
pantsbuild / pants / 25441711719

06 May 2026 02:31PM UTC coverage: 92.915%. Remained the same
25441711719

push

github

web-flow
use sha pin (with comment) format for generated actions (#23312)

Per the GitHub Action best practices we recently enabled at #23249, we
should pin each action to a SHA so that the reference is actually
immutable.

This will -- I hope -- knock out a large chunk of the 421 alerts we
currently get from zizmor. The next follow-up would then be upgrades and
harmonizing the generated and non-generated pins.

Notice: This idea was suggested by Claude while going over pinact output
and I was surprised to see that post processing the yaml wasn't too
gross.

92206 of 99237 relevant lines covered (92.91%)

4.04 hits per line

Source File

100.0
/src/python/pants/backend/visibility/rules.py
# Copyright 2022 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from __future__ import annotations

from collections.abc import Iterable

from pants.backend.visibility.rule_types import BuildFileVisibilityRules
from pants.backend.visibility.subsystem import VisibilitySubsystem
from pants.engine.goal import CurrentExecutingGoals
from pants.engine.internals.build_files import get_dependencies_rule_application
from pants.engine.internals.dep_rules import (
    BuildFileDependencyRulesImplementation,
    BuildFileDependencyRulesImplementationRequest,
)
from pants.engine.rules import Rule, collect_rules, implicitly, rule
from pants.engine.target import (
    Dependencies,
    DependenciesRuleApplicationRequest,
    FieldSet,
    ValidatedDependencies,
    ValidateDependenciesRequest,
)
from pants.engine.unions import UnionRule


class BuildFileVisibilityImplementationRequest(BuildFileDependencyRulesImplementationRequest):
    """Request type that selects the visibility backend's dependency-rules implementation.

    Adds no fields or behaviour of its own. `rules()` registers it as a union member of
    `BuildFileDependencyRulesImplementationRequest`, and
    `build_file_visibility_implementation` answers it with `BuildFileVisibilityRules`.
    """


class VisibilityValidateFieldSet(FieldSet):
    """Field set carried by `VisibilityValidateDependenciesRequest`."""

    # `Dependencies` is the only field listed as required.
    required_fields = (Dependencies,)


class VisibilityValidateDependenciesRequest(ValidateDependenciesRequest):
    """Dependency-validation request handled by `visibility_validate_dependencies`.

    `rules()` registers it as a union member of `ValidateDependenciesRequest`.
    """

    # Field set type attached to this request.
    field_set_type = VisibilityValidateFieldSet


@rule
async def build_file_visibility_implementation(
    _: BuildFileVisibilityImplementationRequest,
) -> BuildFileDependencyRulesImplementation:
    """Return the dependency-rules implementation provided by the visibility backend.

    The request argument is unused; the result always wraps `BuildFileVisibilityRules`.
    """
    implementation = BuildFileDependencyRulesImplementation(BuildFileVisibilityRules)
    return implementation


@rule
async def visibility_validate_dependencies(
    request: VisibilityValidateDependenciesRequest,
    visibility: VisibilitySubsystem,
    goals: CurrentExecutingGoals,
) -> ValidatedDependencies:
    """Apply the BUILD-file dependency rules to one target's dependencies.

    This is the enforcement point registered for `ValidateDependenciesRequest`. It returns
    an empty `ValidatedDependencies()` on every path, so any effect of a rule comes from
    `execute_actions()` and not from the return value.

    Args:
        request: Carries the field set (whose address is checked) and its dependencies.
        visibility: Subsystem options; `enforce` switches this validation on or off.
        goals: Used to detect whether the "lint" goal is currently running.
    """
    # Enforcement is bypassed when the `enforce` option is off or while "lint" is running,
    # so a passing run in either mode says nothing about rule compliance from this path.
    # NOTE(review): presumably lint reports violations through a separate path. Confirm.
    enforcement_active = visibility.enforce and not goals.is_running("lint")
    if not enforcement_active:
        return ValidatedDependencies()

    address = request.field_set.address
    application_request = DependenciesRuleApplicationRequest(
        address=address,
        dependencies=request.dependencies,
        description_of_origin=f"get dependency rules for {address}",
    )
    dependencies_rule_action = await get_dependencies_rule_application(
        application_request,
        **implicitly(),
    )

    # NOTE(review): presumably this raises or warns for a denied dependency. Confirm
    # against the type returned by get_dependencies_rule_application.
    dependencies_rule_action.execute_actions()
    return ValidatedDependencies()


def rules() -> Iterable[Rule | UnionRule]:
    """Return the rules and union registrations for the visibility backend.

    The result is a tuple: everything `collect_rules()` yields, followed by the two union
    memberships that register this module's request types with their base request types.
    """
    # NOTE(review): presumably collect_rules() with no arguments discovers the @rule
    # functions defined in this module. Confirm.
    discovered = collect_rules()
    implementation_union = UnionRule(
        BuildFileDependencyRulesImplementationRequest,
        BuildFileVisibilityImplementationRequest,
    )
    validation_union = UnionRule(
        ValidateDependenciesRequest,
        VisibilityValidateDependenciesRequest,
    )
    return (*discovered, implementation_union, validation_union)