docs: strict dependency allowlist with CI enforcement
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 15s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 28s
CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m40s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m48s
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 15s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 28s
CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m40s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m48s
STRICT ALLOWLIST policy: Only packages explicitly listed in CONVENTIONS.md may be imported. No exceptions. ## Changes - Updates CONVENTIONS.md with strict allowlist language - Adds scripts/check-deps.sh to enforce the allowlist - Adds 'make check-deps' and 'make precommit' targets - CI will fail if any unapproved dependency is detected ## Approved packages - gopkg.in/yaml.v3 — YAML parsing - github.com/google/go-cmp — test comparisons ## Process for new dependencies 1. Open a PR that ONLY updates CONVENTIONS.md 2. Requires explicit approval from Aaron 3. After merge, a separate PR may use the package
This commit is contained in:
Rodin
Executable
+61
@@ -0,0 +1,61 @@
|
||||
#!/bin/bash
|
||||
# check-deps.sh - Enforces the strict dependency allowlist from CONVENTIONS.md
|
||||
# Exit 1 if any unapproved import is found.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Approved third-party packages (from CONVENTIONS.md)
|
||||
ALLOWED=(
|
||||
"gopkg.in/yaml.v3"
|
||||
"github.com/google/go-cmp"
|
||||
)
|
||||
|
||||
# Build regex pattern from allowed list
|
||||
ALLOWED_PATTERN=""
|
||||
for pkg in "${ALLOWED[@]}"; do
|
||||
if [ -z "$ALLOWED_PATTERN" ]; then
|
||||
ALLOWED_PATTERN="$pkg"
|
||||
else
|
||||
ALLOWED_PATTERN="$ALLOWED_PATTERN|$pkg"
|
||||
fi
|
||||
done
|
||||
|
||||
# Get all imports from go.mod (excluding the module itself and stdlib)
|
||||
IMPORTS=$(go list -m all 2>/dev/null | tail -n +2 | awk '{print $1}' || true)
|
||||
|
||||
if [ -z "$IMPORTS" ]; then
|
||||
echo "✅ No external dependencies"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
VIOLATIONS=""
|
||||
while IFS= read -r import; do
|
||||
# Skip empty lines
|
||||
[ -z "$import" ] && continue
|
||||
|
||||
# Check if import matches any allowed pattern (prefix match for subpackages)
|
||||
MATCHED=false
|
||||
for allowed in "${ALLOWED[@]}"; do
|
||||
if [[ "$import" == "$allowed" ]] || [[ "$import" == "$allowed/"* ]]; then
|
||||
MATCHED=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$MATCHED" = false ]; then
|
||||
VIOLATIONS="$VIOLATIONS\n - $import"
|
||||
fi
|
||||
done <<< "$IMPORTS"
|
||||
|
||||
if [ -n "$VIOLATIONS" ]; then
|
||||
echo "❌ UNAPPROVED DEPENDENCIES DETECTED"
|
||||
echo -e "The following imports are not in the allowlist:$VIOLATIONS"
|
||||
echo ""
|
||||
echo "To add a dependency:"
|
||||
echo " 1. Open a PR that ONLY updates CONVENTIONS.md"
|
||||
echo " 2. Get explicit approval from Aaron"
|
||||
echo " 3. After merge, use the package in a separate PR"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "✅ All dependencies are approved"
|
||||
Reference in New Issue
Block a user