fix(pipeline): avoid .github false negatives; analyze package-lock only with lockfile rules; bump module analysis cache schema

Author: KristjanESPERANTO

pipeline/workers/process-module.ts

@@ -829,7 +829,11 @@ async function analyzeModule(module: ModuleInput, config: ProcessModuleConfig):
           const fullPath = path.join(dir, entry.name);
           const relativePath = path.relative(baseDir, fullPath);
 
-          if (!relativePath.includes(".git") && !relativePath.includes("node_modules")) {
+          const pathSegments = relativePath.split(path.sep);
+          const isGitDir = pathSegments.includes(".git");
+          const isNodeModulesDir = pathSegments.includes("node_modules");
+
+          if (!isGitDir && !isNodeModulesDir) {
             if (entry.isDirectory()) {
               getAllFiles(fullPath, baseDir, files);
             } else {

scripts/check-modules/__tests__/module-analyzer.test.js

@@ -0,0 +1,112 @@
+import * as fsPromises from "node:fs/promises";
+import { analyzeModule } from "../../check-modules/module-analyzer.ts";
+import { strict as assert } from "node:assert";
+import { join } from "node:path";
+import { test } from "node:test";
+import { tmpdir } from "node:os";
+
+async function createTempModule() {
+  const root = await fsPromises.mkdtemp(join(tmpdir(), "module-analyzer-test-"));
+  await fsPromises.mkdir(join(root, ".github"), { recursive: true });
+
+  await fsPromises.writeFile(
+    join(root, "README.md"),
+    [
+      "# MMM-Remote-Control",
+      "",
+      "## Installation",
+      "git clone https://github.com/Jopyth/MMM-Remote-Control",
+      "",
+      "## Update",
+      "Update steps",
+      "",
+      "## Config",
+      "{",
+      "  module: \"MMM-Remote-Control\",",
+      "  config: {",
+      "    foo: true",
+      "  },",
+      "},",
+      ""
+    ].join("\n")
+  );
+
+  await fsPromises.writeFile(
+    join(root, "CHANGELOG.md"),
+    "XMLHttpRequest\nnpm run\ngit checkout\n"
+  );
+  await fsPromises.writeFile(join(root, "CODE_OF_CONDUCT.md"), "code of conduct");
+  await fsPromises.writeFile(join(root, "LICENSE.md"), "license");
+  await fsPromises.writeFile(join(root, "eslint.config.mjs"), "export default [];\n");
+  await fsPromises.writeFile(
+    join(root, "package.json"),
+    JSON.stringify(
+      {
+        devDependencies: { eslint: "^10.0.0" },
+        scripts: { lint: "eslint" }
+      },
+      null,
+      2
+    )
+  );
+  await fsPromises.writeFile(
+    join(root, "package-lock.json"),
+    `${JSON.stringify(
+      {
+        name: "x",
+        note: "jshint",
+        lockfileVersion: 2,
+        scripts: { test: "npm run lint" }
+      },
+      null,
+      2
+    )}\n`
+  );
+  await fsPromises.writeFile(join(root, ".github", "dependabot.yaml"), "version: 2\nupdates: []\n");
+
+  return root;
+}
+
+test("analyzer keeps .github files and applies only lockfile-specific package-lock rules", async () => {
+  const moduleRoot = await createTempModule();
+  const files = [
+    join(moduleRoot, "README.md"),
+    join(moduleRoot, "CHANGELOG.md"),
+    join(moduleRoot, "CODE_OF_CONDUCT.md"),
+    join(moduleRoot, "LICENSE.md"),
+    join(moduleRoot, "eslint.config.mjs"),
+    join(moduleRoot, "package.json"),
+    join(moduleRoot, "package-lock.json"),
+    join(moduleRoot, ".github", "dependabot.yaml")
+  ];
+
+  const result = await analyzeModule(
+    moduleRoot,
+    "MMM-Remote-Control",
+    "https://github.com/Jopyth/MMM-Remote-Control",
+    files
+  );
+
+  assert.equal(
+    result.issues.some(issue => issue.includes("There is no dependabot configuration file")),
+    false
+  );
+  assert.equal(
+    result.issues.some(issue => issue.includes("in file `CHANGELOG.md`")),
+    false
+  );
+  assert.equal(
+    result.issues.some(
+      issue => issue.includes("Found `jshint`") && issue.includes("in file `package-lock.json`")
+    ),
+    false
+  );
+  assert.equal(
+    result.issues.some(
+      issue => issue.includes("Found `\"lockfileVersion\": 2`") && issue.includes("in file `package-lock.json`")
+    ),
+    true
+  );
+
+  assert.ok(Array.isArray(result.issues));
+});

scripts/check-modules/module-analyzer.ts

@@ -331,17 +331,35 @@ export async function analyzeModule(
 ): Promise<AnalysisResult> {
   const issues: string[] = [];
 
-  // Filter out files in node_modules and .git
+  // Filter out files in node_modules and .git directories.
+  // Use path segments instead of substring matching so ".github" files are not excluded.
   const relevantFiles = files.filter(
-    (f) => !f.includes("node_modules") && !f.includes(".git")
+    (f) => {
+      const segments = f.split("/");
+      return !segments.includes("node_modules") && !segments.includes(".git");
+    }
   );
 
   // Check for each file
   for (const filePath of relevantFiles) {
     const content = await readFile(filePath, "utf-8").catch(() => "");
+    const filename = filePath.split("/").pop() ?? "";
+    const filenameLower = filename.toLowerCase();
+    const isChangelogFile = filenameLower === "changelog" || filenameLower.startsWith("changelog.");
+    const isPackageLockFile = filenameLower === "package-lock.json";
 
     // Check TEXT_RULES
     for (const [, rule] of Object.entries(TEXT_RULES)) {
+      // CHANGELOG entries are historical context and produce low-quality findings.
+      if (isChangelogFile) {
+        continue;
+      }
+
+      // lockfiles should only be checked via lockfile-specific rules.
+      if (isPackageLockFile) {
+        continue;
+      }
+
       if (content.includes(rule.pattern)) {
         issues.push(
           `${rule.category}: Found \`${rule.pattern}\` in file \`${filePath.split("/").pop()}\`: ${rule.description}`
@@ -367,7 +385,7 @@ export async function analyzeModule(
     }
 
     // Package-lock.json rules
-    if (filePath.endsWith("package-lock.json")) {
+    if (isPackageLockFile) {
       for (const [, rule] of Object.entries(PACKAGE_LOCK_RULES)) {
         if (content.includes(rule.pattern)) {
           issues.push(

scripts/shared/module-analysis-cache.ts

@@ -3,7 +3,7 @@ import { getCurrentCommit } from "./git.ts";
 import { resolve } from "node:path";
 import { stringifyDeterministic } from "./deterministic-output.ts";
 
-export const MODULE_ANALYSIS_CACHE_SCHEMA_VERSION = 4;
+export const MODULE_ANALYSIS_CACHE_SCHEMA_VERSION = 6;
 export const MODULE_ANALYSIS_CACHE_RELATIVE_PATH = "website/data/moduleCache.json";
 
 interface ModuleAnalysisCheckGroupsInput {