authzed · tstirrat15 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -13,11 +13,11 @@ jobs:
     name: "Lint & Publish Draft/Branch"
     runs-on: "ubuntu-latest"
     steps:
-      - uses: "actions/checkout@v3"
+      - uses: "actions/checkout@v4"
       - uses: "authzed/actions/yaml-lint@main"
-      - uses: "bufbuild/buf-setup-action@v1.32.2"
+      - uses: "bufbuild/buf-setup-action@v1.47.2"
         with:
-          version: "1.30.0"
+          github_token: "${{ github.token }}"
       - uses: "bufbuild/buf-lint-action@v1"
       - uses: "bufbuild/buf-breaking-action@v1"
         if: "github.event_name == 'pull_request'"

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,10 +9,10 @@ jobs:
     name: "Push BSR tag"
     runs-on: "ubuntu-latest"
     steps:
-      - uses: "actions/checkout@v3"
-      - uses: "bufbuild/buf-setup-action@v1.32.2"
+      - uses: "actions/checkout@v4"
+      - uses: "bufbuild/buf-setup-action@v1.47.2"
         with:
-          version: "1.30.0"
+          github_token: "${{ github.token }}"
       - name: "push release name to BSR"
         run:
           "buf push --tag ${{ github.ref_name }}"

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: "https://github.com/bufbuild/buf"
-    rev: "v1.6.0"
+    rev: "v1.47.2"
     hooks:
       - id: "buf-lint"
   - repo: "https://github.com/adrienverge/yamllint.git"

diff --git a/authzed/api/materialize/v0/watchpermissions.proto b/authzed/api/materialize/v0/watchpermissions.proto
@@ -4,8 +4,8 @@ package authzed.api.materialize.v0;
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
-option java_package = "com.authzed.api.materialize.v0";
 option java_multiple_files = true;
+option java_package = "com.authzed.api.materialize.v0";
 
 service WatchPermissionsService {
   // WatchPermissions returns a stream of PermissionChange events for the given permissions.

diff --git a/authzed/api/materialize/v0/watchpermissionsets.proto b/authzed/api/materialize/v0/watchpermissionsets.proto
@@ -4,8 +4,8 @@ package authzed.api.materialize.v0;
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
-option java_package = "com.authzed.api.materialize.v0";
 option java_multiple_files = true;
+option java_package = "com.authzed.api.materialize.v0";
 
 service WatchPermissionSetsService {
   // WatchPermissionSets returns a stream of changes to the sets which can be used to compute the watched permissions.
@@ -55,7 +55,7 @@ service WatchPermissionSetsService {
   // and the revision token from the last LookupPermissionSets response.
   rpc LookupPermissionSets(LookupPermissionSetsRequest) returns (stream LookupPermissionSetsResponse) {}
 }
-  
+
 message WatchPermissionSetsRequest {
   // optional_starting_after is used to specify the SpiceDB revision to start watching from.
   // If not specified, the watch will start from the current SpiceDB revision time of the request ("head revision").
@@ -152,21 +152,21 @@ message PermissionSetChange {
 }
 
 message SetReference {
-    // object_type is the type of object in a permission set
-    string object_type = 1;
-    // object_id is the ID of a permission set
-    string object_id = 2;
-    // permission_or_relation is the permission or relation referenced by this permission set
-    string permission_or_relation = 3;
+  // object_type is the type of object in a permission set
+  string object_type = 1;
+  // object_id is the ID of a permission set
+  string object_id = 2;
+  // permission_or_relation is the permission or relation referenced by this permission set
+  string permission_or_relation = 3;
 }
 
 message MemberReference {
-    // object_type is the type of object of a permission set member
-    string object_type = 1;
-    // object_id is the ID of a permission set member
-    string object_id = 2;
-    // optional_permission_or_relation is the permission or relation referenced by this permission set member
-    string optional_permission_or_relation = 3;
+  // object_type is the type of object of a permission set member
+  string object_type = 1;
+  // object_id is the ID of a permission set member
+  string object_id = 2;
+  // optional_permission_or_relation is the permission or relation referenced by this permission set member
+  string optional_permission_or_relation = 3;
 }
 
 // LookupPermissionSetsRequired is a signal that the consumer should perform a LookupPermissionSets call because

diff --git a/authzed/api/v0/core.proto b/authzed/api/v0/core.proto
@@ -1,11 +1,12 @@
 syntax = "proto3";
 package authzed.api.v0;
 
+import "buf/validate/validate.proto";
+import "validate/validate.proto";
+
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v0";
 option java_package = "com.authzed.api.v0";
 
-import "validate/validate.proto";
-
 message RelationTuple {
   // Each tupleset specifies keys of a set of relation tuples. The set can
   // include a single tuple key, or all tuples with a given object ID or
@@ -18,41 +19,80 @@ message RelationTuple {
   // doc:12345#writer#* (all tuples with direct write relationship with the
   // document) doc:#writer#group:eng#member (all tuples that eng group has write
   // relationship)
-  ObjectAndRelation object_and_relation = 1
-      [ (validate.rules).message.required = true ];
-  User user = 2 [ (validate.rules).message.required = true ];
+  ObjectAndRelation object_and_relation = 1 [
+    (validate.rules).message.required = true,
+    (buf.validate.field).required = true
+  ];
+  User user = 2 [
+    (validate.rules).message.required = true,
+    (buf.validate.field).required = true
+  ];
 }
 
 message ObjectAndRelation {
-  string namespace = 1 [ (validate.rules).string = {
-    pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
-    max_bytes : 128,
-  } ];
-  string object_id = 2 [ (validate.rules).string = {
-    pattern : "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$",
-    max_bytes : 128,
-  } ];
-  string relation = 3 [ (validate.rules).string = {
-    pattern : "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$",
-    max_bytes : 64,
-  } ];
+  string namespace = 1 [
+    (validate.rules).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    },
+    (buf.validate.field).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    }
+  ];
+  string object_id = 2 [
+    (validate.rules).string = {
+      pattern: "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$"
+      max_bytes: 128
+    },
+    (buf.validate.field).string = {
+      pattern: "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$"
+      max_bytes: 128
+    }
+  ];
+  string relation = 3 [
+    (validate.rules).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    },
+    (buf.validate.field).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    }
+  ];
 }
 
 message RelationReference {
-  string namespace = 1 [ (validate.rules).string = {
-    pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
-    max_bytes : 128,
-  } ];
-  string relation = 3 [ (validate.rules).string = {
-    pattern : "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$",
-    max_bytes : 64,
-  } ];
+  string namespace = 1 [
+    (validate.rules).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    },
+    (buf.validate.field).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    }
+  ];
+  string relation = 3 [
+    (validate.rules).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    },
+    (buf.validate.field).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    }
+  ];
 }
 
 message User {
   oneof user_oneof {
     option (validate.required) = true;
+    option (buf.validate.oneof).required = true;
 
-    ObjectAndRelation userset = 2 [ (validate.rules).message.required = true ];
+    ObjectAndRelation userset = 2 [
+      (validate.rules).message.required = true,
+      (buf.validate.field).required = true
+    ];
   }
-}
+}
diff --git a/authzed/api/v0/developer.proto b/authzed/api/v0/developer.proto
@@ -1,11 +1,11 @@
 syntax = "proto3";
 package authzed.api.v0;
 
+import "authzed/api/v0/core.proto";
+
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v0";
 option java_package = "com.authzed.api.v0";
 
-import "authzed/api/v0/core.proto";
-
 service DeveloperService {
   rpc EditCheck(EditCheckRequest) returns (EditCheckResponse) {}
   rpc Validate(ValidateRequest) returns (ValidateResponse) {}
@@ -126,7 +126,7 @@ message DeveloperError {
   uint32 column = 3;
   Source source = 4;
   ErrorKind kind = 5;
-  
+
   repeated string path = 6;
 
   // context holds the context for the error. For schema issues, this will be the