feat: run plugin-validator as part of CI (opt-in)

.github/workflows/cd.yml

@@ -185,7 +185,31 @@ on:
         type: string
         required: false
 
-      # Artifacts attestation for build provenance
+      # Feature toggle: plugin-validator
+      run-plugin-validator:
+        description: Whether to run plugin-validator.
+        type: boolean
+        required: false
+        default: false
+      plugin-validator-config:
+        description: |
+          Content of the plugin validator configuration file (yaml) to use.
+          It has higher priority than `plugin-validator-config-path` input.
+          If not provided, the action will look for the file specified in `plugin-validator-config-path` input instead.
+          If neither is provided, a default configuration will be used.
+        type: string
+        required: false
+        default: ""
+      plugin-validator-config-path:
+        description: |
+          Path to the plugin validator configuration file (yaml) to use.
+          It will be used only if `plugin-validator-config` input is not provided.
+          If not provided, a default configuration will be used.
+        type: string
+        required: false
+        default: ""
+
+      # Feature toggle: Artifacts attestation for build provenance
       attestation:
         description: Create a verifiable attestation for the plugin using Github OIDC.
         type: boolean
@@ -389,12 +413,20 @@ jobs:
     with:
       branch: ${{ inputs.branch }}
       plugin-directory: ${{ inputs.plugin-directory }}
+      plugin-version-suffix: ${{ needs.setup.outputs.plugin-version-suffix }}
+
       package-manager: ${{ inputs.package-manager }}
       npm-registry-auth: ${{ inputs.npm-registry-auth }}
+
       go-version: ${{ inputs.go-version }}
       go-setup-caching: ${{ inputs.go-setup-caching }}
       node-version: ${{ inputs.node-version }}
       golangci-lint-version: ${{ inputs.golangci-lint-version }}
+
+      run-plugin-validator: ${{ inputs.run-plugin-validator }}
+      plugin-validator-config: ${{ inputs.plugin-validator-config }}
+      plugin-validator-config-path: ${{ inputs.plugin-validator-config-path }}
+
       run-playwright: ${{ inputs.run-playwright }}
       run-playwright-docker: ${{ inputs.run-playwright-docker }}
       run-playwright-with-grafana-dependency: ${{ inputs.run-playwright-with-grafana-dependency }}
@@ -406,14 +438,17 @@ jobs:
       playwright-config: ${{ inputs.playwright-config }}
       playwright-grafana-url: ${{ inputs.playwright-grafana-url }}
       playwright-secrets: ${{ inputs.playwright-secrets }}
+
       run-trufflehog: ${{ inputs.run-trufflehog }}
       trufflehog-version: ${{ inputs.trufflehog-version }}
       trufflehog-include-detectors: ${{ inputs.trufflehog-include-detectors }}
       trufflehog-exclude-detectors: ${{ inputs.trufflehog-exclude-detectors }}
-      plugin-version-suffix: ${{ needs.setup.outputs.plugin-version-suffix }}
+
       frontend-secrets: ${{ inputs.frontend-secrets }}
       backend-secrets: ${{ inputs.backend-secrets }}
+
       environment: ${{ inputs.environment }}
+
       allow-unsigned: ${{ inputs.allow-unsigned }}
       signature-type: ${{ inputs.signature-type }}
 

.github/workflows/ci.yml

@@ -161,6 +161,30 @@ on:
         type: string
         required: false
 
+      # Feature toggle: plugin-validator
+      run-plugin-validator:
+        description: Whether to run plugin-validator.
+        type: boolean
+        required: false
+        default: false
+      plugin-validator-config:
+        description: |
+          Content of the plugin validator configuration file (yaml) to use.
+          It has higher priority than `plugin-validator-config-path` input.
+          If not provided, the action will look for the file specified in `plugin-validator-config-path` input instead.
+          If neither is provided, a default configuration will be used.
+        type: string
+        required: false
+        default: ""
+      plugin-validator-config-path:
+        description: |
+          Path to the plugin validator configuration file (yaml) to use.
+          It will be used only if `plugin-validator-config` input is not provided.
+          If not provided, a default configuration will be used.
+        type: string
+        required: false
+        default: ""
+
       # Options for building PRs. Those values should come from the PR event and should not be set manually.
       plugin-version-suffix:
         description: |
@@ -438,6 +462,58 @@ jobs:
           include-detectors: ${{ inputs.trufflehog-include-detectors }}
           exclude-detectors: ${{ inputs.trufflehog-exclude-detectors }}
 
+      - name: plugin-validator
+        if: ${{ inputs.run-plugin-validator == true }}
+        run: |
+          if [ -n "${PLUGIN_VALIDATOR_CONFIG}" ]; then
+            # User-provided configuration content
+            echo "Using provided plugin-validator configuration content."
+            PLUGIN_VALIDATOR_CONFIG_PATH=".plugin-validator.yaml"
+            echo "${PLUGIN_VALIDATOR_CONFIG}" > ${PLUGIN_VALIDATOR_CONFIG_PATH}
+          elif [ -n "${PLUGIN_VALIDATOR_CONFIG_PATH}" ]; then
+            # User-provided configuration file path
+            echo "Using plugin-validator configuration file at path: ${PLUGIN_VALIDATOR_CONFIG_PATH}"
+            if [ ! -f "${PLUGIN_VALIDATOR_CONFIG_PATH}" ]; then
+              echo "::error title=plugin-validator: missing config file::${PLUGIN_VALIDATOR_CONFIG_PATH} configuration file is missing."
+              exit 1
+            fi
+          else
+            # Default hardcoded configuration
+            PLUGIN_VALIDATOR_CONFIG_PATH=".plugin-validator.yaml"
+            echo "${PLUGIN_VALIDATOR_CONFIG_PATH} configuration file is missing. Providing a default one as fallback."
+            cat <<EOF > "${PLUGIN_VALIDATOR_CONFIG_PATH}"
+          global:
+            enabled: true
+          EOF
+          fi
+
+          echo "Using configuration:"
+          cat "${PLUGIN_VALIDATOR_CONFIG_PATH}"
+
+          # Create an empty dir for mounting it instead of node_modules, otherwise some validator analyzers
+          # will recurse into the plugin's directory (including node_modules).
+          mkdir -p /tmp/empty
+
+          # Do not run clamav because it takes too long
+          docker run --name=plugin-validator --pull=always \
+            -v "$PWD/${PLUGIN_VALIDATOR_CONFIG_PATH}:/workspace/.plugin-validator.yaml:ro" \
+            -v "$PWD/dist-artifacts:/workspace/dist-artifacts:ro" \
+            -v "$PWD/${PLUGIN_DIRECTORY}:/workspace" \
+            -v "/tmp/empty:/workspace/node_modules" \
+            -e SKIP_CLAMAV=1 \
+            grafana/plugin-validator-cli \
+            -ghaOutput \
+            -config=/workspace/.plugin-validator.yaml \
+            -sourceCodeUri=file:///workspace \
+            "/workspace/dist-artifacts/${UNIVERSAL_ZIP}"
+          exit "$(docker inspect plugin-validator --format='{{.State.ExitCode}}')"
+        env:
+          UNIVERSAL_ZIP: ${{ steps.universal-zip.outputs.zip }}
+          PLUGIN_VALIDATOR_CONFIG: ${{ inputs.plugin-validator-config }}
+          PLUGIN_VALIDATOR_CONFIG_PATH: ${{ inputs.plugin-validator-config-path }}
+          PLUGIN_DIRECTORY: ${{ inputs.plugin-directory }}
+        shell: bash
+
       - name: Define outputs
         id: outputs
         run: |

.github/workflows/test-ci.yml

@@ -59,3 +59,5 @@ jobs:
 
       # TODO: enable in a follow-up PR
       run-playwright: false
+
+      run-plugin-validator: true