feat: integrate embedded-cluster CLI lint into release lint pipeline#696
feat: integrate embedded-cluster CLI lint into release lint pipeline#696
Conversation
Adds EC lint as an opt-in linter (disabled by default) that runs the embedded-cluster CLI against manifest directories and surfaces results alongside Helm, Preflight, and Support Bundle lint output. - New ECLinterConfig type with disabled-by-default IsEnabled() semantics - Discovers EC version automatically from the EmbeddedCluster Config manifest - Downloads the EC CLI binary from S3 by version, caches it alongside other tools - Supports binary-path config field and REPLICATED_EMBEDDED_CLUSTER_BINARY_PATH env var to bypass the resolver - Configurable --disable checks with sensible defaults Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
…ries Replaces manifestBaseDirs with ExpandManifestGlobs which expands the manifest glob patterns from .replicated config to actual YAML file paths, applying the same gitignore and hidden-path filtering as other linters. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Kots uses LinterConfig where nil Disabled means enabled, so it requires an explicit boolPtr(true). Also adds a nil-check in ApplyDefaults to default Kots to disabled when a repl-lint section exists but omits Kots. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lyDefaults Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…on path Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| return fmt.Errorf("checksum verification failed: %w", err) | ||
| } | ||
| case ToolEmbeddedCluster: | ||
| // No checksum verification for EC archives |
There was a problem hiding this comment.
Downloaded EC binary executed without integrity verification
Low Severity
The EC binary is downloaded from S3 and subsequently executed via exec.CommandContext without any checksum or signature verification. All other downloaded tools (Helm, Preflight, Support Bundle) perform checksum verification before execution. A compromised or tampered artifact on the S3 bucket would be silently accepted and run.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit e5e82ff. Configure here.
There was a problem hiding this comment.
we dont yet have checksums
- Use json.NewDecoder loop in LintEmbeddedCluster to handle trailing content after JSON output (matches parseTroubleshootJSON approach) - Iterate YAML documents in parseECVersionFromFile to find EC Config in non-first documents of multi-document YAML files - Move DiscoverECVersion after binary path resolution so it is skipped when a binary path is explicitly provided (no version needed) - Skip DownloadWithFallback for EC since version is always explicit; fallback to latest is unsupported and produced a misleading error message Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…o-discovery mode The early return for "No lintable resources found" ran before the EC linting block, silently skipping EC lint even when explicitly enabled. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 15a52dd. Configure here.
| } | ||
|
|
||
| return messages | ||
| } |
There was a problem hiding this comment.
Redundant convertECResultToMessages duplicates generic troubleshoot converter
Low Severity
convertECResultToMessages is a near-exact copy of convertTroubleshootResultToMessages in troubleshoot_common.go. The only structural difference is that ecFileResult uses the JSON tag "info" instead of "infos". The conversion logic (iterating errors, warnings, infos and calling formatTroubleshootMessage) is identical. This duplication means any future changes to the message conversion pattern need to be applied in two places.
Reviewed by Cursor Bugbot for commit 15a52dd. Configure here.
1 participant
Summary
ECLinterConfigtype with disabled-by-defaultIsEnabled()semantics — enable withrepl-lint.linters.embedded-cluster.disabled: falseEmbeddedCluster/Configmanifest (spec.version) in the manifests directory — no need to configure it separatelyhttps://tf-staging-embedded-cluster-bin.s3.us-east-1.amazonaws.com/releases/{version}-{os}.tgz) and caches it alongside other toolsbinary-pathconfig field andREPLICATED_EMBEDDED_CLUSTER_BINARY_PATHenv var to bypass the resolver (useful for local dev/testing)disable-checkslist with defaults (helmchart-archive,ecconfig-helmchart-archive)Example config
Test plan
replicated release lintwithout EC config — EC section shows as disabled.replicated, point at a manifests dir with anEmbeddedCluster/Configmanifest — version is auto-discovered, binary is downloaded and linting runsREPLICATED_EMBEDDED_CLUSTER_BINARY_PATHto a local binary — resolver is bypassedembedded_cluster_resultsfieldlinting failedexit code🤖 Generated with Claude Code