mirror of
https://github.com/openai/codex.git
synced 2026-05-03 21:01:55 +03:00
## Why

Once the repo-local lint exists, `codex-rs` needs to follow the checked-in convention and CI needs to keep it from drifting. This commit applies the fallback `/*param*/` style consistently across existing positional literal call sites without changing those APIs.

The longer-term preference is still to avoid APIs that require comments by choosing clearer parameter types and call shapes. This PR is intentionally the mechanical follow-through for the places where the existing signatures stay in place.

After rebasing onto newer `main`, the rollout also had to cover newly introduced `tui_app_server` call sites. That made it clear the first cut of the CI job was too expensive for the common path: it was spending almost as much time installing `cargo-dylint` and re-testing the lint crate as a representative test job spends running product tests. The CI update keeps the full workspace enforcement but trims that extra overhead from ordinary `codex-rs` PRs.

## What changed

- keep a dedicated `argument_comment_lint` job in `rust-ci`
- mechanically annotate remaining opaque positional literals across `codex-rs` with exact `/*param*/` comments, including the rebased `tui_app_server` call sites that now fall under the lint
- keep the checked-in style aligned with the lint policy by using `/*param*/` and leaving string and char literals uncommented
- cache `cargo-dylint`, `dylint-link`, and the relevant Cargo registry/git metadata in the lint job
- split changed-path detection so the lint crate's own `cargo test` step runs only when `tools/argument-comment-lint/*` or `rust-ci.yml` changes
- continue to run the repo wrapper over the `codex-rs` workspace, so product-code enforcement is unchanged

Most of the code changes in this commit are intentionally mechanical comment rewrites or insertions driven by the lint itself.

## Verification

- `./tools/argument-comment-lint/run.sh --workspace`
- `cargo test -p codex-tui-app-server -p codex-tui`
- parsed `.github/workflows/rust-ci.yml` locally with PyYAML

---

* -> #14652
* #14651

96 lines
2.8 KiB
Rust
```rust
use std::fs;
use std::path::PathBuf;

use anyhow::Context;
use anyhow::Result;
use clap::Parser;
use serde::Serialize;

use crate::Decision;
use crate::MatchOptions;
use crate::Policy;
use crate::PolicyParser;
use crate::RuleMatch;

/// Arguments for evaluating a command against one or more execpolicy files.
#[derive(Debug, Parser, Clone)]
pub struct ExecPolicyCheckCommand {
    /// Paths to execpolicy rule files to evaluate (repeatable).
    #[arg(short = 'r', long = "rules", value_name = "PATH", required = true)]
    pub rules: Vec<PathBuf>,

    /// Pretty-print the JSON output.
    #[arg(long)]
    pub pretty: bool,

    /// Resolve absolute program paths against basename rules, gated by any
    /// `host_executable()` definitions in the loaded policy files.
    #[arg(long)]
    pub resolve_host_executables: bool,

    /// Command tokens to check against the policy.
    #[arg(
        value_name = "COMMAND",
        required = true,
        trailing_var_arg = true,
        allow_hyphen_values = true
    )]
    pub command: Vec<String>,
}

impl ExecPolicyCheckCommand {
    /// Load the policies for this command, evaluate the command, and render JSON output.
    pub fn run(&self) -> Result<()> {
        let policy = load_policies(&self.rules)?;
        let matched_rules = policy.matches_for_command_with_options(
            &self.command,
            /*heuristics_fallback*/ None,
            &MatchOptions {
                resolve_host_executables: self.resolve_host_executables,
            },
        );

        let json = format_matches_json(&matched_rules, self.pretty)?;
        println!("{json}");

        Ok(())
    }
}

/// Serialize the matched rules together with the overall decision, which is the
/// maximum `Decision` across all matches (`None` when nothing matched).
pub fn format_matches_json(matched_rules: &[RuleMatch], pretty: bool) -> Result<String> {
    let output = ExecPolicyCheckOutput {
        matched_rules,
        decision: matched_rules.iter().map(RuleMatch::decision).max(),
    };

    if pretty {
        serde_json::to_string_pretty(&output).map_err(Into::into)
    } else {
        serde_json::to_string(&output).map_err(Into::into)
    }
}

/// Read and parse every policy file into a single `Policy`, passing each file's
/// path to the parser as the policy identifier.
pub fn load_policies(policy_paths: &[PathBuf]) -> Result<Policy> {
    let mut parser = PolicyParser::new();

    for policy_path in policy_paths {
        let policy_file_contents = fs::read_to_string(policy_path)
            .with_context(|| format!("failed to read policy at {}", policy_path.display()))?;
        let policy_identifier = policy_path.to_string_lossy().to_string();
        parser
            .parse(&policy_identifier, &policy_file_contents)
            .with_context(|| format!("failed to parse policy at {}", policy_path.display()))?;
    }

    Ok(parser.build())
}

/// JSON shape printed by the check command; `decision` is omitted when it is `None`.
#[derive(Serialize)]
#[serde(rename_all = "camelCase")]
struct ExecPolicyCheckOutput<'a> {
    #[serde(rename = "matchedRules")]
    matched_rules: &'a [RuleMatch],
    #[serde(skip_serializing_if = "Option::is_none")]
    decision: Option<Decision>,
}
```