Add a ruletype for enforcing a file being present in a repo #227
Conversation
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
| Ensures that the repository contains a specific file and its content. | ||
|
|
||
| This rule is useful for enforcing the presence of various files in the repository, such as LICENSE, README, CONTRIBUTING, | ||
| CODE_OF_CONDUCT, Dependabot configuration files and many more. It can also be used to enforce the presence of specific |
There was a problem hiding this comment.
I suspect that Dependabot is trickier, because you probably want it to be adjusted based on the languages present. The others seem fairly likely to be consistent.
rule-types/common/enforce_file.yaml
Outdated
| file: | ||
| type: string | ||
| description: | | ||
| The file to enforce in the repository. | ||
| For example, LICENSE, README, CONTRIBUTING, .github/dependabot.yml, etc. | ||
| default: LICENSE | ||
| content: | ||
| type: string | ||
| description: | | ||
| The content to enforce in the file. | ||
| For example, the content of the LICENSE file. | ||
|
|
||
| Leave "" to only check for the presence of the license file. | ||
| required: | ||
| - file | ||
| - content |
There was a problem hiding this comment.
Question: right now, it looks like you'd end up needing to specify N copies of the rule for N different files.
What would you think of having a schema like the following?
| file: | |
| type: string | |
| description: | | |
| The file to enforce in the repository. | |
| For example, LICENSE, README, CONTRIBUTING, .github/dependabot.yml, etc. | |
| default: LICENSE | |
| content: | |
| type: string | |
| description: | | |
| The content to enforce in the file. | |
| For example, the content of the LICENSE file. | |
| Leave "" to only check for the presence of the license file. | |
| required: | |
| - file | |
| - content | |
| files: | |
| type: object | |
| additionalProperties: | |
| type: string | |
| description: | | |
| A mapping from file path to expected contents in the repository | |
| Set expected contents to "" (empty string) to check for file existence without | |
| checking file contents. | |
| default: | |
| required: | |
| - files |
| type: pull_request | ||
| pull_request: | ||
| title: "Ensure {{.Profile.file }} exists with the expected content" | ||
| body: | | ||
| This is a Minder automated pull request. | ||
|
|
||
| This pull request ensures that this repository contains the file {{.Profile.file}} with the expected content set by your organization. | ||
| contents: | ||
| - path: "{{.Profile.file}}" | ||
| action: replace | ||
| content: | | ||
| {{.Profile.content}} |
There was a problem hiding this comment.
Ah! This is a (current) reason not to use the object formulation -- we don't have a way to iterate over all the keys in the Profile.files map, correct?
There was a problem hiding this comment.
Exactly 👍 Of course, we can try to do that if we want. I was also thinking if I should try and make the path field optional for the pull request remediation type, but at the same time I like explicitly scoping it so you don't accidentally push another change. My concern for not looking at these is both will be considered breaking changes so I think it'll be out of scope for this one.
Co-authored-by: Evan Anderson <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
rdimitrov
force-pushed
the
enforce_file
branch
from
aa474b3 to
c247f61
Compare
The following PR creates a ruletype that lets you ensure you have a certain file in your repository, but also allows you to specify its expected content.
Depends on mindersec/minder#5216
This ruletype also implements OSPS-DO-02