Conversation

@xnyo (Collaborator) commented Nov 3, 2025

Part of #354.

Example runs can be found in the smoke tests for this PR, which have been updated to run the validator.

For example: https://github.com/grafana/plugin-ci-workflows/actions/runs/19139877974/job/54701694400?pr=366

(see the annotations at the top)

@xnyo xnyo self-assigned this Nov 3, 2025
@xnyo xnyo added the enhancement New feature or request label Nov 3, 2025
@xnyo xnyo moved this from 📬 Triage to 🧑‍💻 In development in Plugins Platform / Grafana Community Nov 3, 2025
@xnyo xnyo marked this pull request as ready for review November 7, 2025 12:33
@xnyo xnyo requested review from a team as code owners November 7, 2025 12:33
@xnyo xnyo requested review from academo, s4kh and toddtreece November 7, 2025 12:33
@xnyo xnyo moved this from 🧑‍💻 In development to 🔬 In review in Plugins Platform / Grafana Community Nov 7, 2025
@xnyo xnyo requested a review from briangann November 7, 2025 12:33
echo "${PLUGIN_VALIDATOR_CONFIG_FILE}" > .plugin-validator.yaml
PLUGIN_VALIDATOR_CONFIG_PATH=.plugin-validator.yaml
cat ${PLUGIN_VALIDATOR_CONFIG_PATH}
elif [ -f "${PLUGIN_VALIDATOR_CONFIG_PATH}" ]; then
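Review bot: `cat ${PLUGIN_VALIDATOR_CONFIG_PATH}` is the one unquoted expansion in this block; a path containing spaces or glob characters would be word-split or expanded, so use `cat "${PLUGIN_VALIDATOR_CONFIG_PATH}"` like the other lines. Writing the raw YAML with `echo "${PLUGIN_VALIDATOR_CONFIG_FILE}"` is also shell-dependent (dash interprets backslash escapes, and some shells treat a leading `-n` or `-e` as an option), so `printf '%s\n' "${PLUGIN_VALIDATOR_CONFIG_FILE}" > .plugin-validator.yaml` writes the content verbatim.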
Contributor
This can silently fail, because if the user defined a value here but the file doesn't exist, we are now going to use the default.

Maybe if the user defines a path (non-empty var) and it doesn't exist (`-f`) we fail?

Collaborator Author

Good point. I have changed the inputs so they are considered in the following order:

  1. Raw yaml config content (if set) has the highest priority
  2. Then, config file path (if set) is checked. If the file doesn't exist, it now errors out rather than falling back to the hardcoded config. If it's a directory, it errors out as well
  3. If neither of the above is provided, the default hardcoded config is used instead

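The precedence described in the reply above, as an added example that is not the workflow's own code: raw YAML content wins, a supplied path must be an existing regular file (a missing path or a directory is an error rather than a silent fallback), and only then does the built-in default apply. The default config path and the output directory are assumed parameters; the workflow's variable names appear only in comments.

```shell
#!/usr/bin/env sh
# Added example, not the workflow's own code. Resolves the validator config
# with the precedence described in the comment above:
#   1. raw YAML content (PLUGIN_VALIDATOR_CONFIG_FILE in the workflow) wins
#   2. else PLUGIN_VALIDATOR_CONFIG_PATH must be an existing regular file;
#      a missing path or a directory is an error, never a silent fallback
#   3. else the built-in default config is used
# The default config path and the output directory are assumed parameters.
# Prints the config path to use on stdout; returns non-zero on error.
resolve_validator_config() {
  raw_content="$1"   # raw YAML content, may be empty
  cfg_path="$2"      # user-supplied path, may be empty
  default_cfg="$3"   # path of the hardcoded default config (assumed)
  work_dir="$4"      # directory for the generated file (assumed)

  if [ -n "$raw_content" ]; then
    # printf writes the YAML verbatim; echo may mangle backslashes or
    # a leading "-n"/"-e" depending on the shell
    printf '%s\n' "$raw_content" > "$work_dir/.plugin-validator.yaml"
    printf '%s\n' "$work_dir/.plugin-validator.yaml"
    return 0
  fi

  if [ -n "$cfg_path" ]; then
    if [ -d "$cfg_path" ]; then
      echo "error: config path '$cfg_path' is a directory" >&2
      return 2
    fi
    if [ ! -f "$cfg_path" ]; then
      echo "error: config file '$cfg_path' does not exist" >&2
      return 2
    fi
    printf '%s\n' "$cfg_path"
    return 0
  fi

  printf '%s\n' "$default_cfg"
}

# Constructed demo input: no raw content and no path, so the default is used.
demo_dir=$(mktemp -d)
printf '# constructed default config\n' > "$demo_dir/default.yaml"
resolve_validator_config '' '' "$demo_dir/default.yaml" "$demo_dir"
```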
mkdir -p /tmp/empty
# Do not run clamav because it takes too long (and because it would scan node_modules as well)
docker run --name=plugin-validator --pull=always \
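Review bot: `--pull=always` means every run fetches whatever the image tag currently resolves to, so the validator version this step runs can change between runs without any change to this repository; if the image reference on the continuation line (not shown in this snippet) is a mutable tag, pin it by digest so the scan results stay reproducible.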
Contributor

If we are not going to run clamav, we might benefit from using npx directly, which can be faster than pulling and running the whole docker image? Just see if that might speed up things.

Collaborator Author

What about semgrep, osv-scanner and gosec? The readme specifies they should be installed:

https://github.com/grafana/plugin-validator?tab=readme-ov-file#security-tools

I am not sure about osv-scanner because it looks like it's being used as a library and it should work even if it's not installed on the system.

semgrep requires the executable: https://github.com/grafana/plugin-validator/blob/e985ef06cef56f260ed0af03fa08b94f495e952a/pkg/analysis/passes/coderules/coderules.go#L95

gosec too: https://github.com/grafana/plugin-validator/blob/e985ef06cef56f260ed0af03fa08b94f495e952a/pkg/analysis/passes/gosec/gosec.go#L43

Contributor

You are correct. semgrep and gosec require a system install. osv-scanner uses the Go library, so it works via npx.

@xnyo xnyo requested a review from academo November 10, 2025 11:29
@xnyo xnyo requested a review from academo November 11, 2025 09:35