From 492038a31224b4031b82e5d1ba7d826e5a4821b3 Mon Sep 17 00:00:00 2001 From: Mark Stacey Date: Thu, 22 Jun 2023 18:40:32 -0230 Subject: [PATCH] Validate LavaMoat config in parallel (#19589) The LavaMoat policies and allow-scripts configuration are now validated in parallel. They are still only validated for release candidate branches and the `master` branch. --- .circleci/config.yml | 67 +++++++++++++++---- .circleci/scripts/check-working-tree.sh | 11 +++ .circleci/scripts/validate-allow-scripts.sh | 15 ----- .circleci/scripts/validate-lavamoat-policy.sh | 15 ----- package.json | 1 - 5 files changed, 66 insertions(+), 43 deletions(-) create mode 100755 .circleci/scripts/check-working-tree.sh delete mode 100755 .circleci/scripts/validate-allow-scripts.sh delete mode 100755 .circleci/scripts/validate-lavamoat-policy.sh diff --git a/.circleci/config.yml b/.circleci/config.yml index 823da67ad..e26983022 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -30,6 +30,12 @@ rc_branch_only: &rc_branch_only only: - /^Version-v(\d+)[.](\d+)[.](\d+)/ +rc_or_master_branch_only: &rc_or_master_branch_only + filters: + branches: + only: + - /^Version-v(\d+)[.](\d+)[.](\d+)|master/ + workflows: test_and_release: jobs: @@ -50,11 +56,19 @@ workflows: - test-yarn-dedupe: requires: - prep-deps - - validate-lavamoat-config: - filters: - branches: - only: - - /^Version-v(\d+)[.](\d+)[.](\d+)|master/ + - validate-lavamoat-allow-scripts: + <<: *rc_or_master_branch_only + requires: + - prep-deps + - validate-lavamoat-policy-build: + <<: *rc_or_master_branch_only + requires: + - prep-deps + - validate-lavamoat-policy-webapp: + <<: *rc_or_master_branch_only + matrix: + parameters: + build-type: [main, beta, flask, mmi, desktop] requires: - prep-deps - prep-build: 
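Review bot: In the added `rc_or_master_branch_only` anchor, the `|master` alternative sits outside the `^` anchor, so the pattern reads as "starts with Version-vX.Y.Z, or contains master". It only means "the master branch" if the CI matches filters against the whole branch name. This filter now decides where all three LavaMoat and allow-scripts validation jobs run, so the intent is worth making explicit: group the alternatives, `- /^(Version-v(\d+)[.](\d+)[.](\d+)|master)/`, or list `- master` as its own entry under `only:`. The same pattern was inline on the removed `validate-lavamoat-config` entry, so this ambiguity is carried over rather than new.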
@@ -162,7 +176,9 @@ workflows: - prep-build-flask - all-tests-pass: requires: - - validate-lavamoat-config + - validate-lavamoat-allow-scripts + - validate-lavamoat-policy-build + - validate-lavamoat-policy-webapp - test-lint - test-lint-shellcheck - test-lint-lockfile @@ -329,7 +345,7 @@ jobs: - node_modules - build-artifacts - validate-lavamoat-config: + validate-lavamoat-allow-scripts: executor: node-browsers-medium-plus steps: - checkout @@ -337,12 +353,39 @@ jobs: at: . - run: name: Validate allow-scripts config - command: | - .circleci/scripts/validate-allow-scripts.sh + command: yarn allow-scripts auto - run: - name: Validate LavaMoat policy - command: | - .circleci/scripts/validate-lavamoat-policy.sh + name: Check working tree + command: .circleci/scripts/check-working-tree.sh + + validate-lavamoat-policy-build: + executor: node-browsers-medium-plus + steps: + - checkout + - attach_workspace: + at: . + - run: + name: Validate LavaMoat build policy + command: yarn lavamoat:build:auto + - run: + name: Check working tree + command: .circleci/scripts/check-working-tree.sh + + validate-lavamoat-policy-webapp: + executor: node-browsers-medium-plus + parameters: + build-type: + type: string + steps: + - checkout + - attach_workspace: + at: . + - run: + name: Validate LavaMoat << parameters.build-type >> policy + command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>' + - run: + name: Check working tree + command: .circleci/scripts/check-working-tree.sh prep-build: executor: node-browsers-medium-plus diff --git a/.circleci/scripts/check-working-tree.sh b/.circleci/scripts/check-working-tree.sh new file mode 100755 index 000000000..5de67431a --- /dev/null +++ b/.circleci/scripts/check-working-tree.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +set -e +set -u +set -o pipefail + +if ! git diff --exit-code +then + echo "Working tree dirty" + exit 1 +fi 
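Review bot: In the new `validate-lavamoat-policy-webapp` job, `build-type` is declared `type: string` yet is interpolated into both the step name and the shell command, so the job accepts any value. Only the matrix list in the workflow hunk constrains it. Declaring it as `type: enum` with `enum: [main, beta, flask, mmi, desktop]` would make config validation reject an unexpected value before it reaches the command line. A short comment next to the list would also help, for example `# A build type missing from this list gets no LavaMoat policy validation`.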
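Review bot: `git diff --exit-code` in the new `check-working-tree.sh` compares tracked files against the index only, so a file that the preceding generation step creates rather than modifies is untracked and the check passes. Whether the allow-scripts or policy generators can create new files is not visible in this patch, but if they can, the validation job stays green with an uncommitted policy file. Testing `git status --porcelain` covers both cases while still honouring `.gitignore`: `if [[ -n "$(git status --porcelain)" ]]`. Keep a plain `git diff` call before the `echo` so the job log still shows what changed.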
diff --git a/.circleci/scripts/validate-allow-scripts.sh b/.circleci/scripts/validate-allow-scripts.sh
deleted file mode 100755
index de45520ad..000000000
--- a/.circleci/scripts/validate-allow-scripts.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -u
-set -o pipefail
-
-yarn allow-scripts auto
-
-if git diff --exit-code
-then
- echo "allow-scripts configuration is up-to-date"
-else
- echo "allow-scripts configuration requires updates"
- exit 1
-fi
diff --git a/.circleci/scripts/validate-lavamoat-policy.sh b/.circleci/scripts/validate-lavamoat-policy.sh
deleted file mode 100755
index 177fabe0b..000000000
--- a/.circleci/scripts/validate-lavamoat-policy.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -u
-set -o pipefail
-
-yarn lavamoat:auto:ci
-
-if git diff --exit-code
-then
- echo "LavaMoat policy is up-to-date"
-else
- echo "LavaMoat policy requires updates"
- exit 1
-fi
diff --git a/package.json b/package.json
index f470e45d7..fae1202fe 100644
--- a/package.json
+++ b/package.json
@@ -85,7 +85,6 @@
 "lavamoat:webapp:auto": "node ./development/generate-lavamoat-policies.js --devMode=true",
 "lavamoat:webapp:auto:ci": "node ./development/generate-lavamoat-policies.js --parallel=false",
 "lavamoat:auto": "yarn lavamoat:build:auto && yarn lavamoat:webapp:auto",
- "lavamoat:auto:ci": "yarn lavamoat:build:auto && yarn lavamoat:webapp:auto:ci",
 "ts-migration:dashboard:build": "ts-node development/ts-migration-dashboard/scripts/build-app.ts",
 "ts-migration:dashboard:deploy": "gh-pages --dist development/ts-migration-dashboard/build/final --remote ts-migration-dashboard",
 "ts-migration:dashboard:watch": "yarn ts-migration:dashboard:build --watch",