linter/rules: add version-streamed-runtime-dependencies

Dentrax · Dentrax · commit d6bcc38fae2a · 2025-03-16T13:06:50.000+03:00
Adds version-streamed-runtime-dependencies rule to check that
given runtime dependencies are using the version-streamed subpackages
rather than 'provides:'.

Signed-off-by: Dentrax &lt;furkan.turkal@chainguard.dev&gt;
diff --git a/pkg/lint/rules.go b/pkg/lint/rules.go
@@ -27,6 +27,13 @@ var (
 	// Be stricter than Go to promote consistency and avoid homograph attacks
 	reValidHostname = regexp.MustCompile(`^[a-z0-9][a-z0-9\.\-]+\.[a-z]{2,6}$`)
 
+	// This regex captures a string that ends with a semantic version (semver) suffix.
+	// It returns two groups:
+	// - Group 1: The prefix part of the string before the semver.
+	// - Group 2: The semver (major.minor or major.minor.patch).
+	// If there is no semver suffix, the string will not match.
+	reVersionStream = regexp.MustCompile(`^(.*?)-(\d+\.\d+(?:\.\d+)?)$`)
+
 	forbiddenRepositories = []string{
 		"https://packages.wolfi.dev/os",
 	}
@@ -468,6 +475,37 @@ var AllRules = func(l *Linter) Rules { //nolint:gocyclo
 				return err
 			},
 		},
+		{
+			Name:        "version-streamed-runtime-dependencies",
+			Description: "version-streamed packages must provide versioned runtime dependencies of its subpackage names instead of 'provides'",
+			Severity:    SeverityError,
+			LintFunc: func(c config.Configuration) error {
+				if !reVersionStream.MatchString(c.Package.Name) {
+					return nil
+				}
+				providesSet := make(map[string]struct{})
+				for _, subpkg := range c.Subpackages {
+					for _, prov := range subpkg.Dependencies.Provides {
+						namePart := strings.SplitN(prov, "=", 2)[0]
+						providesSet[namePart] = struct{}{}
+					}
+				}
+				var invalid []string
+				for _, dep := range c.Package.Dependencies.Runtime {
+					// Skip cases where the provides: might be like: ${{package.name}}-foo=${{package.full-version}}
+					if strings.Contains(dep, c.Package.Name) {
+						continue
+					}
+					if _, ok := providesSet[dep]; ok {
+						invalid = append(invalid, dep)
+					}
+				}
+				if len(invalid) > 0 {
+					return fmt.Errorf("version-streamed package must use versioned runtime dependencies for its subpackages: %s", strings.Join(invalid, ", "))
+				}
+				return nil
+			},
+		},
 	}
 }
 
diff --git a/pkg/lint/rules_test.go b/pkg/lint/rules_test.go
@@ -451,6 +451,42 @@ func TestLinter_Rules(t *testing.T) {
 			wantErr: false,
 			matches: 1,
 		},
+		{
+			file:        "version-streamed-package-invalid-runtime-dependencies-1.2.yaml",
+			minSeverity: SeverityWarning,
+			want: EvalResult{
+				File: "version-streamed-package-invalid-runtime-dependencies-1.2",
+				Errors: EvalRuleErrors{
+					{
+						Rule: Rule{
+							Name:     "version-streamed-runtime-dependencies",
+							Severity: SeverityError,
+						},
+						Error: fmt.Errorf("[version-streamed-runtime-dependencies]: version-streamed package must use versioned runtime dependencies for its subpackages: version-streamed-package-invalid-runtime-dependencies-foo (ERROR)"),
+					},
+				},
+			},
+			wantErr: false,
+			matches: 1,
+		},
+		{
+			file:        "version-streamed-package-invalid-runtime-dependencies-1.2.yaml",
+			minSeverity: SeverityWarning,
+			want: EvalResult{
+				File: "version-streamed-package-invalid-runtime-dependencies-1.2",
+				Errors: EvalRuleErrors{
+					{
+						Rule: Rule{
+							Name:     "version-streamed-runtime-dependencies",
+							Severity: SeverityError,
+						},
+						Error: fmt.Errorf("[version-streamed-runtime-dependencies]: version-streamed package must use versioned runtime dependencies for its subpackages: version-streamed-package-invalid-runtime-dependencies-foo (ERROR)"),
+					},
+				},
+			},
+			wantErr: false,
+			matches: 1,
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/pkg/lint/testdata/files/version-streamed-package-invalid-runtime-dependencies-1.2.yaml b/pkg/lint/testdata/files/version-streamed-package-invalid-runtime-dependencies-1.2.yaml
@@ -0,0 +1,32 @@
+package:
+  name: version-streamed-package-invalid-runtime-dependencies-1.2
+  version: 1.2.3
+  epoch: 0
+  description: "a version-package with non-streamed runtime dependencies"
+  dependencies:
+    runtime:
+      - version-streamed-package-invalid-runtime-dependencies-foo # NOK
+      - ${{package.name}}-bar # OK
+
+pipeline:
+  - runs: echo "test"
+
+subpackages:
+  - name: ${{package.name}}-foo
+    description: "a subpackage with provides that doesn't contain the version stream"
+    pipeline:
+      - runs: echo "test"
+    dependencies:
+      provides:
+        - version-streamed-package-invalid-runtime-dependencies-foo=${{package.full-version}}
+
+  - name: ${{package.name}}-bar
+    description: "a subpackage with provides that does contain the version stream"
+    pipeline:
+      - runs: echo "test"
+    dependencies:
+      provides:
+        - ${{package.name}}-bar=${{package.full-version}}
+
+update:
+  enabled: true
