Skip to content

[ci] register-lint: enforce 'no centralized Register* outside components/**'#60

Merged
trilamsr merged 1 commit into
mainfrom
worktree-register-lint-gate
May 19, 2026
Merged

[ci] register-lint: enforce 'no centralized Register* outside components/**'#60
trilamsr merged 1 commit into
mainfrom
worktree-register-lint-gate

Conversation

@trilamsr

Copy link
Copy Markdown
Contributor

What this PR does

Adds scripts/register-lint.sh + a Makefile target + a CI step that
fails the build if func Register*(...) appears outside
components/** (or the explicit allowlist).

STRATEGY.md bans a centralized component-factory registry without
an accepted RFC. Until now that was policy. This gate converts it
into enforcement — caught at make ci instead of waiting for a
reviewer to spot it.

Audit result: zero violations today. The grep surfaces two
pre-existing Register* symbols that are NOT the banned pattern
(they register OTel observable gauges on a MeterProvider, not
component factories):

  • internal/telemetry/build_info.go::RegisterBuildInfo
  • internal/telemetry/slo.go::RegisterSLOMetrics

Both are allowlisted in the script with a one-line rationale each.
Adding to the allowlist in a future PR requires the same.

Closes the FOLLOWUPS make register-lint row under "Open —
opportunistic > Tooling".

Linked issue(s)

No linked issue.

Release notes

NONE

Checklist

  • make register-lint exit 0 with 2 allowlisted files acknowledged
  • make ci exit 0 end-to-end (kernelevents test had one transient flake on first run; passed on retry — same intermittent test seen during the omnibus PR)
  • Commits are signed off
  • No new components

Test plan

  • Local make ci green
  • CI green on this PR
  • After merge: a future PR adding func RegisterX outside components/** (without allowlist edit) fails the new gate

🤖 Generated with Claude Code

…Factory var"

Adds scripts/register-lint.sh + a Makefile target + a CI step that
fails the build if `func Register*(...)` appears outside `components/**`
(or the explicit allowlist).

STRATEGY.md bans a centralized component-factory registry without an
accepted RFC. Until now that was policy. This gate makes it
enforcement.

Allowlist covers two pre-existing OTel-instrument registration helpers
that match the `Register*` prefix but aren't the banned pattern:
`internal/telemetry/build_info.go::RegisterBuildInfo` (observable
gauge for `tracecore.build.info`) and
`internal/telemetry/slo.go::RegisterSLOMetrics` (exporter.failure_rate
and friends). Each is annotated in-script with a one-line rationale;
adding to the allowlist requires the same.

Closes the FOLLOWUPS `make register-lint` row under Tooling.

Verification:
- `make register-lint` exit 0 with 2 allowlisted file(s) acknowledged.
- `make ci` exit 0 end-to-end.

Notes:
- Script ports the original bash-4 `mapfile` shape to a while-read
  loop so it runs on macOS bash 3.2 in addition to Linux CI.
- Source agent was killed when it hit a sub-agent Bash sandbox; this
  is the parent-session take-over (script content harvested from the
  agent's worktree before cleanup).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tri Lam <trilamsr@gmail.com>
@trilamsr trilamsr merged commit e53d100 into main May 19, 2026
5 checks passed
@trilamsr trilamsr deleted the worktree-register-lint-gate branch May 19, 2026 02:29
trilamsr added a commit that referenced this pull request May 19, 2026
## What this PR does

Follow-up to #64 (zizmor security-lint gate). Trims comments that
didn't pass the six-months-cold-reader test. The commit was prepared
on the #64 branch but pushed seconds after that PR auto-merged, so it
never made it in — re-applying as a standalone follow-up.

Comments trimmed:

- `scripts/zizmor.sh`: dropped per-flag descriptions in the header
  block — `--no-progress` and `--config` don't need explainers; the
  WHY for `--min-severity=high` stays. Also fixed a stale error-
  message prefix copied from register-lint.
- `.github/zizmor.yml`: 6 lines → 3. Kept the one load-bearing claim
  ("ignores live inline").
- `release.yml` cache-poisoning ignores: 6 lines → 2. Kept the WHY
  (cache keyed on go.sum, trust root M3 already validates); dropped
  the meta-pointer to zizmor.yml (which no longer carries the
  rationale) and the audit-confidence parens.
- `release.yml` INPUT_TAG env comment: 4 lines → 2.

No behavior change. `make ci` exit 0 (one transient kernelevents
flake on first run, passed on retry — same intermittent test seen
in this session's PRs #55, #60, #62, #63, #64).

## Linked issue(s)

_No linked issue._ Follows up #64.

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0
- [x] No behavior change; pure documentation hygiene
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
trilamsr added a commit that referenced this pull request May 19, 2026
#68)

## What this PR does

Two small fixes that turn this session's lessons into code instead of
notes-to-self:

### 1. Deflake `TestJournaldSource_StreamsMockOutput`

The 2s deadline for the mock-journalctl test was tight on loaded
macOS / CI runners — subprocess spawn + fixture read + goroutine
schedule could miss it. The test flaked on 5 of 5 PRs in this
session that exercised the full suite (#55, #60, #62, #63, #64).

Bumped the deadline 2s → 5s. The non-flake budget for "no record
ever emitted" regressions stays well under the deadline; 5s just
absorbs runner jitter without hiding real bugs.

### 2. Warn locally when `shellcheck` isn't on PATH

`actionlint` silently skips run-block shellcheck when shellcheck
isn't on PATH (macOS doesn't ship shellcheck by default). PR #62
passed `make actionlint` locally and then surfaced 4 shellcheck
findings in CI — exactly the failure mode the gate is supposed to
prevent.

`make actionlint` now prints a `WARNING: shellcheck not on PATH;
actionlint will skip run-block shellcheck.` line with `brew
install` / `apt-get install` hints when the binary is missing.
The underlying lint still runs; the warning just makes the gap
visible to the macOS dev.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0 (test passes deterministically with new deadline)
- [x] `make actionlint` shows the warning when shellcheck is uninstalled
(verified locally)
- [x] No behavior change in CI (shellcheck already on Linux runners)
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant