Check:links and insecure HTTP usage (#120)

Author: soumeh01

.devcontainer/ubuntu-24.04/.p10k.zsh

@@ -1399,7 +1399,7 @@
 
   # Use POWERLEVEL9K_KUBECONTEXT_CONTENT_EXPANSION to specify the content displayed by kubecontext
   # segment. Parameter expansions are very flexible and fast, too. See reference:
-  # http://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion.
+  # https://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion.
   #
   # Within the expansion the following parameters are always available:
   #
@@ -1618,7 +1618,7 @@
 
   # Use POWERLEVEL9K_GOOGLE_APP_CRED_CONTENT_EXPANSION to specify the content displayed by
   # google_app_cred segment. Parameter expansions are very flexible and fast, too. See reference:
-  # http://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion.
+  # https://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion.
   #
   # You can use the following parameters in the expansion. Each of them corresponds to one of the
   # fields in the JSON file pointed to by GOOGLE_APPLICATION_CREDENTIALS.

.github/workflows/ci.yml

@@ -70,6 +70,9 @@ jobs:
       - name: Check copyright
         run: npm run copyright:check
 
+      - name: Check links for insecure http URLs (only changed files)
+        run: npm run check:links -- -m false
+
       - name: Lint check
         run: npm run lint
 

.github/workflows/nightly.yml

@@ -22,6 +22,24 @@ defaults:
     shell: bash
 
 jobs:
+  validate-links:
+    name: Validate Markdown Links
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Validate Links
+        uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2
+        with:
+          use-quiet-mode: 'no'
+          use-verbose-mode: 'yes'
+          config-file: '.github/markdown-link-check.jsonc'
+
   build:
     if: github.repository == 'Open-CMSIS-Pack/vscode-cmsis-solution'
     permissions:

LICENSE

@@ -17,7 +17,7 @@ The full license text of applicable licenses is provided below.
 
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 

LICENSE-Apache-2.0

@@ -1,6 +1,6 @@
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 

package.json

@@ -5,7 +5,7 @@
   "version": "1.67.1",
   "preview": false,
   "publisher": "Arm",
-  "author": "Jens Reinecke <jens.reinecke@arm.com>",
+  "author": "Jonatan Antoni <jonatan.antoni@arm.com>",
   "license": "SEE LICENSE IN LICENSE",
   "main": "dist/extension.js",
   "repository": "https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution",
@@ -42,7 +42,7 @@
   "scripts": {
     "preprepare": "npm run download:rpc-interface",
     "prepare": "concurrently npm:download:uv2csolution npm:download:debug-adapters npm:download:toolbox",
-    "clean": "git clean -f -x ./dist ./out ./tools",
+    "clean": "git clean -f -x ./dist ./out ./tools ./coverage ./e2e-report ./e2e-screenshots ./test-results",
     "prebuild": "npm run font",
     "build": "webpack --mode production",
     "prewatch": "npm run font",
@@ -68,7 +68,8 @@
     "font": "fantasticon",
     "lint:md": "markdownlint **/*.md -c ./.github/markdownlint.jsonc -i ./node_modules -i ./dist -i ./coverage -i ./tools -i ./test-data -i ./src/e2e-tests/data -i CHANGELOG.md",
     "copyright:check": "tsx scripts/copyright-manager.ts --mode=check",
-    "copyright:fix": "tsx scripts/copyright-manager.ts --mode=fix"
+    "copyright:fix": "tsx scripts/copyright-manager.ts --mode=fix",
+    "check:links": "tsx scripts/check-links.ts -i ./node_modules/** -i ./.github/** -c ./.github/markdown-link-check.jsonc"
   },
   "dependencies": {
     "@ant-design/icons": "^5.6.1",

scripts/check-links.ts

@@ -0,0 +1,193 @@
+#!npx tsx
+
+/**
+ * Copyright 2026 Arm Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ *Usage:
+ * check-links.ts [options]
+
+ * Options:
+ *     --version        Show version number                             [boolean]
+ * -c, --config         Path to markdown-link-check config file         [string]  [default: ".github/markdown-link-check.jsonc"]
+ * -i, --ignore         Directories to ignore                           [array]   [default: ["node_modules/**"]]
+ * -m, --checkMarkdown  Validate links in markdown files                [boolean] [default: true]
+ * -u, --checkHttp      Scan changed files for insecure http URLs       [boolean] [default: true]
+ * -h, --help           Show help                                       [boolean]
+ *
+ * Example usage:
+ *   npm run check:links
+ *   npm run check:links -- -i "./dist/**" -i "./coverage/**"
+ *   npm run check:links -- -c "./.github/markdown-link-check.jsonc"
+ *   npm run check:links -- -m false -i "./dist/**" -c "./.github/markdown-link-check.jsonc"
+ */
+
+import { execFile as execFileCallback } from "child_process";
+import { readFile as readFileCallback } from "fs";
+import { glob } from "glob";
+import { resolve } from "path";
+import { promisify } from "util";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+const execFile = promisify(execFileCallback);
+const readFile = promisify(readFileCallback);
+
+
+async function getChangedFiles(): Promise<string[]> {
+    const changedFiles = new Set<string>();
+
+    const unstaged = await execFile("git", [
+        "diff",
+        "--name-only",
+        "--diff-filter=ACMR"
+    ]);
+    unstaged.stdout
+        .split(/\r?\n/)
+        .map((f) => f.trim())
+        .filter(Boolean)
+        .forEach((f) => changedFiles.add(f));
+
+    const staged = await execFile("git", [
+        "diff",
+        "--name-only",
+        "--diff-filter=ACMR",
+        "--cached"
+    ]);
+    staged.stdout
+        .split(/\r?\n/)
+        .map((f) => f.trim())
+        .filter(Boolean)
+        .forEach((f) => changedFiles.add(f));
+
+    // Explicitly include newly added files from the index.
+    const stagedAdded = await execFile("git", [
+        "diff",
+        "--name-only",
+        "--diff-filter=A",
+        "--cached"
+    ]);
+    stagedAdded.stdout
+        .split(/\r?\n/)
+        .map((f) => f.trim())
+        .filter(Boolean)
+        .forEach((f) => changedFiles.add(f));
+
+    return Array.from(changedFiles);
+}
+
+async function checkForInsecureUrls(files: string[]): Promise<void> {
+    const insecurePattern = /http:\/\//;
+
+    for (const file of files) {
+        try {
+            const content = await readFile(file, "utf8");
+
+            // Skip likely binary files.
+            if (content.includes("\0")) {
+                continue;
+            }
+
+            const lines = content.split(/\r?\n/);
+            for (let i = 0; i < lines.length; i++) {
+                if (!insecurePattern.test(lines[i])) {
+                    continue;
+                }
+
+                console.error(`Insecure URL found in ${file}:${i + 1}`);
+                console.error(`  ${lines[i].trim()}`);
+                process.exitCode = 1;
+            }
+        } catch {
+            // Ignore unreadable/non-text files.
+        }
+    }
+}
+
+async function main() {
+    const argv = yargs(hideBin(process.argv))
+        .option("config", {
+            alias: "c",
+            type: "string",
+            description: "Path to markdown-link-check config file",
+            default: ".github/markdown-link-check.jsonc",
+        })
+        .option("ignore", {
+            alias: "i",
+            type: "array",
+            description: "Directories to ignore",
+            default: ["node_modules/**"],
+        })
+        .option("checkMarkdown", {
+            alias: "m",
+            type: "boolean",
+            description: "Validate links in markdown files",
+            default: true,
+        })
+        .option("checkHttp", {
+            alias: "u",
+            type: "boolean",
+            description: "Scan changed files for insecure http URLs",
+            default: true,
+        })
+        .help()
+        .alias("help", "h")
+        .parseSync();
+
+    if (argv.checkMarkdown) {
+        const configPath = resolve(argv.config);
+        const mdFiles = await glob("**/*.md", {
+            ignore: argv.ignore as string[],
+        });
+
+        if (mdFiles.length === 0) {
+            console.log("No markdown files found.");
+        } else {
+            console.log(`Checking ${mdFiles.length} markdown file(s)...`);
+            for (const file of mdFiles) {
+                try {
+                    const { stdout } = await execFile(
+                        "npx", ["markdown-link-check", "-v", "-c", configPath, file], { shell: true }
+                    );
+                    console.log(stdout);
+                } catch (err: any) {
+                    console.error(`Error in file: ${file}`);
+                    console.error(err.stdout || err.message);
+                    process.exitCode = 1;
+                }
+            }
+        }
+    } else {
+        console.log("Skipping markdown link validation.");
+    }
+
+    if (argv.checkHttp) {
+        const changedFiles = await getChangedFiles();
+
+        if (changedFiles.length === 0) {
+            console.log("No changed files found for insecure URL check.");
+            return;
+        }
+
+        console.log(`Checking ${changedFiles.length} changed file(s) for insecure URLs...`);
+        await checkForInsecureUrls(changedFiles);
+    }
+}
+
+main().catch((error) => {
+    console.error(error);
+    process.exit(1);
+});