25441711719

Committed 06 May 2026 02:31PM UTC coverage: 92.915%. Remained the same

Build # 25441711719

Build Type

push

github

Committed by

web-flow

Commit Message

use sha pin (with comment) format for generated actions (#23312)

Per the GitHub Action best practices we recently enabled at #23249, we
should pin each action to a SHA so that the reference is actually
immutable.

This will -- I hope -- knock out a large chunk of the 421 alerts we
currently get from zizmor. The next followup would then be upgrades and
harmonizing the generated and none-generated pins.

Notice: This idea was suggested by Claude while going over pinact output
and I was surprised to see that post processing the yaml wasn't too
gross.

Coverage Stats

92206 of 99237 relevant lines covered (92.91%)

4.04 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.68

/src/python/pants/backend/go/util_rules/pkg_pattern.py

# Copyright 2022 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from __future__ import annotations

import re
from collections.abc import Callable

# Adapted from Go toolchain:
# https://github.com/golang/go/blob/6a70292d1cb3464e5b2c2c03341e5148730a1889/src/cmd/internal/pkgpattern/pkgpattern.go
#
# // Copyright 2022 The Go Authors. All rights reserved.
# // Use of this source code is governed by a BSD-style
# // license that can be found in the LICENSE file.


def match_pattern(pattern: str) -> Callable[[str], bool]:
    """MatchPattern(pattern)(name) reports whether name matches pattern. Pattern is a limited glob
    pattern in which '...' means 'any string' and there is no other special syntax. Unfortunately,
    there are two special cases. Quoting "go help packages":

    First, /... at the end of the pattern can match an empty string, so that net/... matches both
    net and packages in its subdirectories, like net/http. Second, any slash-separated pattern
    element containing a wildcard never participates in a match of the "vendor" element in the path
    of a vendored package, so that ./... does not match packages in subdirectories of ./vendor or
    ./mycode/vendor, but ./vendor/... and ./mycode/vendor/... do. Note, however, that a directory
    named vendor that itself contains code is not a vendored package: cmd/vendor would be a command
    named vendor, and the pattern cmd/... matches it.
    """
    return _match_pattern_internal(pattern, True)


def match_simple_pattern(pattern: str) -> Callable[[str], bool]:
    """MatchSimplePattern returns a function that can be used to check whether a given name matches
    a pattern, where pattern is a limited glob pattern in which '...' means 'any string', with no
    other special syntax.

    There is one special case for MatchPatternSimple: according to the rules in "go help packages":
    a /... at the end of the pattern can match an empty string, so that net/... matches both net and
    packages in its subdirectories, like net/http.
    """
    return _match_pattern_internal(pattern, False)


def _match_pattern_internal(pattern: str, vendor_exclude: bool) -> Callable[[str], bool]:
    # Convert pattern to regular expression.
    # The strategy for the trailing /... is to nest it in an explicit ? expression.
    # The strategy for the vendor exclusion is to change the unmatchable
    # vendor strings to a disallowed code point (vendorChar) and to use
    # "(anything but that codepoint)*" as the implementation of the ... wildcard.
    # This is a bit complicated, but the obvious alternative,
    # namely a handwritten search like in most shell glob matchers,
    # is too easy to make accidentally exponential.
    # Using package regexp guarantees linear-time matching.

    vendor_char = chr(0)  # "\x00"

    if vendor_exclude and vendor_char in pattern:
        return lambda _name: False

    r: str = re.escape(pattern)
    wild = ".*"
    if vendor_exclude:
        wild = rf"[^{vendor_char}]*"
        r = _replace_vendor(r, vendor_char)

        suffix = rf"/{vendor_char}/\.\.\."
        if r.endswith(suffix):
            r = r[0 : -len(suffix)] + rf"(/vendor|/{vendor_char}/\.\.\.)"
        elif r == rf"{vendor_char}/\.\.\.":
            r = rf"(/vendor|/{vendor_char}/\.\.\.)"

    suffix = r"/\.\.\."
    if r.endswith(suffix):
        r = r[0 : -len(suffix)] + r"(/\.\.\.)?"
    r = r.replace(r"\.\.\.", wild)

    reg = re.compile(rf"^{r}$")

    def f(name: str) -> bool:
        if vendor_exclude:
            if vendor_char in name:
                return False
            name = _replace_vendor(name, vendor_char)
        return bool(reg.match(name))

    return f


# replaceVendor returns the result of replacing
# non-trailing vendor path elements in x with repl.
def _replace_vendor(x: str, repl: str) -> str:
    if "vendor" not in x:
        return x

    elems = x.split("/")
    for i, elem in enumerate(elems[0:-1]):
        if elem == "vendor":
            elems[i] = repl
    return "/".join(elems)

1	# Copyright 2022 Pants project contributors (see CONTRIBUTORS.md).
2	# Licensed under the Apache License, Version 2.0 (see LICENSE).
3	from __future__ import annotations	7✔
4
5	import re	7✔
6	from collections.abc import Callable	7✔
7
8	# Adapted from Go toolchain:
9	# https://github.com/golang/go/blob/6a70292d1cb3464e5b2c2c03341e5148730a1889/src/cmd/internal/pkgpattern/pkgpattern.go
10	#
11	# // Copyright 2022 The Go Authors. All rights reserved.
12	# // Use of this source code is governed by a BSD-style
13	# // license that can be found in the LICENSE file.
14
15
16	def match_pattern(pattern: str) -> Callable[[str], bool]:	7✔
17	"""MatchPattern(pattern)(name) reports whether name matches pattern. Pattern is a limited glob
18	pattern in which '...' means 'any string' and there is no other special syntax. Unfortunately,
19	there are two special cases. Quoting "go help packages":
20
21	First, /... at the end of the pattern can match an empty string, so that net/... matches both
22	net and packages in its subdirectories, like net/http. Second, any slash-separated pattern
23	element containing a wildcard never participates in a match of the "vendor" element in the path
24	of a vendored package, so that ./... does not match packages in subdirectories of ./vendor or
25	./mycode/vendor, but ./vendor/... and ./mycode/vendor/... do. Note, however, that a directory
26	named vendor that itself contains code is not a vendored package: cmd/vendor would be a command
27	named vendor, and the pattern cmd/... matches it.
28	"""
29	return _match_pattern_internal(pattern, True)	1✔
30
31
32	def match_simple_pattern(pattern: str) -> Callable[[str], bool]:	7✔
33	"""MatchSimplePattern returns a function that can be used to check whether a given name matches
34	a pattern, where pattern is a limited glob pattern in which '...' means 'any string', with no
35	other special syntax.
36
37	There is one special case for MatchPatternSimple: according to the rules in "go help packages":
38	a /... at the end of the pattern can match an empty string, so that net/... matches both net and
39	packages in its subdirectories, like net/http.
40	"""
41	return _match_pattern_internal(pattern, False)	2✔
42
43
44	def _match_pattern_internal(pattern: str, vendor_exclude: bool) -> Callable[[str], bool]:	7✔
45	# Convert pattern to regular expression.
46	# The strategy for the trailing /... is to nest it in an explicit ? expression.
47	# The strategy for the vendor exclusion is to change the unmatchable
48	# vendor strings to a disallowed code point (vendorChar) and to use
49	# "(anything but that codepoint)*" as the implementation of the ... wildcard.
50	# This is a bit complicated, but the obvious alternative,
51	# namely a handwritten search like in most shell glob matchers,
52	# is too easy to make accidentally exponential.
53	# Using package regexp guarantees linear-time matching.
54
55	vendor_char = chr(0) # "\x00"	2✔
56
57	if vendor_exclude and vendor_char in pattern:	2✔
58	return lambda _name: False	×
59
60	r: str = re.escape(pattern)	2✔
61	wild = ".*"	2✔
62	if vendor_exclude:	2✔
63	wild = rf"[^{vendor_char}]*"	1✔
64	r = _replace_vendor(r, vendor_char)	1✔
65
66	suffix = rf"/{vendor_char}/\.\.\."	1✔
67	if r.endswith(suffix):	1✔
68	r = r[0 : -len(suffix)] + rf"(/vendor\|/{vendor_char}/\.\.\.)"	1✔
69	elif r == rf"{vendor_char}/\.\.\.":	1✔
70	r = rf"(/vendor\|/{vendor_char}/\.\.\.)"	×
71
72	suffix = r"/\.\.\."	2✔
73	if r.endswith(suffix):	2✔
74	r = r[0 : -len(suffix)] + r"(/\.\.\.)?"	1✔
75	r = r.replace(r"\.\.\.", wild)	2✔
76
77	reg = re.compile(rf"^{r}$")	2✔
78
79	def f(name: str) -> bool:	2✔
80	if vendor_exclude:	2✔
81	if vendor_char in name:	1✔
82	return False	×
83	name = _replace_vendor(name, vendor_char)	1✔
84	return bool(reg.match(name))	2✔
85
86	return f	2✔
87
88
89	# replaceVendor returns the result of replacing
90	# non-trailing vendor path elements in x with repl.
91	def _replace_vendor(x: str, repl: str) -> str:	7✔
92	if "vendor" not in x:	1✔
93	return x	1✔
94
95	elems = x.split("/")	1✔
96	for i, elem in enumerate(elems[0:-1]):	1✔
97	if elem == "vendor":	1✔
98	elems[i] = repl	1✔
99	return "/".join(elems)	1✔

pantsbuild / pants / 25441711719

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous