Add protovalidate as alternative to protoc-gen-validate

.github/workflows/lint.yaml

@@ -8,34 +8,25 @@ on:
   pull_request:
     branches:
       - "*"
+    types:
+      # This makes the buf checks run again when attributes of the PRs change.
+      - "ready_for_review"
+      - "labeled"
+      - "unlabeled"
+      # These are the defaults
+      - "opened"
+      - "synchronize"
+      - "reopened"
+
+
 jobs:
   lint:
     name: "Lint & Publish Draft/Branch"
     runs-on: "ubuntu-latest"
     steps:
-      - uses: "actions/checkout@v3"
+      - uses: "actions/checkout@v4"
       - uses: "authzed/actions/yaml-lint@main"
-      - uses: "bufbuild/buf-setup-action@v1.32.2"
+      - uses: "bufbuild/buf-action@v1"
         with:
-          version: "1.30.0"
-      - uses: "bufbuild/buf-lint-action@v1"
-      - uses: "bufbuild/buf-breaking-action@v1"
-        if: "github.event_name == 'pull_request'"
-        env:
-          BUF_INPUT_HTTPS_USERNAME: "${{ github.actor }}"
-          BUF_INPUT_HTTPS_PASSWORD: "${{ github.token }}"
-        with:
-          against: "https://github.com/authzed/api.git#branch=main"
-          buf_token: "${{ secrets.BUF_REGISTRY_TOKEN }}"
-      - name: "Push to BSR a Draft"
-        if: "github.event_name == 'push' && github.ref == 'refs/heads/main'"
-        shell: "bash"
-        env:
-          BUF_TOKEN: "${{ secrets.BUF_REGISTRY_TOKEN }}"
-        run: "buf push --draft ${{ github.sha }}"
-      - name: "Push to BSR a Branch"
-        if: "github.event_name == 'push' && github.ref != 'refs/heads/main'"
-        shell: "bash"
-        env:
-          BUF_TOKEN: "${{ secrets.BUF_REGISTRY_TOKEN }}"
-        run: "buf push --branch ${{ github.sha }}"
+          token: "${{ secrets.BUF_REGISTRY_TOKEN }}"
+          breaking_against: "https://github.com/authzed/api.git#branch=main"

.github/workflows/release.yaml

@@ -9,12 +9,8 @@ jobs:
     name: "Push BSR tag"
     runs-on: "ubuntu-latest"
     steps:
-      - uses: "actions/checkout@v3"
-      - uses: "bufbuild/buf-setup-action@v1.32.2"
+      - uses: "actions/checkout@v4"
+      - uses: "bufbuild/buf-action@v1"
         with:
-          version: "1.30.0"
-      - name: "push release name to BSR"
-        run:
-          "buf push --tag ${{ github.ref_name }}"
-        env:
-          BUF_TOKEN: "${{ secrets.BUF_REGISTRY_TOKEN }}"
+          token: "${{ secrets.BUF_REGISTRY_TOKEN }}"
+          breaking_against: "https://github.com/authzed/api.git#branch=main"

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: "https://github.com/bufbuild/buf"
-    rev: "v1.6.0"
+    rev: "v1.47.2"
     hooks:
       - id: "buf-lint"
   - repo: "https://github.com/adrienverge/yamllint.git"

authzed/api/materialize/v0/watchpermissions.proto

@@ -4,8 +4,8 @@ package authzed.api.materialize.v0;
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
-option java_package = "com.authzed.api.materialize.v0";
 option java_multiple_files = true;
+option java_package = "com.authzed.api.materialize.v0";
 
 service WatchPermissionsService {
   // WatchPermissions returns a stream of PermissionChange events for the given permissions.

authzed/api/materialize/v0/watchpermissionsets.proto

@@ -4,8 +4,8 @@ package authzed.api.materialize.v0;
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
-option java_package = "com.authzed.api.materialize.v0";
 option java_multiple_files = true;
+option java_package = "com.authzed.api.materialize.v0";
 
 service WatchPermissionSetsService {
   // WatchPermissionSets returns a stream of changes to the sets which can be used to compute the watched permissions.
@@ -55,7 +55,7 @@ service WatchPermissionSetsService {
   // and the revision token from the last LookupPermissionSets response.
   rpc LookupPermissionSets(LookupPermissionSetsRequest) returns (stream LookupPermissionSetsResponse) {}
 }
-  
+
 message WatchPermissionSetsRequest {
   // optional_starting_after is used to specify the SpiceDB revision to start watching from.
   // If not specified, the watch will start from the current SpiceDB revision time of the request ("head revision").
@@ -154,21 +154,21 @@ message PermissionSetChange {
 }
 
 message SetReference {
-    // object_type is the type of object in a permission set
-    string object_type = 1;
-    // object_id is the ID of a permission set
-    string object_id = 2;
-    // permission_or_relation is the permission or relation referenced by this permission set
-    string permission_or_relation = 3;
+  // object_type is the type of object in a permission set
+  string object_type = 1;
+  // object_id is the ID of a permission set
+  string object_id = 2;
+  // permission_or_relation is the permission or relation referenced by this permission set
+  string permission_or_relation = 3;
 }
 
 message MemberReference {
-    // object_type is the type of object of a permission set member
-    string object_type = 1;
-    // object_id is the ID of a permission set member
-    string object_id = 2;
-    // optional_permission_or_relation is the permission or relation referenced by this permission set member
-    string optional_permission_or_relation = 3;
+  // object_type is the type of object of a permission set member
+  string object_type = 1;
+  // object_id is the ID of a permission set member
+  string object_id = 2;
+  // optional_permission_or_relation is the permission or relation referenced by this permission set member
+  string optional_permission_or_relation = 3;
 }
 
 // LookupPermissionSetsRequired is a signal that the consumer should perform a LookupPermissionSets call because

authzed/api/v0/core.proto

@@ -1,11 +1,12 @@
 syntax = "proto3";
 package authzed.api.v0;
 
+import "buf/validate/validate.proto";
+import "validate/validate.proto";
+
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v0";
 option java_package = "com.authzed.api.v0";
 
-import "validate/validate.proto";
-
 message RelationTuple {
   // Each tupleset specifies keys of a set of relation tuples. The set can
   // include a single tuple key, or all tuples with a given object ID or
@@ -18,41 +19,80 @@ message RelationTuple {
   // doc:12345#writer#* (all tuples with direct write relationship with the
   // document) doc:#writer#group:eng#member (all tuples that eng group has write
   // relationship)
-  ObjectAndRelation object_and_relation = 1
-      [ (validate.rules).message.required = true ];
-  User user = 2 [ (validate.rules).message.required = true ];
+  ObjectAndRelation object_and_relation = 1 [
+    (validate.rules).message.required = true,
+    (buf.validate.field).required = true
+  ];
+  User user = 2 [
+    (validate.rules).message.required = true,
+    (buf.validate.field).required = true
+  ];
 }
 
 message ObjectAndRelation {
-  string namespace = 1 [ (validate.rules).string = {
-    pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
-    max_bytes : 128,
-  } ];
-  string object_id = 2 [ (validate.rules).string = {
-    pattern : "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$",
-    max_bytes : 128,
-  } ];
-  string relation = 3 [ (validate.rules).string = {
-    pattern : "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$",
-    max_bytes : 64,
-  } ];
+  string namespace = 1 [
+    (validate.rules).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    },
+    (buf.validate.field).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    }
+  ];
+  string object_id = 2 [
+    (validate.rules).string = {
+      pattern: "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$"
+      max_bytes: 128
+    },
+    (buf.validate.field).string = {
+      pattern: "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$"
+      max_bytes: 128
+    }
+  ];
+  string relation = 3 [
+    (validate.rules).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    },
+    (buf.validate.field).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    }
+  ];
 }
 
 message RelationReference {
-  string namespace = 1 [ (validate.rules).string = {
-    pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
-    max_bytes : 128,
-  } ];
-  string relation = 3 [ (validate.rules).string = {
-    pattern : "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$",
-    max_bytes : 64,
-  } ];
+  string namespace = 1 [
+    (validate.rules).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    },
+    (buf.validate.field).string = {
+      pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$"
+      max_bytes: 128
+    }
+  ];
+  string relation = 3 [
+    (validate.rules).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    },
+    (buf.validate.field).string = {
+      pattern: "^(\\.\\.\\.|[a-z][a-z0-9_]{1,62}[a-z0-9])$"
+      max_bytes: 64
+    }
+  ];
 }
 
 message User {
   oneof user_oneof {
     option (validate.required) = true;
+    option (buf.validate.oneof).required = true;
 
-    ObjectAndRelation userset = 2 [ (validate.rules).message.required = true ];
+    ObjectAndRelation userset = 2 [
+      (validate.rules).message.required = true,
+      (buf.validate.field).required = true
+    ];
   }
-}
+}

authzed/api/v0/developer.proto

@@ -1,11 +1,11 @@
 syntax = "proto3";
 package authzed.api.v0;
 
+import "authzed/api/v0/core.proto";
+
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v0";
 option java_package = "com.authzed.api.v0";
 
-import "authzed/api/v0/core.proto";
-
 service DeveloperService {
   rpc EditCheck(EditCheckRequest) returns (EditCheckResponse) {}
   rpc Validate(ValidateRequest) returns (ValidateResponse) {}
@@ -126,7 +126,7 @@ message DeveloperError {
   uint32 column = 3;
   Source source = 4;
   ErrorKind kind = 5;
-  
+
   repeated string path = 6;
 
   // context holds the context for the error. For schema issues, this will be the