|
| 1 | +# Bitwarden Workflow Linter - Copilot Instructions |
| 2 | + |
| 3 | +## Repository Overview |
| 4 | + |
| 5 | +**Bitwarden Workflow Linter** is an extensible Python CLI tool that enforces opinionated organization-specific GitHub Action standards. |
| 6 | + |
| 7 | +**CRITICAL UNDERSTANDING**: This tool generates and publishes **rules that are consumed across ALL Bitwarden repositories**. Changes to rules affect the entire Bitwarden organization's CI/CD pipelines, not just this repository. Rules are distributed via PyPI and consumed by repositories through the [composite Action](https://github.com/bitwarden/gh-actions/tree/main/lint-workflow). |
| 8 | + |
| 9 | +### High-Level Details |
| 10 | + |
| 11 | +- **Type**: Python CLI application and library (~86 Python files) |
| 12 | +- **Language**: Python 3.13.5 (minimum 3.11 supported) |
| 13 | +- **Package Manager**: pipenv for dependencies, hatch for building/publishing |
| 14 | +- **Distribution**: Published to PyPI as `bitwarden_workflow_linter` |
| 15 | +- **CLI Command**: `bwwl` |
| 16 | +- **Organizational Impact**: Rules affect CI/CD across entire Bitwarden codebase |
| 17 | + |
| 18 | +## Build & Development Setup |
| 19 | + |
| 20 | +### Essential Commands (Always run in this order) |
| 21 | + |
| 22 | +```bash |
| 23 | +# Setup (REQUIRED before any development work) |
| 24 | +pipenv install --dev |
| 25 | +pipenv shell |
| 26 | +pip install -e . |
| 27 | + |
| 28 | +# Testing (ALWAYS run before submitting changes) |
| 29 | +pytest tests --cov=src |
| 30 | + |
| 31 | +# Code quality (REQUIRED before merging to main) |
| 32 | +black . |
| 33 | +pylint --rcfile pylintrc src/ tests/ |
| 34 | + |
| 35 | +# Type checking (Linux only) |
| 36 | +pytype src |
| 37 | +``` |
| 38 | + |
| 39 | +### Task Runner Shortcuts |
| 40 | + |
| 41 | +- `task test:cov` - Run tests with coverage |
| 42 | +- `task fmt` - Format code with black |
| 43 | +- `task lint` - Run pylint |
| 44 | + |
| 45 | +## Key Project Structure |
| 46 | + |
| 47 | +**Rules Location**: `src/bitwarden_workflow_linter/rules/` - All linting rules |
| 48 | +**Rule Base Class**: `src/bitwarden_workflow_linter/rule.py` - Extend this for new rules |
| 49 | +**CLI Entry**: `src/bitwarden_workflow_linter/cli.py:main()` |
| 50 | +**Configuration**: |
| 51 | + |
| 52 | +- `settings.yaml` (local overrides) |
| 53 | +- `src/bitwarden_workflow_linter/default_settings.yaml` (defaults) |
| 54 | + |
| 55 | +## Rule Development - Organization-Wide Impact |
| 56 | + |
| 57 | +**CRITICAL**: Rules developed here are distributed to and enforced across ALL Bitwarden repositories. Every rule change has organization-wide impact. |
| 58 | + |
| 59 | +### Rule Distribution Flow |
| 60 | + |
| 61 | +1. Rules developed/tested in this repository |
| 62 | +2. Published to PyPI as `bitwarden_workflow_linter` |
| 63 | +3. Consumed by all Bitwarden repositories via gh-actions/lint-workflow |
| 64 | +4. Enforced in CI/CD pipelines organization-wide |
| 65 | +5. Rule failures can block deployments across hundreds of repositories |
| 66 | + |
| 67 | +### Rule Rollout Process (MANDATORY) |
| 68 | + |
| 69 | +**Before making ANY rule changes, read `RULE_ROLLOUT.md`** - documents the careful process for organization-wide deployment. |
| 70 | + |
| 71 | +**Key principles:** |
| 72 | + |
| 73 | +- **Gradual Rollout**: New rules start as `warning`, then upgrade to `error` |
| 74 | +- **Impact Assessment**: Test against representative workflows before activation |
| 75 | +- **Communication**: Coordinate with teams before deploying breaking changes |
| 76 | + |
| 77 | +### Adding New Rules |
| 78 | + |
| 79 | +1. **CRITICAL**: Rules must be implemented, tested, and merged to main BEFORE activation |
| 80 | +2. **CRITICAL**: Follow `RULE_ROLLOUT.md` process to avoid breaking organization CI |
| 81 | +3. Extend `Rule` base class in `src/bitwarden_workflow_linter/rule.py` |
| 82 | +4. Place in `src/bitwarden_workflow_linter/rules/` |
| 83 | +5. Must define: `message`, `on_fail`, `compatibility`, `settings`, and `fn()` method |
| 84 | +6. Add comprehensive tests with 100% coverage |
| 85 | +7. Start with `warning` level, upgrade to `error` after validation period |
| 86 | +8. After release, activate by adding to `settings.yaml` and `default_settings.yaml` |
| 87 | + |
| 88 | +### Rule Impact Levels |
| 89 | + |
| 90 | +- **ERROR Level**: Block CI/CD across all Bitwarden repositories - handle with extreme care |
| 91 | +- **WARNING Level**: Generate notifications but don't block - safer for initial rollout |
| 92 | + |
| 93 | +## Security Considerations |
| 94 | + |
| 95 | +### Critical Security Rules (Organization-Wide) |
| 96 | + |
| 97 | +- **Action Pinning**: `step_pinned.py` enforces SHA pinning (not tags) at ERROR level across all repos |
| 98 | + - Example: `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` |
| 99 | +- **Approved Actions**: `step_approved.py` enforces use of pre-approved actions only |
| 100 | +- **Permissions**: `permissions_exist.py` enforces explicit permissions in workflows |
| 101 | +- **PR Target Protection**: `check_pr_target.py` prevents dangerous `pull_request_target` usage |
| 102 | + |
| 103 | +**Security rule changes affect organization-wide security posture - always coordinate with security team.** |
| 104 | + |
| 105 | +## Critical Issues & Solutions |
| 106 | + |
| 107 | +### Rule Activation Order |
| 108 | + |
| 109 | +- **ERROR**: Activating rules before release causes import errors across all Bitwarden repositories |
| 110 | +- **SOLUTION**: Always merge rule implementation first, then activate after PyPI release |
| 111 | + |
| 112 | +### Organization-Wide Impact |
| 113 | + |
| 114 | +- **ERROR**: Deploying ERROR-level rules without testing breaks CI across hundreds of repositories |
| 115 | +- **SOLUTION**: Start with WARNING level, test extensively, coordinate rollout via `RULE_ROLLOUT.md` |
| 116 | + |
| 117 | +### Testing Best Practices |
| 118 | + |
| 119 | +- Tests change directories to avoid repo-specific paths |
| 120 | +- Use `default_settings.yaml` instead of repo `settings.yaml` in tests |
| 121 | +- Run with `--strict` flag to catch warnings as errors |
| 122 | +- Test rules against diverse workflow patterns from different Bitwarden repositories |
| 123 | + |
| 124 | +## Agent Instructions |
| 125 | + |
| 126 | +**Trust these instructions first** - only search for additional information if incomplete or incorrect. |
| 127 | + |
| 128 | +**CRITICAL AWARENESS**: This repository's rules are consumed across ALL Bitwarden repositories. Every change has organization-wide impact. |
| 129 | + |
| 130 | +**Required sequence for changes:** |
| 131 | + |
| 132 | +1. **Read `RULE_ROLLOUT.md` if working with rules** - understand organization-wide impact |
| 133 | +2. `pipenv shell && pip install -e .` |
| 134 | +3. `pytest tests --cov=src` |
| 135 | +4. `black . && pylint --rcfile pylintrc src/ tests/` |
| 136 | +5. Test CLI: `bwwl lint --files tests/fixtures` |
| 137 | + |
| 138 | +**For rule development:** |
| 139 | + |
| 140 | +- Rules affect hundreds of other Bitwarden repositories |
| 141 | +- Start with WARNING level, coordinate rollout, upgrade to ERROR only after validation |
| 142 | +- **Never deploy ERROR-level rules without extensive testing and coordination** |
0 commit comments