25441711719

Committed 06 May 2026 02:31PM UTC coverage: 92.915%. Remained the same

Build # 25441711719

Build Type

push

github

Committed by

web-flow

Commit Message

use sha pin (with comment) format for generated actions (#23312)

Per the GitHub Action best practices we recently enabled at #23249, we
should pin each action to a SHA so that the reference is actually
immutable.

This will -- I hope -- knock out a large chunk of the 421 alerts we
currently get from zizmor. The next followup would then be upgrades and
harmonizing the generated and none-generated pins.

Notice: This idea was suggested by Claude while going over pinact output
and I was surprised to see that post processing the yaml wasn't too
gross.

Coverage Stats

92206 of 99237 relevant lines covered (92.91%)

4.04 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

100.0

/src/python/pants/backend/helm/check/kubeconform/deployment.py

# Copyright 2023 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).

from __future__ import annotations

import logging
from dataclasses import dataclass

from pants.backend.helm.check.kubeconform import common, extra_fields
from pants.backend.helm.check.kubeconform.common import (
    KubeconformCheckRequest,
    RunKubeconformRequest,
    run_kubeconform,
)
from pants.backend.helm.check.kubeconform.extra_fields import KubeconformFieldSet
from pants.backend.helm.check.kubeconform.subsystem import KubeconformSubsystem
from pants.backend.helm.dependency_inference import deployment as infer_deployment
from pants.backend.helm.subsystems.post_renderer import setup_post_renderer_launcher
from pants.backend.helm.target_types import HelmDeploymentFieldSet
from pants.backend.helm.util_rules import post_renderer, renderer
from pants.backend.helm.util_rules.post_renderer import HelmDeploymentPostRendererRequest
from pants.backend.helm.util_rules.renderer import (
    HelmDeploymentCmd,
    HelmDeploymentRequest,
    run_renderer,
)
from pants.core.goals.check import CheckRequest, CheckResult, CheckResults
from pants.engine.rules import collect_rules, concurrently, implicitly, rule
from pants.engine.unions import UnionRule

logger = logging.getLogger(__name__)


@dataclass(frozen=True)
class KubeconformDeploymentFieldSet(HelmDeploymentFieldSet, KubeconformFieldSet):
    pass


class KubeconformCheckDeploymentRequest(KubeconformCheckRequest):
    field_set_type = KubeconformDeploymentFieldSet


@rule
async def run_kubeconform_on_deployment(
    field_set: KubeconformDeploymentFieldSet,
) -> CheckResult:
    if field_set.skip.value:
        return CheckResult(
            exit_code=0, stdout="", stderr="", partition_description=field_set.address.spec
        )

    post_renderer = await setup_post_renderer_launcher(
        **implicitly(HelmDeploymentPostRendererRequest(field_set))
    )
    rendered_files = await run_renderer(
        **implicitly(
            HelmDeploymentRequest(
                field_set,
                cmd=HelmDeploymentCmd.RENDER,
                post_renderer=post_renderer,
                description=f"Evaluating Helm deployment files for {field_set.address}",
            )
        )
    )

    return await run_kubeconform(RunKubeconformRequest(field_set, rendered_files), **implicitly())


@rule
async def run_check_deployment(
    request: KubeconformCheckDeploymentRequest,
    kubeconform: KubeconformSubsystem,
) -> CheckResults:
    check_results = await concurrently(
        run_kubeconform_on_deployment(field_set) for field_set in request.field_sets
    )
    return CheckResults(check_results, checker_name=kubeconform.name)


def rules():
    return [
        *collect_rules(),
        *extra_fields.rules(),
        *infer_deployment.rules(),
        *post_renderer.rules(),
        *renderer.rules(),
        *common.rules(),
        UnionRule(CheckRequest, KubeconformCheckDeploymentRequest),
    ]

1	# Copyright 2023 Pants project contributors (see CONTRIBUTORS.md).
2	# Licensed under the Apache License, Version 2.0 (see LICENSE).
3
4	from __future__ import annotations	3✔
5
6	import logging	3✔
7	from dataclasses import dataclass	3✔
8
9	from pants.backend.helm.check.kubeconform import common, extra_fields	3✔
10	from pants.backend.helm.check.kubeconform.common import (	3✔
11	KubeconformCheckRequest,
12	RunKubeconformRequest,
13	run_kubeconform,
14	)
15	from pants.backend.helm.check.kubeconform.extra_fields import KubeconformFieldSet	3✔
16	from pants.backend.helm.check.kubeconform.subsystem import KubeconformSubsystem	3✔
17	from pants.backend.helm.dependency_inference import deployment as infer_deployment	3✔
18	from pants.backend.helm.subsystems.post_renderer import setup_post_renderer_launcher	3✔
19	from pants.backend.helm.target_types import HelmDeploymentFieldSet	3✔
20	from pants.backend.helm.util_rules import post_renderer, renderer	3✔
21	from pants.backend.helm.util_rules.post_renderer import HelmDeploymentPostRendererRequest	3✔
22	from pants.backend.helm.util_rules.renderer import (	3✔
23	HelmDeploymentCmd,
24	HelmDeploymentRequest,
25	run_renderer,
26	)
27	from pants.core.goals.check import CheckRequest, CheckResult, CheckResults	3✔
28	from pants.engine.rules import collect_rules, concurrently, implicitly, rule	3✔
29	from pants.engine.unions import UnionRule	3✔
30
31	logger = logging.getLogger(__name__)	3✔
32
33
34	@dataclass(frozen=True)	3✔
35	class KubeconformDeploymentFieldSet(HelmDeploymentFieldSet, KubeconformFieldSet):	3✔
36	pass	3✔
37
38
39	class KubeconformCheckDeploymentRequest(KubeconformCheckRequest):	3✔
40	field_set_type = KubeconformDeploymentFieldSet	3✔
41
42
43	@rule	3✔
44	async def run_kubeconform_on_deployment(	3✔
45	field_set: KubeconformDeploymentFieldSet,
46	) -> CheckResult:
47	if field_set.skip.value:	3✔
48	return CheckResult(	1✔
49	exit_code=0, stdout="", stderr="", partition_description=field_set.address.spec
50	)
51
52	post_renderer = await setup_post_renderer_launcher(	3✔
53	**implicitly(HelmDeploymentPostRendererRequest(field_set))
54	)
55	rendered_files = await run_renderer(	3✔
56	**implicitly(
57	HelmDeploymentRequest(
58	field_set,
59	cmd=HelmDeploymentCmd.RENDER,
60	post_renderer=post_renderer,
61	description=f"Evaluating Helm deployment files for {field_set.address}",
62	)
63	)
64	)
65
66	return await run_kubeconform(RunKubeconformRequest(field_set, rendered_files), **implicitly())	3✔
67
68
69	@rule	3✔
70	async def run_check_deployment(	3✔
71	request: KubeconformCheckDeploymentRequest,
72	kubeconform: KubeconformSubsystem,
73	) -> CheckResults:
74	check_results = await concurrently(	3✔
75	run_kubeconform_on_deployment(field_set) for field_set in request.field_sets
76	)
77	return CheckResults(check_results, checker_name=kubeconform.name)	3✔
78
79
80	def rules():	3✔
81	return [	3✔
82	*collect_rules(),
83	*extra_fields.rules(),
84	*infer_deployment.rules(),
85	*post_renderer.rules(),
86	*renderer.rules(),
87	*common.rules(),
88	UnionRule(CheckRequest, KubeconformCheckDeploymentRequest),
89	]

pantsbuild / pants / 25441711719

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous