Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Rodin
|
4b96231b32 |
+11
-9
@@ -3,19 +3,21 @@
|
||||
## Language & Dependencies
|
||||
|
||||
- Target the latest stable Go release.
|
||||
- Prefer Go standard library; approved third-party packages allowed (see below).
|
||||
- **STRICT ALLOWLIST:** Only packages listed below may be imported. No exceptions.
|
||||
|
||||
### Approved Third-Party Packages
|
||||
|
||||
| Package | Use Case | Notes |
|
||||
|---------|----------|-------|
|
||||
| `gopkg.in/yaml.v3` | YAML parsing | Persona files, config |
|
||||
| `github.com/google/go-cmp` | Test comparisons | `cmp.Diff` for readable diffs |
|
||||
| Package | Use Case |
|
||||
|---------|----------|
|
||||
| `gopkg.in/yaml.v3` | YAML parsing (persona files, config) |
|
||||
| `github.com/google/go-cmp` | Test comparisons (`cmp.Diff`) |
|
||||
|
||||
To add a new dependency:
|
||||
1. Open a PR with justification (why stdlib is insufficient)
|
||||
2. Package must be well-maintained, widely used, minimal transitive deps
|
||||
3. Update this table when approved
|
||||
**Any import not in this table or the Go standard library is forbidden.**
|
||||
|
||||
To request a new dependency:
|
||||
1. Open a PR that ONLY updates this table with justification
|
||||
2. Requires explicit approval from Aaron
|
||||
3. After merge, a separate PR may use the package
|
||||
|
||||
## Error Handling
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
.PHONY: build test test-integration lint clean coverage
|
||||
.PHONY: build test test-integration lint clean coverage check-deps
|
||||
|
||||
build:
|
||||
go build -o review-bot ./cmd/review-bot/
|
||||
@@ -12,9 +12,15 @@ test-integration:
|
||||
lint:
|
||||
go vet ./...
|
||||
|
||||
check-deps:
|
||||
@./scripts/check-deps.sh
|
||||
|
||||
clean:
|
||||
rm -f review-bot
|
||||
|
||||
coverage:
|
||||
go test -coverprofile=coverage.out ./...
|
||||
go tool cover -func=coverage.out
|
||||
|
||||
# Precommit runs all checks required before pushing
|
||||
precommit: check-deps lint test
|
||||
|
||||
Executable
+61
@@ -0,0 +1,61 @@
|
||||
#!/bin/bash
|
||||
# check-deps.sh - Enforces the strict dependency allowlist from CONVENTIONS.md
|
||||
# Exit 1 if any unapproved import is found.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Approved third-party packages (from CONVENTIONS.md)
|
||||
ALLOWED=(
|
||||
"gopkg.in/yaml.v3"
|
||||
"github.com/google/go-cmp"
|
||||
)
|
||||
|
||||
# Build regex pattern from allowed list
|
||||
ALLOWED_PATTERN=""
|
||||
for pkg in "${ALLOWED[@]}"; do
|
||||
if [ -z "$ALLOWED_PATTERN" ]; then
|
||||
ALLOWED_PATTERN="$pkg"
|
||||
else
|
||||
ALLOWED_PATTERN="$ALLOWED_PATTERN|$pkg"
|
||||
fi
|
||||
done
|
||||
|
||||
# Get all imports from go.mod (excluding the module itself and stdlib)
|
||||
IMPORTS=$(go list -m all 2>/dev/null | tail -n +2 | awk '{print $1}' || true)
|
||||
|
||||
if [ -z "$IMPORTS" ]; then
|
||||
echo "✅ No external dependencies"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
VIOLATIONS=""
|
||||
while IFS= read -r import; do
|
||||
# Skip empty lines
|
||||
[ -z "$import" ] && continue
|
||||
|
||||
# Check if import matches any allowed pattern (prefix match for subpackages)
|
||||
MATCHED=false
|
||||
for allowed in "${ALLOWED[@]}"; do
|
||||
if [[ "$import" == "$allowed" ]] || [[ "$import" == "$allowed/"* ]]; then
|
||||
MATCHED=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$MATCHED" = false ]; then
|
||||
VIOLATIONS="$VIOLATIONS\n - $import"
|
||||
fi
|
||||
done <<< "$IMPORTS"
|
||||
|
||||
if [ -n "$VIOLATIONS" ]; then
|
||||
echo "❌ UNAPPROVED DEPENDENCIES DETECTED"
|
||||
echo -e "The following imports are not in the allowlist:$VIOLATIONS"
|
||||
echo ""
|
||||
echo "To add a dependency:"
|
||||
echo " 1. Open a PR that ONLY updates CONVENTIONS.md"
|
||||
echo " 2. Get explicit approval from Aaron"
|
||||
echo " 3. After merge, use the package in a separate PR"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "✅ All dependencies are approved"
|
||||
Reference in New Issue
Block a user