semgrep
diff --git a/‎.github/workflows/check-generated.yaml‎
Lines changed: 16 additions & 17 deletions b/‎.github/workflows/check-generated.yaml‎
Lines changed: 16 additions & 17 deletions
diff --git a/‎.github/workflows/lint.yaml‎
Lines changed: 31 additions & 25 deletions b/‎.github/workflows/lint.yaml‎
Lines changed: 31 additions & 25 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 33 additions & 31 deletions b/‎Makefile‎
Lines changed: 33 additions & 31 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 4 deletions b/‎README.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎scripts/check-backwards-compatibility‎
Lines changed: 6 additions & 5 deletions b/‎scripts/check-backwards-compatibility‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎scripts/validate.py‎
Lines changed: 82 additions & 0 deletions b/‎scripts/validate.py‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎semgrep-interfaces.opam‎
Lines changed: 1 addition & 11 deletions b/‎semgrep-interfaces.opam‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎tests/.gitignore‎
Lines changed: 0 additions & 2 deletions b/‎tests/.gitignore‎
Lines changed: 0 additions & 2 deletions
@@ -13,27 +13,26 @@ concurrency:
 jobs:
   check-generated:
     runs-on: ubuntu-latest
-    container: returntocorp/ocaml:alpine
     steps:
       - name: Checkout tree
-        uses: actions/checkout@v4
-
-      - name: Setup
-        shell: bash
-        run: |
-          git config --global --add safe.directory "$(pwd)"
-          opam init --disable-sandboxing --yes
-          eval $(opam env)
-          apk add py3-pip
-          pip install check-jsonschema mypy --break-system-packages
-          make setup
-
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - uses: semgrep/setup-ocaml@ce6a88f72f48e02a172c93eb93177b21659e7032
+        with:
+          cache-prefix: v1
+          ocaml-compiler: 5.3.0
+          opam-pin: false
+          save-opam-post-run: true
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
+        with:
+          enable-cache: auto
+          python-version: "3.11"
+          version: 0.9.26
       - name: Regenerate files
         shell: bash
-        run: |
-          eval $(opam env)
-          make
-
+        run: make
       - name: Check for changes
         run: |
           git diff --exit-code || {
 
@@ -16,51 +16,57 @@ permissions:
 jobs:
   compatibility:
     runs-on: ubuntu-latest
-    container: returntocorp/ocaml:alpine
     steps:
     - name: Checkout tree
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
       with:
         fetch-depth: 0
         fetch-tags: true
-
+    - uses: semgrep/setup-ocaml@ce6a88f72f48e02a172c93eb93177b21659e7032
+      with:
+        cache-prefix: v1
+        ocaml-compiler: 5.3.0
+        opam-pin: false
+        save-opam-post-run: true
+    - name: install deps
+      run: make setup
     - name: atddiff all supported tags
       id: diff
       shell: bash
       run: |
         set -x
-
         git config --global --add safe.directory "$(pwd)"
-
-        # github actions sets HOME=/home/github where we don't have an opam env
-        eval $(HOME=/root opam env)
-        apk add jq
-
-        # check / print version of atddiff
-        atddiff --version
-
-        # run the checks
-        echo -ne 'Backwards compatibility summary:\n\n```' > summary-00-header.txt
-        echo '```' >> summary-20-footer.txt
-
         # fail if check command fails
         set -o pipefail
-        ./scripts/check-backwards-compatibility | tee summary-10-body.txt
+        # make it easier for people to check compatibility
+        make test-schema-validation > summary.txt
 
-    - uses: marocchino/sticky-pull-request-comment@v2
+    - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405
       if: ${{ !cancelled() }}
       with:
         header: diff-summary
-        path: summary-*.txt
+        path: summary.txt
 
   mypy:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout tree
-      uses: actions/checkout@v4
-
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+    - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
+      with:
+        enable-cache: auto
+        python-version: "3.11"
+        version: 0.9.26
     - name: Run mypy on semgrep_output_v1.py
-      run: |
-        pip install mypy
-        rm __init__.py # because dir has a - in it
-        mypy semgrep_output_v1.py
+      run: make typecheck
+
+  schema-validation:
+    - name: Checkout tree
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+    - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
+      with:
+        enable-cache: auto
+        python-version: "3.11"
+        version: 0.9.26
+    - name: check schema compatible
+      run: make test-schema-validation
@@ -10,3 +10,7 @@ Language
 # Generated by ./scripts/check-backwards-compatibility
 before.txt
 after.txt
+
+*.ast.json
+
+typecheck
@@ -42,67 +42,69 @@ build: $(FILES)
 # need atdpy >= 2.12.0 for semgrep_metric.py
 # need atdpy >= 2.11.0 to support parametrized types
 %.py: %.atd
-	atdpy $<
+	opam exec -- atdpy $<
 
 # -j-defaults is for producing '"field" = []' instead of omitting the field
 # if it's defined as '~field: item list'.
 # This allows us to produce the same JSON output with pysemgrep and osemgrep
 # since atdpy keeps it simple and will always output '"field" = []'.
 %_j.ml %_j.mli: %.atd
-	atdgen -j -j-std -j-defaults $<
+	opam exec -- atdgen -j -j-std -j-defaults $<
 
 %_t.ml %_t.mli: %.atd
-	atdgen -t $<
+	opam exec -- atdgen -t $<
 
 # need atdts >= 2.13.0
 %.ts: %.atd
-	atdts $<
+	opam exec -- atdts $<
 
 # need atdcat >= 2.6.0
 semgrep_output_$(VER).jsonschema: semgrep_output_$(VER).atd
-	atdcat -jsonschema cli_output $< > $@
+	opam exec -- atdcat -jsonschema cli_output $< > $@
 
 semgrep_output_$(VER).proto: semgrep_output_$(VER).jsonschema
 	scripts/jsonschema2protobuf.py $< semgrep_output_$(VER) > $@
 
 # The call to ocamlc is just to typecheck the generated OCaml files
 Language.ml Language.mli lang.json: generate.py
-	mypy generate
+	uvx mypy generate
 	./generate
-	ocamlc -o Language Language.mli Language.ml
+	opam exec -- ocamlc -o Language Language.mli Language.ml
 
 .PHONY: clean
 clean:
 	rm -f $(FILES) Language
 
+.PHONY: dev-setup
+dev-setup:
+	opam switch create semgrep-interfaces-dev 5.3.0
+	$(MAKE) setup
+
 # This takes a while but ensures we use the correct versions of the atd tools.
 .PHONY: setup
 setup:
-	opam update -y
 	opam install -y --deps-only ./semgrep-interfaces.opam
-	# Please install check-jsonschema (Python tool) if this fails:
-	check-jsonschema --version
-
-.PHONY: setup-PYTHON
-setup-PYTHON:
-	pip install check-jsonschema
-	pip install mypy
+	jq --version > /dev/null || (echo "jq is required to run the tests" && exit 1)
+
+.PHONY: test-backwards-compatibility
+test-backwards-compatibility:
+	opam exec -- ./scripts/check-backwards-compatibility
+
+.PHONY: test-schema-validation
+test-schema-validation:
+	uv run ./scripts/validate.py rule_schema_v1.yaml tests/jsonschema/rules
+
+# putting these files in their own dir is a workaround so we don't have to
+# delete __init__.py. running mypy normally doesn't work since the folder name
+# has a - in it which isn't allowed
+# TODO? rename the repo to semgrep_interfaces to avoid this hack?
+.PHONY: typecheck
+typecheck:
+	mkdir -p typecheck
+	ln -s ../semgrep_output_v1.py typecheck/semgrep_output_v1.py
+	ln -s ../semgrep_metrics.py typecheck/semgrep_metrics.py
+	uvx mypy@1.19.1 -p typecheck
 
 # The tests require semgrep-core, among other things.
 .PHONY: test
-test:
-	$(MAKE) -C tests
-
-###############################################################################
-# Pad's targets
-###############################################################################
-
-pr:
-	git push origin `git rev-parse --abbrev-ref HEAD`
-	hub pull-request -b main -r returntocorp/pa
-
-push:
-	git push origin `git rev-parse --abbrev-ref HEAD`
-
-merge:
-	A=`git rev-parse --abbrev-ref HEAD` && git checkout main && git pull && git branch -D $$A
+test: test-backwards-compatibility test-schema-validation typecheck
@@ -10,10 +10,9 @@ This repository is meant to be used as a submodule.
 You may need to install opam and mypy as pre-requisites for contributing to this repository.
 
 To update an interface:
-1. Run `make setup`
-2. Run `eval $(opam env)`
-3. Make changes to the appropriate .atd file or edit `generate.py`
-4. Run `make`. This will propagate that change to the respective .py, .ts, .ml, etc.
+1. Run `make dev-setup`
+2. Make changes to the appropriate .atd file or edit `generate.py`
+3. Run `make`. This will propagate that change to the respective .py, .ts, .ml, etc.
 
 ---
 
 
@@ -15,18 +15,19 @@ set -euo pipefail
 version_url="https://semgrep.dev/api/check-version"
 min_version=$(curl -s "$version_url" | jq -r '.versions.minimum')
 if [[ -z "$min_version" ]]; then
-  echo "Failed to obtain minimum supported version from $version_url" >&2
-  exit 1
+    echo "Failed to obtain minimum supported version from $version_url" >&2
+    exit 1
 fi
 
+printf "Backwards compatibility summary:\n"
 minimum="v${min_version}"
 tags=$(git log --simplify-by-decoration --pretty=format:%D "${minimum}^!" origin/main | grep -o 'tag: [^,)]\+' | sed 's/^tag: //' | sort -n)
 
 checked=("dummy")
 errors=0
 for tag in $tags; do
     commit=$(git rev-list -n 1 "$tag")
-    if [[ "${checked[*]}" =~ "$commit" ]]; then
+    if [[ "${checked[*]}" =~ $commit ]]; then
         echo "Skipping $tag because commit $commit has already been checked"
         continue
     fi
@@ -50,7 +51,7 @@ for tag in $tags; do
     atddiff_options="--exit-success --no-locations --backward --types ci_scan_complete,ci_scan_complete_response,ci_scan_failure,ci_scan_results,ci_scan_results_response,cli_output,datetime,deployment_response,diff_files,partial_scan_result,scan_config,scan_request,scan_response,tests_result"
 
     git difftool --trust-exit-code -x "atddiff $atddiff_options" -y \
-        "$tag" "origin/main" -- semgrep_output_v1.atd > before.txt
+        "$tag" "origin/main" -- semgrep_output_v1.atd >before.txt
     # The exit code is 0 if atddiff's exit code is 0, and it's an
     # unspecified nonzero value if atddiff's exit code is not 0 (but
     # not the same nonzero value!)
@@ -61,7 +62,7 @@ for tag in $tags; do
         exit 1
     fi
     git difftool --trust-exit-code -x "atddiff $atddiff_options" -y \
-        "$tag" "HEAD" -- semgrep_output_v1.atd > after.txt
+        "$tag" "HEAD" -- semgrep_output_v1.atd >after.txt
     ret=$?
     if [[ "$ret" -ne 0 ]]; then
         echo "ERROR: atddiff had an error: git difftool exit $ret"
 
@@ -0,0 +1,82 @@
+# /// script
+# requires-python = ">=3.12"
+# dependencies = [
+#     "jsonschema>=4.0.0",
+#     "pyyaml>=6.0",
+# ]
+# ///
+"""
+Use a JSON Schema validator to check input files that should pass or fail.
+
+A file with the .ok.yaml extension is expected to pass validation.
+A file with the .fail.yaml extension is expected to fail.
+"""
+
+import glob
+import json
+import sys
+from pathlib import Path
+
+import yaml
+from jsonschema import ValidationError, validate
+
+
+def load_schema(schema_path: str) -> dict:
+    text = Path(schema_path).read_text()
+    if schema_path.endswith(".yaml") or schema_path.endswith(".yml"):
+        return yaml.safe_load(text)
+    return json.loads(text)
+
+
+def load_instance(instance_path: str) -> object:
+    text = Path(instance_path).read_text()
+    if instance_path.endswith(".yaml") or instance_path.endswith(".yml"):
+        return yaml.safe_load(text)
+    return json.loads(text)
+
+
+def validate_file(schema: dict, instance_path: str) -> bool:
+    """Returns True if validation passes, False if it fails."""
+    instance = load_instance(instance_path)
+    try:
+        validate(instance=instance, schema=schema)
+        return True
+    except ValidationError:
+        return False
+
+
+def main() -> None:
+    if len(sys.argv) != 3:
+        print(f"Usage: {sys.argv[0]} <schema_file> <input_dir>", file=sys.stderr)
+        sys.exit(2)
+
+    schema_file = sys.argv[1]
+    input_dir = sys.argv[2]
+
+    schema = load_schema(schema_file)
+
+    exit_code = 0
+
+    # Check well-formed files
+    ok_files = sorted(glob.glob(f"{input_dir}/*.ok.yaml"))
+    for input_file in ok_files:
+        if validate_file(schema, input_file):
+            print(f"OK: {input_file}")
+        else:
+            print(f"*** {input_file}: should have passed validation", file=sys.stderr)
+            exit_code = 1
+
+    # Check that malformed files are detected
+    fail_files = sorted(glob.glob(f"{input_dir}/*.fail.yaml"))
+    for input_file in fail_files:
+        if validate_file(schema, input_file):
+            print(f"*** {input_file}: should have failed validation", file=sys.stderr)
+            exit_code = 1
+        else:
+            print(f"XFAIL (failed as expected): {input_file}")
+
+    sys.exit(exit_code)
+
+
+if __name__ == "__main__":
+    main()
@@ -17,15 +17,5 @@ depends: [
   "atdpy" {>= "3.0.0"}
   "atdts" {>= "2.13.0"}
   "atdgen" {>= "3.0.1"}
-]
-
-#TODO: we don't build on ubuntu or debian ever, and they are not packages there,
-# so let's just ignore it for now
-#["check-jsonschema"] {os-family = "debian"}
-#["check-jsonschema"] {os-family = "ubuntu"}
-depexts: [
-   ["check-jsonschema"] {os-distribution = "alpine"}
-   ["check-jsonschema"] {os = "macos" & os-distribution = "homebrew"}
-   ["check-jsonschema"] {os = "macos" & os-distribution = "macports"}
-   ["check-jsonschema"] {os = "win32" & os-distribution = "macports"}
+  "conf-jq"
 ]