[ci] register-lint: enforce 'no centralized Register* outside components/**' #60
Merged
…Factory var"

Adds scripts/register-lint.sh + a Makefile target + a CI step that fails the build if `func Register*(...)` appears outside `components/**` (or the explicit allowlist).

STRATEGY.md bans a centralized component-factory registry without an accepted RFC. Until now that was policy. This gate makes it enforcement.

Allowlist covers two pre-existing OTel-instrument registration helpers that match the `Register*` prefix but aren't the banned pattern: `internal/telemetry/build_info.go::RegisterBuildInfo` (observable gauge for `tracecore.build.info`) and `internal/telemetry/slo.go::RegisterSLOMetrics` (exporter.failure_rate and friends). Each is annotated in-script with a one-line rationale; adding to the allowlist requires the same.

Closes the FOLLOWUPS `make register-lint` row under Tooling.

Verification:

- `make register-lint` exit 0 with 2 allowlisted file(s) acknowledged.
- `make ci` exit 0 end-to-end.

Notes:

- Script ports the original bash-4 `mapfile` shape to a while-read loop so it runs on macOS bash 3.2 in addition to Linux CI.
- Source agent was killed when it hit a sub-agent Bash sandbox; this is the parent-session take-over (script content harvested from the agent's worktree before cleanup).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tri Lam <trilamsr@gmail.com>
This was referenced May 19, 2026
trilamsr added a commit that referenced this pull request May 19, 2026
## What this PR does

Follow-up to #64 (zizmor security-lint gate). Trims comments that didn't pass the six-months-cold-reader test. The commit was prepared on the #64 branch but pushed seconds after that PR auto-merged, so it never made it in — re-applying as a standalone follow-up.

Comments trimmed:

- `scripts/zizmor.sh`: dropped per-flag descriptions in the header block — `--no-progress` and `--config` don't need explainers; the WHY for `--min-severity=high` stays. Also fixed a stale error-message prefix copied from register-lint.
- `.github/zizmor.yml`: 6 lines → 3. Kept the one load-bearing claim ("ignores live inline").
- `release.yml` cache-poisoning ignores: 6 lines → 2. Kept the WHY (cache keyed on go.sum, trust root M3 already validates); dropped the meta-pointer to zizmor.yml (which no longer carries the rationale) and the audit-confidence parens.
- `release.yml` INPUT_TAG env comment: 4 lines → 2.

No behavior change. `make ci` exit 0 (one transient kernelevents flake on first run, passed on retry — same intermittent test seen in this session's PRs #55, #60, #62, #63, #64).

## Linked issue(s)

_No linked issue._ Follows up #64.

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0
- [x] No behavior change; pure documentation hygiene
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
trilamsr added a commit that referenced this pull request May 19, 2026
#68)

## What this PR does

Two small fixes that turn this session's lessons into code instead of notes-to-self:

### 1. Deflake `TestJournaldSource_StreamsMockOutput`

The 2s deadline for the mock-journalctl test was tight on loaded macOS / CI runners — subprocess spawn + fixture read + goroutine schedule could miss it. The test flaked on 5 of 5 PRs in this session that exercised the full suite (#55, #60, #62, #63, #64).

Bumped the deadline 2s → 5s. The non-flake budget for "no record ever emitted" regressions stays well under the deadline; 5s just absorbs runner jitter without hiding real bugs.

### 2. Warn locally when `shellcheck` isn't on PATH

`actionlint` silently skips run-block shellcheck when shellcheck isn't on PATH (macOS doesn't ship shellcheck by default). PR #62 passed `make actionlint` locally and then surfaced 4 shellcheck findings in CI — exactly the failure mode the gate is supposed to prevent.

`make actionlint` now prints a `WARNING: shellcheck not on PATH; actionlint will skip run-block shellcheck.` line with `brew install` / `apt-get install` hints when the binary is missing. The underlying lint still runs; the warning just makes the gap visible to the macOS dev.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0 (test passes deterministically with new deadline)
- [x] `make actionlint` shows the warning when shellcheck is uninstalled (verified locally)
- [x] No behavior change in CI (shellcheck already on Linux runners)
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## What this PR does

Adds `scripts/register-lint.sh` + a Makefile target + a CI step that fails the build if `func Register*(...)` appears outside `components/**` (or the explicit allowlist).

`STRATEGY.md` bans a centralized component-factory registry without an accepted RFC. Until now that was policy. This gate converts it into enforcement — caught at `make ci` instead of waiting for a reviewer to spot it.

Audit result: zero violations today. The grep surfaces two pre-existing `Register*` symbols that are NOT the banned pattern (they register OTel observable gauges on a MeterProvider, not component factories):

- `internal/telemetry/build_info.go::RegisterBuildInfo`
- `internal/telemetry/slo.go::RegisterSLOMetrics`

Both are allowlisted in the script with a one-line rationale each. Adding to the allowlist in a future PR requires the same.

Closes the FOLLOWUPS `make register-lint` row under "Open — opportunistic > Tooling".
## Linked issue(s)

No linked issue.

## Release notes

## Checklist

- `make register-lint` exit 0 with 2 allowlisted files acknowledged
- `make ci` exit 0 end-to-end (kernelevents test had one transient flake on first run; passed on retry — same intermittent test seen during the omnibus PR)

## Test plan

- `make ci` green
- `func RegisterX` outside `components/**` (without allowlist edit) fails the new gate

🤖 Generated with Claude Code
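
A minimal gate of the kind this PR describes, as an added example (not the project's `scripts/register-lint.sh`): it flags top-level `func Register*(` in Go files outside `components/**`, honours an allowlist entry only when it carries a rationale, and reads hits with a while-read loop rather than `mapfile`. The `path|rationale` allowlist format, the rationale wording, the function names and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added sketch, not the project's scripts/register-lint.sh.
# Assumed allowlist format: "relative/path.go|one-line rationale" (wording constructed).
ALLOWLIST='internal/telemetry/build_info.go|registers an OTel gauge, not a component factory
internal/telemetry/slo.go|registers OTel gauges, not a component factory'

# Succeeds only if $1 is listed AND the entry carries a non-empty rationale.
is_allowlisted() {
  while IFS='|' read -r path why; do
    if [ "$path" = "$1" ] && [ -n "$why" ]; then return 0; fi
  done <<EOF
$ALLOWLIST
EOF
  return 1
}

# Prints every top-level `func Register*(` under repo root $1 that is outside
# components/** and the allowlist. Returns 1 on violations, 2 on a bad root.
register_lint() {
  root=${1%/}
  if [ ! -d "$root" ]; then echo "register-lint: no such directory: $root"; return 2; fi
  rc=0
  # grep exits 1 on "no match", so tolerate it; /dev/null forces file names in output.
  hits=$(find "$root" -type f -name '*.go' \
    -exec grep -nE '^func Register[A-Za-z0-9_]*\(' /dev/null {} + || true)
  # while-read over a here-doc (no bash-4 mapfile) keeps the loop in this shell.
  while IFS= read -r hit; do
    if [ -z "$hit" ]; then continue; fi
    rel=${hit#"$root"/}   # "path:line:text" relative to the root
    file=${rel%%:*}
    case "$file" in components/*) continue ;; esac
    if is_allowlisted "$file"; then continue; fi
    echo "register-lint: $rel"
    rc=1
  done <<EOF
$hits
EOF
  return "$rc"
}

# Constructed sample tree: one file under components/, one allowlisted, one violating.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/components/receiver" "$d/internal/telemetry" "$d/internal/registry"
  echo 'func RegisterFactory(name string) {}' > "$d/components/receiver/factory.go"
  echo 'func RegisterBuildInfo() {}' > "$d/internal/telemetry/build_info.go"
  echo 'func RegisterComponent(name string) {}' > "$d/internal/registry/registry.go"
  echo "$d"
}
```

In CI the call would be `register_lint . || exit 1`; the missing-root check makes the gate fail closed rather than pass on an empty search.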