Commit graph

62 commits

Author SHA1 Message Date
Michał Kępień
00e351a824 Drop Danger check related to pre-release testing
With the advent of the new development model involving security-*
branches and autorebasing, the value added by the pre-release testing
mechanism dropped drastically.  The only remaining benefit of
pre-release testing is flagging in-progress security fixes targeting
open source branches that conflict with the corresponding bind-9.x-sub
branches.  However, such conflicts are a rare occurrence and can be
handled after merging anyway.

Remove the Danger check related to pre-release testing.

(cherry picked from commit 4c2046b59f)
2026-06-24 11:34:30 +00:00
Michał Kępień
73d2bebba1
Remove the "autorebase-merge-request" CI job
The "autorebase-merge-request" CI job is not useful in practice as the
Danger check whose complaints it was supposed to address does not look
for commit hashes in the original merge request's target branch, but
rather in the original merge request itself - and those commit hashes
remain stable over time.  Furthermore, after a backport gets merged, any
cherry-pick references its commits might contain will be maintained by
other autorebasing jobs.  Given the above, remove the
"autorebase-merge-request" CI job as it serves no useful purpose.

(cherry picked from commit 261208b987)
2026-06-24 10:10:10 +02:00
Michal Nowak
7c1e80603a Validate Assisted-by trailer format and tool list
CONTRIBUTING.md documents the Assisted-by trailer format as

    Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

and excludes basic development tools (git, compilers, meson,
ninja, editors, clang-format, black, ruff) from the optional
tool list.

Walk every `Assisted-by:` line in each commit message and emit a
`warn()` when:

  - the line does not match the documented `AGENT:VERSION` shape;
  - the optional tool list contains basic-tool names.

The basic-tool list extends the CONTRIBUTING.md examples with
other formatters, generic linters, and build/test runners
commonly invoked from `.gitlab-ci.yml`.  Specialized analysis
tools (coccinelle, clang-tidy, AFL, Coverity, cppcheck,
valgrind, sanitizers) are intentionally absent so they remain
allowed in the trailer.

Use `warn()` rather than `fail()` because the format is
human-written and overly strict matching would produce false
positives on edge cases.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 2cac546d08)
2026-06-12 10:03:12 +00:00
Michal Nowak
760b20df01 Reject Signed-off-by trailers from AI tools in danger check
CONTRIBUTING.md states that AI agents must not add Signed-off-by
tags, since only humans can legally certify the Developer
Certificate of Origin.  Mirror the existing LLM Co-Authored-By
check against the Signed-off-by trailer line so danger fails on
commits that violate the rule.

The shared alternation of known LLM agent names is factored out
into LLM_AGENT_NAMES_RE so adding a new tool only requires one
edit.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 65d082277d)
2026-06-12 10:03:12 +00:00
Michal Nowak
9dbb8a8082 Detect Co-Authored-By trailers and reject AI co-authors
CONTRIBUTING.md states that AI agents must not be listed as
co-authors and that contributors should use the `Assisted-by:`
trailer instead.  Teach `dangerfile.py` to fail merge requests
whose commit messages include a `Co-Authored-By:` trailer naming
a known LLM (Claude, Codex, Mistral, Copilot, Gemini, Cursor,
Devin, Aider, Sourcegraph, CodeWhisperer).

For any other `Co-Authored-By:` trailer, emit an info-level
`message()` that includes the full trailer line so reviewers can
confirm the named co-author is a human contributor and not an
unrecognised AI tool.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit f5e9dd3dd6)
2026-06-12 10:03:12 +00:00
Michał Kępień
0b63ecd2bb
Support autorebasing backported security MRs
Autorebasing a backported security fix enables convenient refreshing of
cherry-pick references, which makes it trivial for developers to satisfy
Danger rules just before the merge request is merged.  Add a manual CI
job that is only created for backported merge requests targeting
security-* branches.

(cherry picked from commit dd723d93cb)
2026-05-21 11:27:46 +02:00
Michał Kępień
ab2aa2f4cc
Conflate missing commit reference notifications
Instead of creating a separate (potentially lengthy) Danger notification
for every missing commit reference in a backport, produce a single
notification with a list of all unreferenced commit hashes.  This makes
Danger output more concise while retaining all the relevant feedback for
the developer.

(cherry picked from commit 086780dcf0)
2026-05-21 11:27:46 +02:00
Nicki Křížek
4ae74863d1 Use underscore for system test names
Change the convention for system test directory names to always use an
underscore rather than a hyphen. Names using underscore are valid python
package names and can be used with standard `import` facilities in
python, which allows easier code reuse.

The temporary directories for test execution and their convenience
symlinks have been switched to using hyphens rather than underscores to
keep the pytest collection, filtering and .gitignore working as
expected.

(cherry picked from commit 9f4c1d1993)
2026-03-18 15:36:50 +01:00
Štěpán Balážik
68b9928f0f Fix vulture warnings and tweak ignore lists
Run vulture on the whole repository, fix most errors in previously
unchecked code, adjust ignore lists.

(cherry picked from commit 57ecaee95d)
2026-02-25 13:15:05 +01:00
Andoni Duarte Pintado
51712a9d31 Update issue closing regex in dangerfile.py
Update the regular expression used for extracting references to GitLab
issues closed by a given merge request so that it is identical to the
one used by GitLab [1].

See also isc-projects/bind9-qa!41

[1] https://docs.gitlab.com/user/project/issues/managing_issues/#default-closing-pattern

(cherry picked from commit 5298d0fcb8)
2025-04-02 13:42:40 +00:00
Nicki Křížek
babdac49c8 Make changelog audience mandatory
Use a stricter hazard check which ensures the audience tag is present in
the MR title and is one of the known values. This prevents siuations
where incorrect audience is accidentally used, resulting in a missing
changelog entry or a release note.

(cherry picked from commit cdb93bcbd4)
2024-10-29 16:03:31 +00:00
Petr Špaček
4f04079727 Remove milestone check from dangerfile
Milestone is automatically set by 'merged-metadata' CI job to 'Not
released yet' so it does not matter what the original value was.

(cherry picked from commit 73b950dc29)
2024-08-23 07:58:29 +00:00
Petr Špaček
84e7550631 Remove 'Release notes' label check from dangerfile
This label is now handled automatically by 'merged-metadata' CI job.

(cherry picked from commit 146743d5a3)
2024-08-23 07:58:29 +00:00
Petr Špaček
23cd27689b Remove 'No CHANGES' check from dangerfile
This label is now handled automatically by 'merged-metadata' CI job.

(cherry picked from commit edf0e6415a)
2024-08-23 07:58:29 +00:00
Nicki Křížek
98f7d68062
Update dangerfile for new changelog workflow
(cherry picked from commit 91be111dc7)
2024-07-29 14:44:59 +02:00
Michał Kępień
aae51cf28d
Fail for merge requests with "Affects v9.x" labels
Setting "Affects v9.x" labels on a merge request duplicates information
already present on the GitLab issue associated with that merge request.
For trivial merge requests that are not associated with any GitLab
issue, setting the "Affects v9.x" label(s) is considered unnecessary.
Trigger a failure for every merge request marked with at least one
"Affects v9.x" label.
2024-06-03 13:07:21 +02:00
Michał Kępień
80ec57f198
Warn about auto-generated merge request titles
Merge request titles auto-generated by GitLab are often a source of
confusion regarding the actual contents of a given merge request.  Warn
for merge requests containing titles that look like auto-generated ones.
2024-06-03 13:07:21 +02:00
Michał Kępień
09851e6230
Fail for branches using old-style version suffixes
Using "-v9_x" and "-v9.x" version suffixes for branch names is now
deprecated since some automation logic does not handle these.  Fail for
any merge request using such old-style version suffixes.
2024-06-03 13:07:21 +02:00
Michał Kępień
9359cb9c99
Fail for backports with "Affects v9.x" labels set
Backports are not expected to have any "Affects v9.x" labels set since
those are only meant to be set for merge requests that should have
backports created for them.
2024-06-03 13:07:21 +02:00
Nicki Křížek
6767172bc0
Use BIND_TEAM_API_TOKEN for danger bot
This is done to unify the token usage across our repositories to
simplify token maintenance.
2024-05-27 13:03:10 +02:00
Michał Kępień
5e02a007ca Warn if security fixes are not marked for testing 2024-03-21 17:38:57 +01:00
Petr Špaček
0ba29730f7 Warn about release notes without CHANGES entry 2024-03-21 17:38:57 +01:00
Petr Špaček
82cfb48295 Detect change in supported RR types and issue Hazard warning 2024-03-21 17:38:57 +01:00
Michał Kępień
0fec404c64
Fix Danger rules for flagging release note issues
The logic contained in dangerfile.py incorrectly warns about missing
release note changes for merge requests preparing release documentation
as such merge requests rename files in the doc/notes/ directory.  This
(correctly) causes these files to be passed to dangerfile.py via
danger.git.created_files and danger.git.deleted_files rather than via
danger.git.modified_files, which in turn causes the logic checking the
use of the "Release Notes" label to assume that no release notes are
added, removed, or modified by a given merge request.

Fix by considering all types of file changes (modifications, additions,
and removals - which also covers file renaming) when checking whether a
given merge request modifies release notes.  Update the warning messages
accordingly.

However, when trying to find release notes added by a given merge
request, deleted files must not be considered.  Tweak the logic looking
for GitLab identifiers in the release notes added by a given merge
request so that it only scans modified and added (or renamed) files.
2024-01-05 12:51:13 +01:00
Tom Krizek
4f70f5bd7c
Handle empty MR description in dangerfile
A merge request might have no description at all (i.e. None, rather than
an empty string). This might happen when the MR is created via an API.
Check a description is present before trying to find a backport string
in it.
2023-12-11 17:22:03 +01:00
Michał Kępień
43126e81e6
Improve determining the lines added by a branch
Since the list of lines added to Git-tracked text files in a given
branch is not part of the Danger DSL [1], it is determined using custom
code in dangerfile.py.  The current implementation of that logic is less
than perfect as it examines the diff between the current tip of the
target branch and the source branch rather than the diff between the
merge base of the two branches and the source branch.  Consider a Git
history like this:

    *   F (target)
    ...
    *   E
    *   D
    *   C
    | * B (source)
    |/
    *   A (merge base)

If danger-python or Hazard are run for commit B, the current logic for
determining the list of added lines in dangerfile.py examines the diff
between commits F and B rather than between commits A and B.  Therefore,
the added_lines() function returns not just the lines added by commit B
on top of commit A, but also the list of lines that were removed between
commits A and F, which leads to confusing results.

Fix by using the triple-dot diff operator in the Git invocation whose
output is used as the source of information for determining the list of
lines added by a given branch.

Since Hazard fetches the target branch itself when it is run, remove the
explicit "git fetch" invocation that fetches the target branch from
GitLab (shortening its local history to a single commit in the process)
before "git diff" is invoked.

[1] https://danger.systems/js/reference.html#GitDSL
2023-12-11 17:22:03 +01:00
Tom Krizek
cba5a1d62c
Add system test utility package isctest
Create a utility package for code shared by the python tests. The
utility functions should use reasonable defaults and be split up into
modules according to their functionality.

Ensure assert rewriting is enabled for the modules to get the most
useful output from pytest.
2023-12-05 13:26:49 +01:00
Mark Andrews
dbc2167325 Update dangerfile.py to know about ':cve:' 2023-10-17 01:05:46 +00:00
Tom Krizek
d1371267c6
danger: check system test convetions for pytest runner
When adding a new system test, it might easy to forget to add the
required files for the pytest runner or break a naming convention. Add
danger checks to cover these cases.
2023-09-19 13:29:30 +02:00
Aram Sargsyan
3db2beef9f Don't warn about subject line length for the fixup commits
The fixup commits' subject line has a prefix which has its own
length, so warning about the exceeding length is not accurate.
Given that the fixup commits can not be merged, because they
cause a danger failure, it's safe to ignore the length check
for them.
2023-09-14 09:31:32 +00:00
Michal Nowak
96563c6020
Add a friendly Danger plea to run the pairwise CI job
Sometimes a pairwise definition for a new ./configure switch is added
but not tested in the CI.
2023-05-19 14:11:54 +02:00
Tom Krizek
79ae467973
danger: relax rules for single-line commits
The following are not also accepted as single-line commits without
generating warnings:
- CHANGES/release note may appear in the beginning of the commit message
- Release note may be capitalized
- Allow commits with "GL #" (e.g. Update documentation for [GL #XXXX])
2023-01-27 14:17:06 +01:00
Tom Krizek
1939e585c0
danger: update CHANGES rule to work with -S edition
When updating the -S edition, the CHANGES.SE file is modified. Make sure
danger accepts that.
2023-01-27 14:17:04 +01:00
Mark Andrews
9b12473292 Teach danger about amend
commit --fixup=amend:<hash> produces a subject starting with amend!
by default.  Have danger look for this to ensure that it is squashed
before merging.
2023-01-27 19:14:32 +11:00
Tom Krizek
64d71a1f5f
danger: check the Affects labels are set
Unless the MR is a backport, the Affects labels should be used to
indicate which versions are affected by the issue that prompted the MR.
2022-12-23 09:44:56 +01:00
Tom Krizek
d1172e011c
danger: check version in MR title
Enforce the version indicator to be at the start of the MR title.
2022-12-23 09:44:56 +01:00
Tom Krizek
e8a5ebaee5
danger: remove obsolete check for cherry pick msg
With proper backport commit detection, this check has been made
redundant.
2022-12-16 13:37:12 +01:00
Tom Krizek
c617f97784
danger: check backport commits for original commit IDs
A full backport must have all the commit from the original MR and the
original commit IDs must be referenced in the backport commit messages.

If the criteria above is not met, the MR should be marked as a partial
backport. In that case, any discrepencies are only logged as informative
messages rather than failures.
2022-12-16 13:37:12 +01:00
Tom Krizek
89530f1a1c
danger: check that original MR has been merged
When checking a backport MR, ensure that the original MR has been merged
already. This is vital for followup checks that verify commit IDs from
original commits are present in backport commit messages.
2022-12-16 13:37:12 +01:00
Tom Krizek
12e0b05738
danger: check backport links to the original MR
When doing archeology, it is much easier to find stuff if it's properly
linked. This check ensures that backport MR are linked to their original
MR via a "Backport of !XXXX" message.

The regular expression is fairly broad and has been tested to accept the
following variants of the message:
Backport of MR !XXXX
Backport of: !XXXX
backport of mr !XXXX
Backport of   !XXXX
Backport of https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/XXXX
2022-12-16 13:37:12 +01:00
Tom Krizek
14b027cf83
danger: ensure target branch is in the MR title
Having the MR title clearly marked in its title can be very useful when
looking through older issues/MRs.

This check also ensures that the version from the version label matches
the proper version branch (i.e. v9.16 must be marked with [v9_16]).
2022-12-16 13:37:11 +01:00
Tom Krizek
1c0c1ba8b9
danger: support partial backport label
Treat the Backport::Partial label as a backport as well.
2022-12-16 13:37:10 +01:00
Tom Krizek
5ecb277090
Check for cherry pick message in backport commits in danger CI
Using the -x option for cherry pick makes it easy to link commits across
branches and it is recommended to use for all backport commits (with
exceptions -- thus a warning level rather than failure).
2022-11-08 14:34:58 +01:00
Tom Krizek
402b11431c
Detect work-in-progress commits in danger CI
To avoid accidentally merging unfinished work, detect prohibited
keywords at the start of the subject line. If the first word is any of
the following, fail the check:
WIP, wip, DROP, drop, TODO, todo

The only slightly controversial is the lowercase "drop" which might have
a legitimate use - seems like four commits in the history used it as a
start of a sentence. However, since people commonly use "drop" to
indicate a commit should be dropped before merging, let's prohibit it as
well. In case of false-positive, "Drop" with a capitalized first letter
can always be used.
2022-11-08 14:34:58 +01:00
Tom Krizek
e901342dd9
Use approve button workflow in danger CI
Since the LGTM label was deprecated in favor of using the Approve button
in gitlab, adjust the detection in danger bot.

Unfortunately, danger-python seems no longer maintained since 2020 and
MR approvals aren't available in its Python API (even though they're
supported in its Ruby/JS APIs). Going forward, let's use the more
comprehensive python-gitlab API.

It still makes sense to utilize the danger-python, since it handles the
integration with gitlab which doesn't need to be reimplemented as long
as it works - same with the other checks.
2022-11-08 14:34:56 +01:00
Tom Krizek
c9cb8ae9eb
Auto-format Python files with black
This patch is strictly the result of:
$ black $(git ls-files '*.py')

There have been no manual changes.
2022-06-08 10:28:08 +02:00
Petr Špaček
b0f59cb5cb
Flag new user-visible log messages for review
Messages with log levels INFO or higher are flagged for manual review.
Purpose of this check is to prevent debug logs to being released with
too-high log level.
2022-06-03 12:09:41 +02:00
Ondřej Surý
58bd26b6cf Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.
2022-01-11 09:05:02 +01:00
Michal Nowak
fe1dea6572 Update Danger check for GitLab references
Release notes now employ a custom :gl: Sphinx role for linking to GitLab
issues/MRs.  Tweak the relevant Danger checks to account for that.
2021-04-29 13:24:21 +02:00
Michał Kępień
bc42690c99 Skip subject line length check for merge commits
Some merge requests (e.g. those created for release branches) include
merge commits.  Prevent Danger from warning about excessive subject line
length for merge commits.  (While the proper way to detect a merge
commit would be to check the 'parents' attribute of a commit object,
Danger Python does not seem to populate that attribute, so a simple
string search is performed on the commit subject instead.)
2021-01-18 14:57:47 +01:00