filecoin-project · rvagg · Dec 18, 2024 · Nov 27, 2024 · Nov 28, 2024 · Nov 28, 2024
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,101 @@
+name: Dependency Check
+
+on:
+  pull_request:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/dependency-check.yml'
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+    name: Dependency Check
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+      - id: dependencies
+        env:
+          ALLOWED: |
+            [
+              {
+                "Path": "github.com/filecoin-project/go-data-transfer/v2",
+                "Version": "v2.0.0-rc7",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "github.com/filecoin-project/go-state-types",
+                "Version": "v0.16.0-dev",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "github.com/syndtr/goleveldb",
+                "Version": "v1.0.1-0.20210819022825-2ae1ddf74ef7",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "github.com/xorcare/golden",
+                "Version": "v0.6.1-0.20191112154924-b87f686d7542",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "github.com/xordataexchange/crypt",
+                "Version": "v0.0.3-0.20170626215501-b2862e3d0a77",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "github.com/yugabyte/pgx/v5",
+                "Version": "v5.5.3-yb-2",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "go.dedis.ch/kyber/v4",
+                "Version": "v4.0.0-pre2.0.20240924132404-4de33740016e",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "gopkg.in/check.v1",
+                "Version": "v1.0.0-20201130134442-10cb98267c6c",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "gopkg.in/tomb.v1",
+                "Version": "v1.0.0-20141024135613-dd632973f1e7",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "honnef.co/go/tools",
+                "Version": "v0.0.1-2020.1.4",
+                "Reason": "unknown"
+              },
+              {
+                "Path": "github.com/quic-go/webtransport-go",
+                "Version": "v0.8.1-0.20241018022711-4ac2c9250e66",
+                "Reason": "unknown"
+              }
+            ]
+        run: |
+          echo "unreleased<<EOF" >> $GITHUB_OUTPUT
+          go list -m -json all |
+            jq -s '
+              (
+                map({Path: .Path, Version: .Version}) |
+                map(select(.Version | test("^v\\d+\\.\\d+\\.\\d+-")?)) |
+                map(select(.Version | test("^v0\\.0\\.0-")? | not))
+              ) - (
+                env.ALLOWED | fromjson |
+                map({Path: .Path, Version: .Version})
+              )
+            ' | tee -a $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+      - if: steps.dependencies.outputs.unreleased != '[]'
+        env:
+          MESSAGE: |
+            A new unreleased dependency was discovered in this PR. Please do one of the options in [dependency management conventions](https://github.com/filecoin-project/lotus/blob/master/CONTRIBUTING.md#dependency-management)
+
+            Unreleased dependencies:
+            ${{steps.dependencies.outputs.unreleased}}
+        run: |
+          echo "::error::${MESSAGE//$'\n'/%0A}"
+          exit 1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -49,7 +49,7 @@ Note that this is enforced with https://github.com/filecoin-project/lotus/blob/m
 
 ## CHANGELOG Management
 
-To expedite the release process, the CHANGELOG is built-up incrementally.  
+To expedite the release process, the CHANGELOG is built-up incrementally.
 We enforce that each PR updates CHANGELOG.md or signals that the change doesn't need it.
 If the PR affects users (e.g., new feature, bug fix, system requirements change), update the CHANGELOG.md and add details to the UNRELEASED section.
 If the change does not require a CHANGELOG.md entry, do one of the following:
@@ -58,6 +58,14 @@ If the change does not require a CHANGELOG.md entry, do one of the following:
 
 Note that this is enforced with https://github.com/filecoin-project/lotus/blob/master/.github/workflows/changelog.yml
 
+## Dependency Management
+
+We enforce that each dependency on an unreleased version of a package, as long as said package has any released versions (i.e. it is not a `v0.0.0`), is explicitly documented in the `ALLOWED` list stored in [.github/workflows/dependency-check.yml](.github/workflows/dependency-check.yml).
+If you are adding such a dependency, please add it to the `ALLOWED` list.
+Please note that this requirement applies both to direct and indirect dependencies.
+
+Note that this is enforced with https://github.com/filecoin-project/lotus/blob/master/.github/workflows/dependency-check.yml
+
 ## Markdown Conventions
 We optimize our markdown files for viewing on GitHub. That isn't to say other syntaxes can't be used, but that is the flavor we focus on and at the minimum don't want to break.