override Rule class.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
-        self.on_fail = LintLevels.ERROR
+        self.on_fail = lint_level
         self.compatibility = [Step]
         self.settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/step_pinned.py RENAMED Viewed

@@ -23,15 +23,17 @@ class RuleStepUsesPinned(Rule):
     updated.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
         """Constructor for RuleStepUsesPinned to override base Rule.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
-        self.on_fail = LintLevels.ERROR
+        self.on_fail = lint_level
         self.compatibility = [Step]
         self.settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/rules/underscore_outputs.py RENAMED Viewed

@@ -17,16 +17,18 @@ class RuleUnderscoreOutputs(Rule):
     A simple standard to ensure uniformity in naming.
     """
-    def __init__(self, settings: Optional[Settings] = None) -> None:
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
         """Constructor for RuleUnderscoreOutputs to override the Rule class.
         Args:
           settings:
             A Settings object that contains any default, overridden, or custom settings
             required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
         """
         self.message = "outputs with more than one word should use an underscore"
-        self.on_fail = LintLevels.WARNING
+        self.on_fail = lint_level
         self.compatibility = [Workflow, Job, Step]
         self.settings = settings

{bitwarden_workflow_linter-0.5.6 → bitwarden_workflow_linter-0.7.0}/src/bitwarden_workflow_linter/utils.py RENAMED Viewed

@@ -111,12 +111,12 @@ SettingsFromFactory = TypeVar("SettingsFromFactory", bound="Settings")
 class Settings:
     """Class that contains configuration-as-code for any portion of the app."""
-    enabled_rules: list[str]
+    enabled_rules: list[dict[str, str]]
     approved_actions: dict[str, Action]
     def __init__(
         self,
-        enabled_rules: Optional[list[str]] = None,
+        enabled_rules: Optional[list[dict[str, str]]] = None,
         approved_actions: Optional[dict[str, dict[str, str]]] = None,
     ) -> None:
         """Settings object that can be overridden in settings.py.

bitwarden_workflow_linter-0.7.0/tests/rules/test_check_pr_target.py ADDED Viewed

@@ -0,0 +1,276 @@
+"""Test src/bitwarden_workflow_linter/rules/check_pr_target."""
+import pytest
+from ruamel.yaml import YAML
+from src.bitwarden_workflow_linter.load import WorkflowBuilder
+from src.bitwarden_workflow_linter.rules.check_pr_target import (
+    RuleCheckPrTarget,
+)
+yaml = YAML()
+message = "A check-run job must be included as a direct job dependency when pull_request_target is used and the workflow may only apply to runs on the main branch"
+@pytest.fixture(name="correct_workflow")
+def fixture_correct_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+    branches:
+      - 'main'
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+  quality:
+    name: Quality scan
+    needs: check-run
+    steps:
+      - run: echo test
+  dependent-job:
+     name: Another Dependent Job
+     needs:
+       - quality
+       - check-run
+     steps:
+       - run: echo another dependent job
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="no_check_workflow")
+def fixture_no_check_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+    branches:
+      - 'main'
+jobs:
+  job-key:
+    runs-on: ubuntu-22.04
+    steps:
+      - run: echo test
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="no_needs_workflow")
+def fixture_no_needs_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+    branches: main
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+  job-key:
+    runs-on: ubuntu-22.04
+    steps:
+      - run: echo test
+  quality:
+    name: Quality scan
+    steps:
+      - run: echo test
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="no_target_workflow")
+def fixture_no_target_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+jobs:
+  job-key:
+    runs-on: ubuntu-22.04
+    steps:
+      - run: echo test
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="dependent_missing_check_workflow")
+def dependent_missing_check_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+    branches:
+      - 'main'
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+  quality:
+    name: Quality scan
+    needs: check-run
+    steps:
+      - run: echo test
+  dependent-job:
+     name: Another Dependent Job
+     needs:
+       - quality
+     steps:
+       - run: echo another dependent job
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="no_branches_workflow")
+def fixture_no_branches_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+  quality:
+    name: Quality scan
+    needs: check-run
+    steps:
+      - run: echo test
+  dependent-job:
+     name: Another Dependent Job
+     needs:
+       - quality
+       - check-run
+     steps:
+       - run: echo another dependent job
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="bad_branches_workflow")
+def fixture_bad_branches_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+    branches:
+      - 'main'
+      - 'not main'
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+  quality:
+    name: Quality scan
+    needs: check-run
+    steps:
+      - run: echo test
+  dependent-job:
+     name: Another Dependent Job
+     needs:
+       - quality
+       - check-run
+     steps:
+       - run: echo another dependent job
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="two_failures_workflow")
+def fixture_two_failures_workflow():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types: [opened, synchronize]
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/some-other-repo/.github/workflows/check-run.yml@main
+  quality:
+    name: Quality scan
+    needs: check-run
+    steps:
+      - run: echo test
+  dependent-job:
+     name: Another Dependent Job
+     needs:
+       - quality
+       - check-run
+     steps:
+       - run: echo another dependent job
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+@pytest.fixture(name="rule")
+def fixture_rule():
+    return RuleCheckPrTarget()
+def test_rule_on_correct_workflow(rule, correct_workflow):
+    result, message = rule.fn(correct_workflow)
+    assert result is True
+    assert message == ""
+def test_rule_on_no_checkworkflow(rule, no_check_workflow):
+    result, message = rule.fn(no_check_workflow)
+    assert result is False
+    assert message == message
+def test_rule_on_no_target_workflow(rule, no_target_workflow):
+    result, message = rule.fn(no_target_workflow)
+    assert result is True
+    assert message == ""
+def test_rule_on_jobs_without_needs(rule, no_needs_workflow):
+    result, message = rule.fn(no_needs_workflow)
+    assert result is False
+    assert message == message, "check-run is missing from the following jobs in the workflow: quality"
+def test_rule_on_dependencies_without_check(rule, dependent_missing_check_workflow):
+    result, message = rule.fn(dependent_missing_check_workflow)
+    assert result is False
+    assert message == message, "check-run is missing from the following jobs in the workflow: dependent-job"
+def test_rule_on_no_branches_workflow(rule, no_branches_workflow):
+    result, message = rule.fn(no_branches_workflow)
+    assert result is False
+    assert message == "Workflows using pull_request_target can only target the main branch"
+def test_rule_on_only_target_main(rule, bad_branches_workflow):
+    result, message = rule.fn(bad_branches_workflow)
+    assert result is False
+    assert message == "Workflows using pull_request_target can only target the main branch"
+def test_rule_on_two_failures(rule, two_failures_workflow):
+    result, message = rule.fn(two_failures_workflow)
+    assert result is False
+    assert message == "Workflows using pull_request_target can only target the main branch\nA check-run job must be included as a direct job dependency when pull_request_target is used"

bitwarden_workflow_linter-0.5.6/settings.yaml DELETED Viewed

@@ -1,11 +0,0 @@
-enabled_rules:
-  - bitwarden_workflow_linter.rules.name_exists.RuleNameExists
-  - bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
-  - bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
-  - bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
-#   - bitwarden_workflow_linter.rules.step_approved.RuleStepUsesApproved
-  - bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
-  - bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
-  - bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
-approved_actions_path: default_actions.json

bitwarden_workflow_linter-0.5.6/src/bitwarden_workflow_linter/default_settings.yaml DELETED Viewed

@@ -1,11 +0,0 @@
-enabled_rules:
-  - bitwarden_workflow_linter.rules.name_exists.RuleNameExists
-  - bitwarden_workflow_linter.rules.name_capitalized.RuleNameCapitalized
-  - bitwarden_workflow_linter.rules.pinned_job_runner.RuleJobRunnerVersionPinned
-  - bitwarden_workflow_linter.rules.job_environment_prefix.RuleJobEnvironmentPrefix
-#   - bitwarden_workflow_linter.rules.step_approved.RuleStepUsesApproved
-  - bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
-  - bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
-  - bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
-approved_actions_path: default_actions.json