Validate LavaMoat config in parallel (#19589)

The LavaMoat policies and allow-scripts configuration are now validated
in parallel. They are still only validated for release candidate
branches and the `master` branch.

.circleci/config.yml

@@ -30,6 +30,12 @@ rc_branch_only: &rc_branch_only
       only:
         - /^Version-v(\d+)[.](\d+)[.](\d+)/
 
+rc_or_master_branch_only: &rc_or_master_branch_only
+  filters:
+    branches:
+      only:
+        - /^Version-v(\d+)[.](\d+)[.](\d+)|master/
+
 workflows:
   test_and_release:
     jobs:
@@ -50,11 +56,19 @@ workflows:
       - test-yarn-dedupe:
           requires:
             - prep-deps
-      - validate-lavamoat-config:
+      - validate-lavamoat-allow-scripts:
-          filters:
+          <<: *rc_or_master_branch_only
-            branches:
+          requires:
-              only:
+            - prep-deps
-                - /^Version-v(\d+)[.](\d+)[.](\d+)|master/
+      - validate-lavamoat-policy-build:
+          <<: *rc_or_master_branch_only
+          requires:
+            - prep-deps
+      - validate-lavamoat-policy-webapp:
+          <<: *rc_or_master_branch_only
+          matrix:
+            parameters:
+              build-type: [main, beta, flask, mmi, desktop]
           requires:
             - prep-deps
       - prep-build:
@@ -162,7 +176,9 @@ workflows:
             - prep-build-flask
       - all-tests-pass:
           requires:
-            - validate-lavamoat-config
+            - validate-lavamoat-allow-scripts
+            - validate-lavamoat-policy-build
+            - validate-lavamoat-policy-webapp
             - test-lint
             - test-lint-shellcheck
             - test-lint-lockfile
@@ -329,7 +345,7 @@ jobs:
             - node_modules
             - build-artifacts
 
-  validate-lavamoat-config:
+  validate-lavamoat-allow-scripts:
     executor: node-browsers-medium-plus
     steps:
       - checkout
@@ -337,12 +353,39 @@ jobs:
           at: .
       - run:
           name: Validate allow-scripts config
-          command: |
+          command: yarn allow-scripts auto
-            .circleci/scripts/validate-allow-scripts.sh
       - run:
-          name: Validate LavaMoat policy
+          name: Check working tree
-          command: |
+          command: .circleci/scripts/check-working-tree.sh
-            .circleci/scripts/validate-lavamoat-policy.sh
+
+  validate-lavamoat-policy-build:
+    executor: node-browsers-medium-plus
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: Validate LavaMoat build policy
+          command: yarn lavamoat:build:auto
+      - run:
+          name: Check working tree
+          command: .circleci/scripts/check-working-tree.sh
+
+  validate-lavamoat-policy-webapp:
+    executor: node-browsers-medium-plus
+    parameters:
+      build-type:
+        type: string
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: Validate LavaMoat << parameters.build-type >>  policy
+          command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>'
+      - run:
+          name: Check working tree
+          command: .circleci/scripts/check-working-tree.sh
 
   prep-build:
     executor: node-browsers-medium-plus

.circleci/scripts/check-working-tree.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+if ! git diff --exit-code
+then
+  echo "Working tree dirty"
+  exit 1
+fi

.circleci/scripts/validate-allow-scripts.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -u
-set -o pipefail
-
-yarn allow-scripts auto
-
-if git diff --exit-code
-then
-  echo "allow-scripts configuration is up-to-date"
-else
-  echo "allow-scripts configuration requires updates"
-  exit 1
-fi

.circleci/scripts/validate-lavamoat-policy.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -u
-set -o pipefail
-
-yarn lavamoat:auto:ci
-
-if git diff --exit-code
-then
-  echo "LavaMoat policy is up-to-date"
-else
-  echo "LavaMoat policy requires updates"
-  exit 1
-fi

package.json

@@ -85,7 +85,6 @@
     "lavamoat:webapp:auto": "node ./development/generate-lavamoat-policies.js --devMode=true",
     "lavamoat:webapp:auto:ci": "node ./development/generate-lavamoat-policies.js --parallel=false",
     "lavamoat:auto": "yarn lavamoat:build:auto && yarn lavamoat:webapp:auto",
-    "lavamoat:auto:ci": "yarn lavamoat:build:auto && yarn lavamoat:webapp:auto:ci",
     "ts-migration:dashboard:build": "ts-node development/ts-migration-dashboard/scripts/build-app.ts",
     "ts-migration:dashboard:deploy": "gh-pages --dist development/ts-migration-dashboard/build/final --remote ts-migration-dashboard",
     "ts-migration:dashboard:watch": "yarn ts-migration:dashboard:build --watch",