Merge pull request 'docs: allow approved third-party packages' (#59 ) from allow-deps into main

docs: strict dependency allowlist with CI enforcement
2026-05-10 21:07:10 +00:00
2 changed files with 7 additions and 13 deletions
@@ -14,7 +14,7 @@

 **Any import not in this table or the Go standard library is forbidden.**

-Only *direct* dependencies (listed in go.mod without `// indirect`) are checked against this allowlist. Transitive dependencies pulled in by approved packages are implicitly allowed.
+Transitive dependencies of approved packages are automatically allowed.

 To request a new dependency:
 1. Open a PR that ONLY updates this table
@@ -23,8 +23,7 @@ if [ ! -f "$CONVENTIONS_FILE" ]; then
    exit 1
 fi

-# Parse approved packages from CONVENTIONS.md table
-# Note: uses Bash process substitution (< <(...)) for the loop
+# Parse approved packages from CONVENTIONS.md table using awk (POSIX-compatible)
 # Format: | `package` | use case | scope |
 declare -A ALLOWED_PROD=()
 declare -A ALLOWED_TEST=()
@@ -34,8 +33,7 @@ while IFS= read -r line; do
    pkg=$(echo "$line" | awk -F'|' '{gsub(/^[[:space:]]*`|`[[:space:]]*$/, "", $2); print $2}')
    scope=$(echo "$line" | awk -F'|' '{gsub(/^[[:space:]]+|[[:space:]]+$/, "", $4); print tolower($4)}')
    
-    # Accept packages starting with letter or digit (e.g., 9fans.net/go)
-    if [ -n "$pkg" ] && [ "$pkg" != "Package" ] && [[ "$pkg" =~ ^[[:alnum:]] ]]; then
+    if [ -n "$pkg" ] && [ "$pkg" != "Package" ] && [[ "$pkg" =~ ^[a-zA-Z] ]]; then
        if [[ "$scope" == *"test"* ]]; then
            ALLOWED_TEST["$pkg"]=1
        else
@@ -71,12 +69,8 @@ matches_allowlist() {
 }

 # Get direct module dependencies from go.mod
-# Capture stderr separately to avoid mixing error messages with package list
-GO_LIST_STDERR=$(mktemp)
-trap 'rm -f "$GO_LIST_STDERR"' EXIT
-DIRECT_IMPORTS=$(go list -m -f '{{if and (not .Indirect) (not .Main)}}{{.Path}}{{end}}' all 2>"$GO_LIST_STDERR") || {
-    echo "❌ Failed to list dependencies:"
-    cat "$GO_LIST_STDERR"
+DIRECT_IMPORTS=$(go list -m -f '{{if and (not .Indirect) (not .Main)}}{{.Path}}{{end}}' all 2>&1) || {
+    echo "❌ Failed to list dependencies: $DIRECT_IMPORTS"
    exit 1
 }
 DIRECT_IMPORTS=$(echo "$DIRECT_IMPORTS" | grep -v '^$' || true)
@@ -112,8 +106,8 @@ PROD_IMPORTS=$(go list -deps -f '{{if not .Standard}}{{.ImportPath}}{{end}}' ./.

 TEST_ONLY_IN_PROD=""
 for test_pkg in "${!ALLOWED_TEST[@]}"; do
-    # Match exact package or subpackages (pkg or pkg/...)
-    if echo "$PROD_IMPORTS" | grep -qE "^${test_pkg}(/|$)"; then
+    # Use word-boundary matching: exact match or followed by /
+    if echo "$PROD_IMPORTS" | grep -qE "^${test_pkg}(/|\$|$)"; then
        TEST_ONLY_IN_PROD="${TEST_ONLY_IN_PROD}  - ${test_pkg} (marked 'test only' but used in production code)"$'\n'
    fi
 done