[engine] Expose runtime-configurable variables to checks

Makes a new `ctx.vars.get()` field available to checks that is used to
retrieve optional runtime-configurable values passed into shac via
`--var name=value` command-line flags.

In order to be set at runtime, a var must be declared beforehand in
shac.textproto with an optional default value. Centralizing the list
of allowed variables differs from the strategies taken by lucicfg and
GN, which both allow any file to declare arbitrary runtime-configurable
variables. However, that approach makes it much harder to discover the
list of allowed variables, and makes it much easier to add new
runtime-configurable variables.

A proliferation of runtime-configurable variables is not desired for
shac because it would open the door to divergence between local
workflows and CI, e.g. if CI sets many variables to non-default values
then it would become difficult to accurately reproduce CI results
locally. Therefore, vars should only be used when absolutely necessary
and only for passing through opaque parameters rather than tweaking
behavior. The most immediate use case is for passing in the path to a
repository's build directory into shac so shac can run executables and
read artifacts from the build directory.

Bug: 82386
Change-Id: I18cacfc8d9800e4d784c108389e697b5d6b12bc1
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/915494
Reviewed-by: Anthony Fandrianto <atyfto@google.com>
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
18 files changed
tree: 3625e032abf15fc532890a7b2182ce4df8318d84
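The commit message above describes the mechanism in three parts: a variable is declared once (in shac.textproto, with an optional default), overridden at the command line with `--var name=value`, and read inside a check with `ctx.vars.get()`. The Python below is an added model of that design, written for this page; it is not shac's implementation, and the `VarDecl` fields, the `Vars` class, the `VarError` type, and the sample declarations (`build_dir`, `log_level`) are assumptions chosen for illustration. It shows the two properties the commit argues for: undeclared names are rejected at both the flag and the read site, and the set of non-default values can be listed so a CI run can be reproduced locally.

```python
"""Model of runtime-configurable variables with one central declaration list.

Added example, not shac's code: it mirrors the design in the commit message
(declare once with a default, override via `--var name=value`, read with a
`get()` call) so the rules can be exercised and tested.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


class VarError(ValueError):
    """Raised for undeclared names or malformed --var arguments."""


@dataclass(frozen=True)
class VarDecl:
    """One declared variable. In shac the declaration lives in shac.textproto;
    the field names here are assumptions, not shac's schema."""
    name: str
    default: str = ""
    description: str = ""


class Vars:
    """Central registry: only declared names may be overridden or read."""

    def __init__(self, decls: Iterable[VarDecl]):
        self._decls: Dict[str, VarDecl] = {}
        for d in decls:
            if d.name in self._decls:
                raise VarError(f"variable {d.name!r} declared twice")
            self._decls[d.name] = d
        # Every declared variable starts at its default value.
        self._values: Dict[str, str] = {n: d.default for n, d in self._decls.items()}

    @staticmethod
    def parse_flag(arg: str) -> Tuple[str, str]:
        """Split one `name=value` argument (the part after `--var`)."""
        name, sep, value = arg.partition("=")
        if not sep or not name:
            raise VarError(f"malformed --var argument {arg!r}, expected name=value")
        return name, value

    def apply_flags(self, args: Iterable[str]) -> "Vars":
        """Apply `--var` overrides; an undeclared name is an error, not a new variable."""
        for arg in args:
            name, value = self.parse_flag(arg)
            if name not in self._decls:
                raise VarError(f"undeclared variable {name!r}; declare it centrally first")
            self._values[name] = value
        return self

    def get(self, name: str) -> str:
        """Counterpart of the ctx.vars.get() read site (assumed behaviour):
        reading a name that was never declared fails instead of returning ''."""
        if name not in self._decls:
            raise VarError(f"undeclared variable {name!r}")
        return self._values[name]

    def non_default(self) -> Dict[str, str]:
        """Variables set away from their defaults: exactly the flags a developer
        must pass to reproduce a CI invocation locally."""
        return {n: v for n, v in self._values.items() if v != self._decls[n].default}


# Constructed sample declarations (not taken from the shac repository).
DECLS = [
    VarDecl("build_dir", default="", description="path to the build output directory"),
    VarDecl("log_level", default="info"),
]


def override_error(decls: Iterable[VarDecl], args: Iterable[str]) -> str:
    """Return the error message a set of --var arguments produces, or '' if accepted."""
    try:
        Vars(decls).apply_flags(args)
    except VarError as e:
        return str(e)
    return ""


def demo() -> Dict[str, str]:
    """Typical use: CI passes the build directory and nothing else."""
    return Vars(DECLS).apply_flags(["build_dir=out/default"]).non_default()


if __name__ == "__main__":
    print(demo())
```

Keeping the declaration list in one place is what makes `non_default()` meaningful: because every allowed name is known up front, the registry can report precisely which overrides a run received, which is the information needed to keep local and CI results comparable.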
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

[Image: usage demonstration]

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on macOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.