Extra fun thing to do: print a message describing why the decision was made and how to resolve the error in the failure message of your test!
 - https://docs.bazel.build/versions/main/be/shell.html#sh_test
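A minimal sketch of what that could look like as a plain shell check runnable via sh_test (the forbidden marker, paths, and fix command are all illustrative):

```shell
#!/usr/bin/env bash
# Illustrative check: forbid a marker in the source tree, and make the
# failure message explain both WHY it failed and HOW to fix it.
set -u
if grep -rn 'DO_NOT_SUBMIT' src/ 2>/dev/null; then
  cat >&2 <<'EOF'
FAILED: found DO_NOT_SUBMIT markers (listed above).
Why: these markers must be resolved before code can be merged.
Fix: remove the markers, or run ./tools/cleanup_markers.sh
EOF
  exit 1
fi
echo "PASSED: no DO_NOT_SUBMIT markers found."
```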
The canonical example in my mind is any kind of autofix-able linter, where there's some kind of patch (or more nuanced autofix) that the linter can generate on-the-spot for you. With a sh_test construct (or any other test), you generally find yourself printing out some command that the user can run to fix things, which in a sufficiently large codebase can get really frustrating. (The worst offenders of this that I remember dealing with at Google were when generated code/artifacts had to be checked into the repo instead of being wired into the build system because <insert hermeticity problem> and a large-scale change you were doing looked at one of them the wrong way...)
(My company - https://trunk.io - is actually building a universal linter as part of our product offering, and we already have a system to write custom linters with varying levels of sophistication that can plug into both your IDE and CI system!)
Been there. It's unfortunate because there are `genrule()`s for this very reason. But, definitely. Linting is very important and trunk looks great! But linting and config validation are very different use cases. At a previous company I had a test that loaded a set of configs from the repo and made sure all of them were valid according to app-level logic. It was crude but helpful. Trunk would be ideal.
Also, question, have you thought of writing your own linter+autoformatter with treesitter? Are you planning to expand into other tooling?
Understandably so, especially when you might need, say, an AWS permission to actually validate a config (or are there other distinctions between the two that I'm not thinking of?)
I wasn't previously aware of treesitter, but it definitely looks like the type of thing we eventually want to do!
One of the things we currently do is run our own daemon and LSP proxy, so that we can share functionality between the CLI version of our tool and the VSCode extension. Right now we treat most linters as CLI black boxes, but we're looking at moving to treat more of them as LSP servers (we currently do this with eslint, but don't yet with ones like clangd or tflint).
And there is indeed more that we're building out! The other product that we're actively prototyping (and dogfooding) is our merge queue: https://trunk.io/products/merge.
Long-term, the vision for Trunk is to make development overall a more seamless experience, by actually tying together the various disparate tools that solve individual problems that we run into.
I’ve yet to see a good answer to this problem though as each approach has upsides/downsides and no one ever ends up happy in a large enough team. Good luck.
> Either you just fail and ask the user to resubmit or you fix up the formatting on their behalf.
We only apply autofixes when running on the user's machine; when running on CI, as you point out, we only show them because of Git's decentralized nature here.
> The secondary problem is that the lint tool chain running locally sometimes doesn’t version match what’s in CI which poses a set of problems too, although in practice I think that’s raised as a concern only by teams that don’t establish good hygiene of checking in the set of tools (maintenance of multiple platforms is real there though).
We've built out our own system for managing (mostly) hermetic toolchain installs, and require users to version their linters in their trunk.yaml configuration right now. (There are some open questions here around how we handle version skew between our toolchain version and the system-installed toolchain version.)
We're also well aware of the problems that emerge as you scale to a larger team; hierarchical configs are one of the things that we've discussed but are waiting until we have more traction to flesh out. (All of us working on the linter side have experience setting tech direction for orgs of 100+ engineers).
I use tools like `jq` or `yq` all the time for CI checks. One useful check: we have a configuration file stored as several hundred lines of YAML. It's nice to maintain a sorted order for that, so we have a git pre-commit hook that runs the following:
> yq eval --inplace '.my_key |= sort' my_file.yaml
Of course, a pre-commit hook or CI both work. There's pros and cons of both. For our team, the pre-commit hook is a low enough level of effort, and doesn't require a CI check for something that executes in milliseconds.
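A CI-side variant of the same idea could fail the build when the key is out of order instead of fixing it silently. This is a sketch: it assumes mikefarah's yq v4, and the file/key names from above are illustrative.

```shell
#!/bin/sh
# Compare the key as-is against a sorted copy; fail if they differ.
# Assumes yq v4; my_file.yaml / .my_key are illustrative names.
yq eval '.my_key' my_file.yaml > /tmp/actual.yaml
yq eval '.my_key | sort' my_file.yaml > /tmp/sorted.yaml
if ! diff -u /tmp/actual.yaml /tmp/sorted.yaml; then
  echo "my_file.yaml: .my_key is not sorted; run the pre-commit hook" >&2
  exit 1
fi
```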
"Too many exclamation marks"
> Three shall be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, neither count thou two, excepting that thou then proceed to three. Five is right out.
!!41 === true
!!0 === false
I recommend git grep, which is comparable in speed to ripgrep, since it ignores non-tracked files and searches the object storage directly. It is also able to run in parallel.
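For example, a CI check built on git grep might look like this sketch (the deprecated symbol, file glob, and doc name are made up):

```shell
#!/bin/sh
# Fail the build if any tracked Go file still references a deprecated call.
# git grep only searches tracked files, so untracked build junk is skipped.
if git grep -n 'legacy_api_call' -- '*.go'; then
  echo "error: legacy_api_call is deprecated; see MIGRATION.md" >&2
  exit 1
fi
echo "ok: no references to legacy_api_call"
```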
For Android specifically: Gradle and Android Studio both support a powerful linting framework (to the level that it can provide auto-fixes to the IDE). It's better to provide in-editor guidance for your contributors before code hits CI, and then have CI nag if they didn't fix the in-editor warnings/errors:
Some examples of custom lint rules and the default rules which Android Studio runs:
A CI config is just a big job that invokes a bunch of tools like "go build" or "npm test", which is exactly what a shell script is too. I would get rid of the YAML and use shell for the whole thing :)
Shell does have some problems, like needing to be more parallel, incremental, and reproducible, but the YAML-based CI systems all have those problems too.
Related: http://www.oilshell.org/blog/2021/04/build-ci-comments.html#... (and the entire post)
No reason to wait for the CI. There's also the risk of broken intermediary commits unless the CI checks each and every commit in isolation.
It denies any push that doesn't meet the specified requirements with an error message, and the end user has to redo the commit and push again.
This is likely how your authorization is done today already.
The alternative would be a pre-commit hook, but that runs when crafting the commit and is under the control of the end user. It can make for a better user experience since it runs even earlier in the process, but it isn't necessarily secure. Of course, one can have both.
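For instance, a server-side pre-receive hook along those lines might look like this sketch (the ticket-reference rule is just an example policy):

```shell
#!/bin/sh
# pre-receive: reject any pushed commit whose subject lacks a ticket
# reference like ABC-123. Runs on the server, outside the user's control.
while read oldrev newrev refname; do
  for commit in $(git rev-list "$oldrev..$newrev"); do
    subject=$(git log -1 --format=%s "$commit")
    if ! printf '%s\n' "$subject" | grep -Eq '[A-Z]+-[0-9]+'; then
      echo "rejected: commit $commit has no ticket reference: $subject" >&2
      exit 1
    fi
  done
done
exit 0
```

(A production hook would also need to handle branch creation and deletion, where oldrev or newrev is all zeros.)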
Disclaimer: I work on trunk :)
Edit: ah.. forgot the whole point.. In Next Generation Shell (author here) this doesn't happen: `ngs -e '$(grep ...).not()'` does the right thing. grep exit code 0 becomes 1, 1 becomes 0, and 2 becomes 240 (an exception).
I'm also using grep in CI as a simple but effective check for dependency violations in some codebases.
For example, you could configure a Docker Compose health check to curl an endpoint and expect a 200 in production, but in development override the health check command to call /bin/true. That way you don't get log spam from the health check in development, while the check still passes, since /bin/true is an extremely minimal command that returns an exit code of 0. This can be controlled by a single environment variable too, with no changes needed to your docker-compose.yml file.
I covered this pattern in a recent DockerCon talk at https://nickjanetakis.com/blog/best-practices-around-product....
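A sketch of that override as a Compose fragment (the service name, port, endpoint, and variable name are all illustrative; it assumes Compose's `${VAR:-default}` interpolation):

```yaml
# docker-compose.yml (fragment; names are illustrative)
services:
  web:
    healthcheck:
      # In production leave the variable unset so the real curl check runs;
      # in development set WEB_HEALTHCHECK_CMD=/bin/true to silence it.
      test: "${WEB_HEALTHCHECK_CMD:-curl -f http://localhost:8000/healthz}"
      interval: 30s
```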
(grep -q notwanted /hay/stack; test $? -eq 1) && echo "No violations found"
Consider what would happen if your unit test framework couldn’t compile the test files and failed with an error. Isn’t that also a test failure?
To address this: many CI pipelines allow you to specify, per job, which exit codes count as success and which as failure; if yours doesn't, the one-liner will need some boolean logic to check the exit code.