chore: git cache cleanup

2026-03-04 18:34:49 +00:00
parent c32cce2a88
commit 27c252600a
2001 changed files with 683185 additions and 0 deletions
--- a/tools/build.sh
+++ b/tools/build.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Deterministic, fast backend build step for CI/CodeQL extraction
+# Use `go list` to avoid long-running builds and network downloads.
+# Set GOPROXY to a standard proxy to avoid interactive network issues.
+set -euo pipefail
+cd backend
+export GOPROXY=${GOPROXY:-https://proxy.golang.org}
+export GOMODCACHE=${GOMODCACHE:-$(go env GOMODCACHE)}
+# First, list packages for fast JS extraction/diagnostics
+go list ./...
+# Ensure dependencies are downloaded and run a proper Go build so CodeQL can extract symbols
+go mod download
+go build ./...
--- a/tools/codeql_scan.sh
+++ b/tools/codeql_scan.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+# Check if gh is installed
+if ! command -v gh &> /dev/null; then
+    echo "Error: GitHub CLI (gh) is not installed."
+    exit 1
+fi
+
+# Check if gh-codeql extension is installed
+if ! gh extension list | grep -q "github/gh-codeql"; then
+    echo "Installing GitHub CodeQL extension..."
+    gh extension install github/gh-codeql
+fi
+
+echo "Creating CodeQL database..."
+# Remove existing db if any
+rm -rf codeql-db
+
+# Clean up build artifacts and coverage reports to prevent false positives
+echo "Cleaning up build artifacts..."
+rm -rf frontend/dist backend/coverage
+
+# Create the database cluster
+echo "Creating CodeQL database cluster..."
+# We specify --command to ensure Go builds correctly
+# We include javascript to scan the frontend (TypeScript/React)
+# We use --db-cluster to support multiple languages
+gh codeql database create codeql-db --language=go,javascript --db-cluster --source-root . --command "./tools/build.sh" --overwrite
+
+echo "Analyzing CodeQL database..."
+# Analyze Go
+echo "Analyzing Go..."
+gh codeql database analyze codeql-db/go codeql/go-queries:codeql-suites/go-security-and-quality.qls --format=sarif-latest --output=codeql-results-go.sarif --download
+
+# Analyze JavaScript/TypeScript
+echo "Analyzing JavaScript/TypeScript..."
+gh codeql database analyze codeql-db/javascript codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls --format=sarif-latest --output=codeql-results-js.sarif --download
+
+echo "Scan complete."
+echo "Go results: codeql-results-go.sarif"
+echo "JS/TS results: codeql-results-js.sarif"
--- a/tools/dockerfile_check.sh
+++ b/tools/dockerfile_check.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Dockerfile validation script
+# Checks for common mismatches between base images and package managers
+
+set -e
+
+DOCKERFILE="${1:-Dockerfile}"
+
+if [ ! -f "$DOCKERFILE" ]; then
+    echo "Error: $DOCKERFILE not found"
+    exit 1
+fi
+
+echo "Checking $DOCKERFILE for base image / package manager mismatches..."
+
+checking_stage=false
+current_stage=""
+stage_base=""
+
+while IFS= read -r line; do
+    if echo "$line" | grep -qE "^FROM\s+"; then
+        checking_stage=true
+        current_stage="$line"
+        stage_base="unknown"
+
+        if echo "$line" | grep -qi "alpine"; then
+            stage_base="alpine"
+        elif echo "$line" | grep -qiE "debian|ubuntu|trixie|bookworm|bullseye"; then
+            stage_base="debian"
+        fi
+    fi
+
+    if [ "$checking_stage" = true ] && [ "$stage_base" = "alpine" ]; then
+        if echo "$line" | grep -qE "(apt-get|apt)\s+(install|update)" || echo "$line" | grep -qE "xx-apt\s+"; then
+            echo "❌ ERROR: Found Alpine-based image with Debian package manager (apt/apt-get)"
+            echo "   Stage: $current_stage"
+            echo "   Command: $line"
+            echo "   Fix: Use 'apk add' or 'xx-apk' instead"
+            exit 1
+        fi
+    fi
+
+    if [ "$checking_stage" = true ] && [ "$stage_base" = "debian" ]; then
+        if echo "$line" | grep -qE "apk\s+(add|update|del)" || echo "$line" | grep -qE "xx-apk\s+"; then
+            echo "❌ ERROR: Found Debian-based image with Alpine package manager (apk)"
+            echo "   Stage: $current_stage"
+            echo "   Command: $line"
+            echo "   Fix: Use 'apt-get' or 'xx-apt' instead"
+            exit 1
+        fi
+    fi
+done < "$DOCKERFILE"
+
+echo "✓ Dockerfile validation passed"
+exit 0
--- a/tools/sourcery_precommit_wrapper.sh
+++ b/tools/sourcery_precommit_wrapper.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wrapper for Sourcery pre-commit hook.
+# Run Sourcery if the CLI is available or a token is provided.
+# This supports both interactive `sourcery login` and token-based CI usage.
+
+if command -v sourcery >/dev/null 2>&1; then
+  exec sourcery "$@"
+fi
+
+# Try python -m sourcery as a fallback
+if python -m sourcery --version >/dev/null 2>&1; then
+  exec python -m sourcery "$@"
+fi
+
+# If CLI not found but token env var present, try to run via 'sourcery' anyway
+if [ -n "${SOURCERY_TOKEN:-}" ] || [ -n "${SOURCERY_API_TOKEN:-}" ] || [ -n "${SOURCERY_API_KEY:-}" ]; then
+  if command -v sourcery >/dev/null 2>&1; then
+    exec sourcery "$@"
+  fi
+  if python -m sourcery --version >/dev/null 2>&1; then
+    exec python -m sourcery "$@"
+  fi
+fi
+
+echo "Sourcery CLI not available and no token detected; skipping sourcery pre-commit check."
+exit 0