|
| 1 | +#!/usr/bin/env bash |
| 2 | +set -euo pipefail |
| 3 | + |
| 4 | +DRY_RUN=false |
| 5 | +VIOLATIONS=0 |
| 6 | + |
| 7 | +usage() { |
| 8 | + cat <<EOF |
| 9 | +Usage: $(basename "$0") [--dry-run] [--help] |
| 10 | +
|
| 11 | +Scans git diffs for temporary debug/test configuration values that should not be merged to master. |
| 12 | +
|
| 13 | +Options: |
| 14 | + --dry-run Scan the current working tree diff (git diff HEAD) and report findings without failing |
| 15 | + --help Print this usage message |
| 16 | +
|
| 17 | +Without flags, scans staged changes (git diff --cached) and exits 1 if any patterns found. |
| 18 | +
|
| 19 | +Output format: WARNING: <file>:<line>: <description of debug flag> |
| 20 | +EOF |
| 21 | +} |
| 22 | + |
| 23 | +for arg in "$@"; do |
| 24 | + case "$arg" in |
| 25 | + --dry-run) DRY_RUN=true ;; |
| 26 | + --help) usage; exit 0 ;; |
| 27 | + *) echo "Unknown argument: $arg" >&2; usage >&2; exit 1 ;; |
| 28 | + esac |
| 29 | +done |
| 30 | + |
| 31 | +if $DRY_RUN; then |
| 32 | + DIFF=$(git diff HEAD) |
| 33 | +else |
| 34 | + DIFF=$(git diff --cached) |
| 35 | +fi |
| 36 | + |
| 37 | +if [[ -z "$DIFF" ]]; then |
| 38 | + exit 0 |
| 39 | +fi |
| 40 | + |
| 41 | +# Parse unified diff, tracking current file and line numbers |
| 42 | +current_file="" |
| 43 | +current_line=0 |
| 44 | + |
| 45 | +warn() { |
| 46 | + local file="$1" |
| 47 | + local line="$2" |
| 48 | + local msg="$3" |
| 49 | + echo "WARNING: $file:$line: $msg" |
| 50 | + VIOLATIONS=$((VIOLATIONS + 1)) |
| 51 | +} |
| 52 | + |
| 53 | +# Process diff line by line |
| 54 | +while IFS= read -r line; do |
| 55 | + # Track current file from diff header |
| 56 | + if [[ "$line" =~ ^\+\+\+\ b/(.+)$ ]]; then |
| 57 | + current_file="${BASH_REMATCH[1]}" |
| 58 | + current_line=0 |
| 59 | + continue |
| 60 | + fi |
| 61 | + |
| 62 | + # Track line numbers from hunk headers |
| 63 | + if [[ "$line" =~ ^@@\ -[0-9]+(,[0-9]+)?\ \+([0-9]+)(,[0-9]+)?\ @@.* ]]; then |
| 64 | + current_line="${BASH_REMATCH[2]}" |
| 65 | + # Subtract 1 because we'll increment before checking added lines |
| 66 | + current_line=$((current_line - 1)) |
| 67 | + continue |
| 68 | + fi |
| 69 | + |
| 70 | + # Skip removed lines and diff metadata |
| 71 | + if [[ "$line" =~ ^- ]] || [[ "$line" =~ ^(diff|index|---) ]]; then |
| 72 | + continue |
| 73 | + fi |
| 74 | + |
| 75 | + # Count context and added lines |
| 76 | + if [[ "$line" =~ ^(\+| ) ]]; then |
| 77 | + current_line=$((current_line + 1)) |
| 78 | + fi |
| 79 | + |
| 80 | + # Only check added lines (starting with +) |
| 81 | + if [[ ! "$line" =~ ^\+ ]]; then |
| 82 | + continue |
| 83 | + fi |
| 84 | + |
| 85 | + content="${line:1}" # Strip leading + |
| 86 | + |
| 87 | + [[ -z "$current_file" ]] && continue |
| 88 | + |
| 89 | + # Pattern 1: .gitlab-ci.yml and .gitlab/**/*.yml |
| 90 | + if [[ "$current_file" == ".gitlab-ci.yml" || "$current_file" == .gitlab/*.yml || "$current_file" == .gitlab/**/*.yml ]]; then |
| 91 | + # NON_DEFAULT_JVMS set to true |
| 92 | + if echo "$content" | grep -qE 'NON_DEFAULT_JVMS\s*:\s*"?true"?'; then |
| 93 | + warn "$current_file" "$current_line" "NON_DEFAULT_JVMS set to true (debug/temporary CI flag)" |
| 94 | + fi |
| 95 | + # Hardcoded branch names in if: or only: conditions (not master, main, release/*) |
| 96 | + if echo "$content" | grep -qE '^\s*(if|only)\s*:' ; then |
| 97 | + if echo "$content" | grep -qE '(if|only)\s*:.*\$CI_COMMIT_BRANCH\s*==\s*"[^"]*"' || \ |
| 98 | + echo "$content" | grep -qE "(if|only)\s*:.*refs/heads/[^\s]*"; then |
| 99 | + # Check it's not master/main/release |
| 100 | + if ! echo "$content" | grep -qE '(master|main|release/)'; then |
| 101 | + warn "$current_file" "$current_line" "Hardcoded branch name in CI condition (not master/main/release/*)" |
| 102 | + fi |
| 103 | + fi |
| 104 | + fi |
| 105 | + # Also check for hardcoded branch refs in only/if without $CI_COMMIT_BRANCH syntax |
| 106 | + if echo "$content" | grep -qE '^\s*-\s*[a-zA-Z0-9_/.-]+$'; then |
| 107 | + branch_val=$(echo "$content" | grep -oE '[a-zA-Z0-9_/.-]+$') |
| 108 | + if [[ -n "$branch_val" ]] && ! echo "$branch_val" | grep -qE '^(master|main|release/.*)$'; then |
| 109 | + # This is too broad, skip |
| 110 | + : |
| 111 | + fi |
| 112 | + fi |
| 113 | + fi |
| 114 | + |
| 115 | + # Pattern 2: .github/workflows/*.yaml |
| 116 | + if [[ "$current_file" == .github/workflows/*.yaml || "$current_file" == .github/workflows/*.yml ]]; then |
| 117 | + if echo "$content" | grep -qE '^\s*if\s*:'; then |
| 118 | + # Check for hardcoded branch names that are not master/main/release |
| 119 | + if echo "$content" | grep -qE "github\.ref\s*==\s*'refs/heads/[^']*'|github\.ref_name\s*==\s*'[^']*'"; then |
| 120 | + if ! echo "$content" | grep -qE "(master|main|release/)"; then |
| 121 | + warn "$current_file" "$current_line" "Hardcoded branch name in GitHub Actions if condition (not master/main/release/*)" |
| 122 | + fi |
| 123 | + fi |
| 124 | + fi |
| 125 | + fi |
| 126 | + |
| 127 | + # Pattern 3: **/*.groovy and **/*.java test files |
| 128 | + if [[ "$current_file" == *.groovy || "$current_file" == *.java ]]; then |
| 129 | + if echo "$content" | grep -qF -- '-Ddd.trace.debug=true'; then |
| 130 | + warn "$current_file" "$current_line" "-Ddd.trace.debug=true found in test configuration (debug flag)" |
| 131 | + fi |
| 132 | + fi |
| 133 | + |
| 134 | + # Pattern 4: **/*.gradle and **/*.gradle.kts |
| 135 | + if [[ "$current_file" == *.gradle || "$current_file" == *.gradle.kts ]]; then |
| 136 | + # Commented-out apply plugin: or id( lines |
| 137 | + if echo "$content" | grep -qE '^\s*//\s*(apply plugin:|id\()'; then |
| 138 | + warn "$current_file" "$current_line" "Commented-out plugin declaration (suggests temporary disable)" |
| 139 | + fi |
| 140 | + fi |
| 141 | + |
| 142 | +done <<< "$DIFF" |
| 143 | + |
| 144 | +if [[ $VIOLATIONS -gt 0 ]]; then |
| 145 | + echo "" |
| 146 | + echo "Found $VIOLATIONS debug flag violation(s)." |
| 147 | + if ! $DRY_RUN; then |
| 148 | + exit 1 |
| 149 | + fi |
| 150 | +fi |
| 151 | + |
| 152 | +exit 0 |
0 commit comments