Validate LavaMoat config in parallel (#19589)

The LavaMoat policies and allow-scripts configuration are now validated in parallel. They are still only validated for release candidate branches and the `master` branch.
MetaMask · Jun 22, 2023 · 492038a · 492038a
1 parent 89cec53
commit 492038a
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 43 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -30,6 +30,12 @@ rc_branch_only: &rc_branch_only
       only:
         - /^Version-v(\d+)[.](\d+)[.](\d+)/
 
+rc_or_master_branch_only: &rc_or_master_branch_only
+  filters:
+    branches:
+      only:
+        - /^Version-v(\d+)[.](\d+)[.](\d+)|master/
+
 workflows:
   test_and_release:
     jobs:
@@ -50,11 +56,19 @@ workflows:
       - test-yarn-dedupe:
           requires:
             - prep-deps
-      - validate-lavamoat-config:
-          filters:
-            branches:
-              only:
-                - /^Version-v(\d+)[.](\d+)[.](\d+)|master/
+      - validate-lavamoat-allow-scripts:
+          <<: *rc_or_master_branch_only
+          requires:
+            - prep-deps
+      - validate-lavamoat-policy-build:
+          <<: *rc_or_master_branch_only
+          requires:
+            - prep-deps
+      - validate-lavamoat-policy-webapp:
+          <<: *rc_or_master_branch_only
+          matrix:
+            parameters:
+              build-type: [main, beta, flask, mmi, desktop]
           requires:
             - prep-deps
       - prep-build:
@@ -162,7 +176,9 @@ workflows:
             - prep-build-flask
       - all-tests-pass:
           requires:
-            - validate-lavamoat-config
+            - validate-lavamoat-allow-scripts
+            - validate-lavamoat-policy-build
+            - validate-lavamoat-policy-webapp
             - test-lint
             - test-lint-shellcheck
             - test-lint-lockfile
@@ -329,20 +345,47 @@ jobs:
             - node_modules
             - build-artifacts
 
-  validate-lavamoat-config:
+  validate-lavamoat-allow-scripts:
     executor: node-browsers-medium-plus
     steps:
       - checkout
       - attach_workspace:
           at: .
       - run:
           name: Validate allow-scripts config
-          command: |
-            .circleci/scripts/validate-allow-scripts.sh
+          command: yarn allow-scripts auto
       - run:
-          name: Validate LavaMoat policy
-          command: |
-            .circleci/scripts/validate-lavamoat-policy.sh
+          name: Check working tree
+          command: .circleci/scripts/check-working-tree.sh
+
+  validate-lavamoat-policy-build:
+    executor: node-browsers-medium-plus
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: Validate LavaMoat build policy
+          command: yarn lavamoat:build:auto
+      - run:
+          name: Check working tree
+          command: .circleci/scripts/check-working-tree.sh
+
+  validate-lavamoat-policy-webapp:
+    executor: node-browsers-medium-plus
+    parameters:
+      build-type:
+        type: string
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: Validate LavaMoat << parameters.build-type >>  policy
+          command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>'
+      - run:
+          name: Check working tree
+          command: .circleci/scripts/check-working-tree.sh
 
   prep-build:
     executor: node-browsers-medium-plus

diff --git a/.circleci/scripts/check-working-tree.sh b/.circleci/scripts/check-working-tree.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+if ! git diff --exit-code
+then
+  echo "Working tree dirty"
+  exit 1
+fi
diff --git a/.circleci/scripts/validate-allow-scripts.sh b/.circleci/scripts/validate-allow-scripts.sh
diff --git a/.circleci/scripts/validate-lavamoat-policy.sh b/.circleci/scripts/validate-lavamoat-policy.sh
diff --git a/package.json b/package.json
@@ -85,7 +85,6 @@
     "lavamoat:webapp:auto": "node ./development/generate-lavamoat-policies.js --devMode=true",
     "lavamoat:webapp:auto:ci": "node ./development/generate-lavamoat-policies.js --parallel=false",
     "lavamoat:auto": "yarn lavamoat:build:auto && yarn lavamoat:webapp:auto",
-    "lavamoat:auto:ci": "yarn lavamoat:build:auto && yarn lavamoat:webapp:auto:ci",
     "ts-migration:dashboard:build": "ts-node development/ts-migration-dashboard/scripts/build-app.ts",
     "ts-migration:dashboard:deploy": "gh-pages --dist development/ts-migration-dashboard/build/final --remote ts-migration-dashboard",
     "ts-migration:dashboard:watch": "yarn ts-migration:dashboard:build --watch",