Introduce a ruletype release_phase field and set it to alpha for all …

…ruletypes (#145)

* Introduce a ruletype state field and set it to alpha for all current ruletypes

Signed-off-by: Radoslav Dimitrov <[email protected]>

* Add a workflow check that ensures ruletype state is set

Signed-off-by: Radoslav Dimitrov <[email protected]>

* Rename state to release_phase

Signed-off-by: Radoslav Dimitrov <[email protected]>

---------

Signed-off-by: Radoslav Dimitrov <[email protected]>

.github/workflows/lint.yaml

@@ -21,3 +21,42 @@ jobs:
 
       - name: Lint Rule Types
         run: go run github.com/stacklok/minder/cmd/dev@latest ruletype lint -r rule-types/github --skip-rego
+
+      - name: Ensure rule type release_phase is set
+        run: |
+          # Directory containing YAML files
+          DIRECTORY="rule-types/github"
+
+          # Allowed values for the "release_phase" field
+          ALLOWED_VALUES=("alpha" "beta" "ga" "deprecated")
+
+          # Iterate over all YAML files in the directory
+          for file in "$DIRECTORY"/*.yaml; do
+            echo "Checking file: $file"
+
+            # Extract the value of the "release_phase" field
+            release_phase_value=$(yq e '.release_phase' "$file")
+
+            # Check if the "release_phase" field is null or missing
+            if [ "$release_phase_value" == "null" ] || [ -z "$release_phase_value" ]; then
+              echo "Error: The file '$file' does not have the 'release_phase' field set or it is empty."
+              exit 1
+            else
+              # Validate if the "release_phase" value is one of the allowed values
+              is_valid=false
+              for allowed_value in "${ALLOWED_VALUES[@]}"; do
+                if [ "$release_phase_value" == "$allowed_value" ]; then
+                  is_valid=true
+                  break
+                fi
+              done
+
+              if [ "$is_valid" == false ]; then
+                echo "Error: The file '$file' has an invalid 'release_phase' value: $release_phase_value"
+                echo "       Allowed values are: ${ALLOWED_VALUES[*]}"
+                exit 1
+              else
+                echo "The file '$file' has a valid 'release_phase' field set to: $release_phase_value"
+              fi
+            fi
+          done

rule-types/github/actions_check_default_permissions.yaml

@@ -1,4 +1,5 @@
 version: v1
+release_phase: alpha
 type: rule-type
 name: actions_check_default_permissions
 severity:

rule-types/github/actions_check_pinned_tags.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: actions_check_pinned_tags
 severity:

rule-types/github/allowed_selected_actions.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: allowed_selected_actions
 severity:

rule-types/github/artifact_attestation_slsa.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: artifact_attestation_slsa
 context:

rule-types/github/artifact_signature.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: artifact_signature
 severity:

rule-types/github/automatic_branch_deletion.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: automatic_branch_deletion
 severity:

rule-types/github/branch_protection_allow_deletions.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_allow_deletions
 severity:

rule-types/github/branch_protection_allow_force_pushes.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_allow_force_pushes
 severity:

rule-types/github/branch_protection_allow_fork_syncing.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_allow_fork_syncing
 severity:

rule-types/github/branch_protection_enabled.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_enabled
 severity:

rule-types/github/branch_protection_enforce_admins.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_enforce_admins
 severity:

rule-types/github/branch_protection_lock_branch.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_lock_branch
 severity:

rule-types/github/branch_protection_require_conversation_resolution.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_conversation_resolution
 severity:

rule-types/github/branch_protection_require_linear_history.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_linear_history
 severity:

rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_pull_request_approving_review_count
 severity:

rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_pull_request_code_owners_review
 severity:

rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_pull_request_dismiss_stale_reviews
 severity:

rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_pull_request_last_push_approval
 severity:

rule-types/github/branch_protection_require_pull_requests.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_pull_requests
 severity:

rule-types/github/branch_protection_require_signatures.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: branch_protection_require_signatures
 severity:

rule-types/github/codeql_enabled.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: codeql_enabled
 severity:

rule-types/github/default_workflow_permissions.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: default_workflow_permissions
 severity:

rule-types/github/dependabot_configured.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: dependabot_configured
 severity:

rule-types/github/dockerfile_no_latest_tag.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: dockerfile_no_latest_tag
 severity:

rule-types/github/github_actions_allowed.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: github_actions_allowed
 severity:

rule-types/github/invisible_characters_check.yaml

@@ -1,4 +1,5 @@
 version: v1
+release_phase: alpha
 type: rule-type
 name: invisible_characters_check
 severity:

rule-types/github/license.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: license
 severity:

rule-types/github/mixed_scripts_check.yaml

@@ -1,4 +1,5 @@
 version: v1
+release_phase: alpha
 type: rule-type
 name: mixed_scripts_check
 severity:

rule-types/github/no_binaries_in_repo.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: no_binaries_in_repo
 severity:

rule-types/github/no_open_security_advisories.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: no_open_security_advisories
 severity:

rule-types/github/pr_trusty_check.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: pr_trusty_check
 severity:

rule-types/github/pr_vulnerability_check.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: pr_vulnerability_check
 severity:

rule-types/github/repo_action_allow_list.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: repo_action_allow_list
 severity:

rule-types/github/repo_workflow_access_level.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: repo_workflow_access_level
 severity:

rule-types/github/scorecard_enabled.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: scorecard_enabled
 severity:

rule-types/github/secret_push_protection.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: secret_push_protection
 severity:

rule-types/github/secret_scanning.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: secret_scanning
 severity:

rule-types/github/security_insights.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: security_insights
 severity:

rule-types/github/security_insights_dep_policy.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: security_insights_dep_policy
 severity:

rule-types/github/security_policy.yaml

@@ -1,4 +1,5 @@
 version: v1
+release_phase: alpha
 type: rule-type
 name: security_policy
 severity:

rule-types/github/trivy_action_enabled.yaml

@@ -1,5 +1,6 @@
 ---
 version: v1
+release_phase: alpha
 type: rule-type
 name: trivy_action_enabled
 severity: