new GHA does basic validation for component version PR labels

Author: sarasvoss

.github/workflows/internal_on_pr_validate_component_version.yml

@@ -0,0 +1,93 @@
+name: Validate PR Version Labels
+
+on:
+  pull_request:
+    branches: [main]
+    types:
+      - opened
+      - synchronize
+      - edited
+      - labeled # important to catch version label additions
+      - unlabeled
+      - reopened
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  validate-version-labels:
+    name: Validate PR Version Labels
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Get all labels from PR
+        id: get_labels
+        run: |
+          echo "## PR Labels" >> "$GITHUB_STEP_SUMMARY"
+
+          ## Newline separated list of all labels on the PR
+          all_labels=$(jq -r '.pull_request.labels[].name' < "$GITHUB_EVENT_PATH" 2>/dev/null || true)
+
+          if [ -z "$all_labels" ]; then
+            echo "- (none)" >> "$GITHUB_STEP_SUMMARY"
+            echo "::error title=No Labels::No Labels were found on this PR. A version label is required."
+            exit 1
+          else
+            while IFS= read -r lbl; do
+            [ -z "$lbl" ] && continue
+            echo "- \`$lbl\`" >> "$GITHUB_STEP_SUMMARY"
+            done <<< "$all_labels"
+          fi
+
+          echo "$all_labels" > all_labels.txt
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      - name: Label Validation
+        id: validate
+        run: node scripts/internal-ci/validate-version-labels.js all_labels.txt
+
+      - name: Validation Summary
+        if: ${{ always() }}
+        env:
+          NO_LABELS: ${{ steps.get_labels.outcome == 'failure' }}
+          IS_VALID: ${{ steps.validate.outputs.isValid }}
+          VALIDATION_MESSAGE: ${{ steps.validate.outputs.validationMessage }}
+          INVALID_VERSION_LABELS: ${{ steps.validate.outputs.invalidVersionLabels }}
+          HAS_UNTRACKED_VERSION: ${{ steps.validate.outputs.hasUntrackedVersion }}
+          COMPONENT_VERSION_LABELS: ${{ steps.validate.outputs.componentVersionLabels }}
+        run: |
+          echo "## Validation Outcome" >> "$GITHUB_STEP_SUMMARY"
+
+          if [ "${{ env.NO_LABELS }}" === "true" ]; then
+            echo "❌ No labels found on the PR. Add at least one version label." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+          if [ "${{ env.IS_VALID }}" === "false" ]; then
+            echo "❌ Version label validation failed." >> "$GITHUB_STEP_SUMMARY"
+            if [ -n "${{ env.VALIDATION_MESSAGE }}" ]; then
+              echo "${{ env.VALIDATION_MESSAGE }}" >> "$GITHUB_STEP_SUMMARY"
+            fi
+            if [ -n "${{ env.INVALID_VERSION_LABELS }}" ]; then
+              echo "Invalid version labels: ${{ env.INVALID_VERSION_LABELS }}" >> "$GITHUB_STEP_SUMMARY"
+            fi
+          else
+            echo "✅ Version label validation passed." >> "$GITHUB_STEP_SUMMARY"
+          fi
+          echo "Untraced Version: $HAS_UNTRACKED_VERSION" >> "$GITHUB_STEP_SUMMARY"
+          if [ -n "$COMPONENT_VERSIONS" ]; then
+            echo "### Component Versions" >> "$GITHUB_STEP_SUMMARY"
+            echo "$COMPONENT_VERSION_LABELS" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Tags
+        run: |
+          echo "## Tags" >> "$GITHUB_STEP_SUMMARY"
+          echo "TODO: Output expected tag generation results here" >> "$GITHUB_STEP_SUMMARY"

.github/workflows/internal_on_push_ci.yml

@@ -0,0 +1,52 @@
+name: Internal CI
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write # needed if reporter is github-pr-check or github-check
+
+jobs:
+  internal-ci:
+    name: Internal CI
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Dependency Audit
+        run: npm audit
+
+      - name: Test
+        run: npm test
+
+      - name: Lint Check
+        run: npm run lint:check
+
+      - name: Format Check
+        run: npm run format:check
+
+  semgrep:
+    uses: ./.github/workflows/run_semgrep_scan.yml
+    secrets: inherit
+    with:
+      commit_identifier: $${{ github.sha }}
+      cancel_in_progress: true
+      semgrep_config: 'p/default'
+      fail_severity: 'error'
+      scan_mode: 'diff'
+      pr_filter_mode: 'added'
+      pr_reporter: 'github-pr-review'

.husky/pre-commit

@@ -1,10 +1 @@
-npm audit
-npm test
-
-npm run lint:fix
-npm run format:fix
-
-npm run lint:check
-npm run format:check
-
-npm run scan
+npm run ci

eslint.config.mjs

@@ -24,4 +24,12 @@ export default defineConfig([
     language: 'json/json5',
     extends: ['json/recommended'],
   },
+  {
+    files: ['**/*.test.js'],
+    languageOptions: {
+      globals: {
+        ...globals.jest,
+      },
+    },
+  },
 ]);

package.json

@@ -27,8 +27,9 @@
     "audit": "npm audit --audit-level=high --omit=dev",
     "lint:check": "eslint *.js --ext .js,.json",
     "lint:fix": "eslint *.js --ext .js,.json --fix",
-    "format:check": "prettier --check './*.js' './*.mjs' './*.json' './*.md' '.github/actions/**/*.*'",
-    "format:fix": "prettier --write './*.js' './*.mjs' './*.json' './*.md' '.github/actions/**/*.*'",
-    "scan": "semgrep --config=p/ci --config=p/security-audit --config=p/javascript ./*.js ./*.mjs ./*.json .github/actions/"
+    "format:check": "prettier --check './*.js' './*.mjs' './*.json' './*.md' 'scripts/**/*.js' '.github/actions/**/*.*'",
+    "format:fix": "prettier --write './*.js' './*.mjs' './*.json' './*.md' 'scripts/**/*.js' '.github/actions/**/*.*'",
+    "scan": "semgrep --config=p/ci --config=p/security-audit --config=p/javascript ./*.js ./*.mjs ./*.json scripts/ .github/actions/",
+    "ci": "npm run audit && npm run test && npm run lint:check && npm run format:check && npm run scan"
   }
 }

scripts/internal-ci/validate-version-labels.js

@@ -0,0 +1,135 @@
+// validate-version-labels.js
+// Script to validate version labels for CI workflows
+//
+// Usage:
+//   node validate-version-labels.js <labels-file>
+//   echo -e "version:type/foo:v1.2.3\nversion:type/bar:v2.0.0\nother" | node scripts/internal-ci/validate-version-labels.js
+//
+// Inputs:
+//   - Newline-separated list of label strings (from file or stdin)
+//
+// Outputs:
+//   - Writes to $GITHUB_OUTPUT variable:
+//       isValid: true/false
+//       validationMessage: detailed message of validation errors
+//       invalidVersionLabels: comma-separated list of invalid version labels
+//       hasUntrackedVersion: true/false if untracked version label is present
+//       componentVersionLabels: comma-separated list of valid component version labels
+//   - Exits with code 1 on validation failure, 0 on success
+
+const fs = require('fs');
+
+// Returns an array of normalized, trimmed, non-empty label strings
+function getLabelArray(rawLabels) {
+  return rawLabels
+    .split('\n')
+    .map(l => l.trim().toLowerCase())
+    .filter(Boolean);
+}
+
+const versionLabelPrefix = 'version:';
+const untrackedLabel = `${versionLabelPrefix}untracked`; // Special label for untracked versions, 'version:untracked'
+const semverPattern = 'v\\d+\\.\\d+\\.\\d+'; // Semantic versioning pattern vX.Y.Z, e.g., v1.2.3
+// Pattern for valid version label: version:component-type/component-name:vX.Y.Z where type and name correspond to the path of the component under the ./github directory
+const componentVersionRegEx = new RegExp(
+  `^${versionLabelPrefix}[a-z0-9_-]+\/[a-z0-9_-]+:${semverPattern}$`
+);
+
+function getVersionLabelArray(labels) {
+  return labels.filter(label => label.startsWith(versionLabelPrefix));
+}
+
+function getInvalidVersionLabels(versionLabels) {
+  return versionLabels.filter(
+    label => label !== untrackedLabel && !componentVersionRegEx.test(label)
+  );
+}
+
+function getComponentVersionLabels(versionLabels) {
+  return versionLabels.filter(label => componentVersionRegEx.test(label));
+}
+
+function basicValidate(invalidVersionLabels, componentVersionLabels, hasUntrackedVersion) {
+  const hasVersionLabels =
+    invalidVersionLabels.length + componentVersionLabels.length + (hasUntrackedVersion ? 1 : 0) > 0;
+  const hasInvalidVersionLabels = invalidVersionLabels.length > 0;
+  const hasConflictingVersions = hasUntrackedVersion && componentVersionLabels.length > 0;
+
+  let basicValidationMessage = '';
+  if (!hasVersionLabels) {
+    basicValidationMessage = '- No version labels found. At least one version label is required.';
+  }
+  if (hasInvalidVersionLabels) {
+    basicValidationMessage += '- Invalid version labels found.\n';
+  }
+  if (hasConflictingVersions) {
+    basicValidationMessage +=
+      '- Conflicting version labels found: both untracked and component version labels present.\n';
+  }
+
+  return {
+    isValid: hasVersionLabels && !hasInvalidVersionLabels && !hasConflictingVersions,
+    basicValidationMessage: basicValidationMessage.trim(),
+  };
+}
+
+// Main entry
+if (require.main === module) {
+  // Accept labels from stdin or as a file argument
+  let rawLabels = '';
+  if (process.argv.length > 2) {
+    rawLabels = fs.readFileSync(process.argv[2], 'utf8');
+  } else {
+    rawLabels = fs.readFileSync(0, 'utf8'); // Read from stdin
+  }
+
+  const labels = getLabelArray(rawLabels);
+  console.log('Normalized Labels:', labels);
+
+  const versionLabels = getVersionLabelArray(labels);
+
+  const invalidVersionLabels = getInvalidVersionLabels(versionLabels);
+  const componentVersionLabels = getComponentVersionLabels(versionLabels);
+  const hasUntrackedVersion = versionLabels.includes(untrackedLabel);
+
+  // Validate
+  let { isValid, basicValidationMessage } = basicValidate(
+    invalidVersionLabels,
+    componentVersionLabels,
+    hasUntrackedVersion
+  );
+
+  const validationMessage = (
+    basicValidationMessage ?? '✅ Version labels validation passed.'
+  ).replace(/\n/g, '\\n');
+
+  // write outputs for use in later steps
+  const githubOutput = process.env.GITHUB_OUTPUT;
+  if (githubOutput) {
+    fs.appendFileSync(githubOutput, `isValid=${isValid}\n`);
+    fs.appendFileSync(githubOutput, `validationMessage=${validationMessage}\n`);
+    fs.appendFileSync(githubOutput, `invalidVersionLabels=${invalidVersionLabels.join(',')}\n`);
+    fs.appendFileSync(githubOutput, `hasUntrackedVersion=${hasUntrackedVersion}\n`);
+    fs.appendFileSync(githubOutput, `componentVersionLabels=${componentVersionLabels.join(',')}\n`);
+  }
+
+  // Set exit code based on validation
+  if (!isValid) {
+    console.error('::error title=Version Label Validation::' + validationMessage);
+    process.exit(1);
+  }
+
+  console.log(validationMessage);
+  process.exit(0);
+}
+
+module.exports = {
+  getLabelArray,
+  getVersionLabelArray,
+  getInvalidVersionLabels,
+  getComponentVersionLabels,
+  basicValidate,
+  versionLabelPrefix,
+  untrackedLabel,
+  componentVersionRegEx,
+};