check-for-unattached-signatures.py: codequality JSON output

2026-05-17 19:29:13 +00:00 · 2025-04-07 17:42:35 +02:00 · 2025-04-07 17:42:35 +02:00 · 0b3aaec700
commit 0b3aaec700
parent 874ba421b6
2 changed files with 38 additions and 9 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -215,7 +215,7 @@ lint:
  script:
    - apt-get -qy update
    - apt-get -qy dist-upgrade
-    - apt-get -qy install --no-install-recommends exiftool git python3 python3-yaml
+    - apt-get -qy install --no-install-recommends exiftool git jq python3 python3-yaml
    - export EXITVALUE=0
    - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }

@ -230,7 +230,13 @@ lint:
    - ./tools/check-for-unattached-signatures.py || set_error
    - ./tools/make-summary-translatable.py || set_error

+    # GitLab only supports one codequality report per job
+    - jq '[.[]|.[]]' --slurp *.json > codequality.json
+
    - exit $EXITVALUE
+  artifacts:
+    reports:
+      codequality: codequality.json

 schema validation:
  stage: test
--- a/tools/check-for-unattached-signatures.py
+++ b/tools/check-for-unattached-signatures.py
@ -6,24 +6,47 @@
 # files are useless cruft.

 import glob
+import hashlib
+import json
 import os
-
+import sys
 import yaml

+CODEQUALITY_REPORT = list()
+CHECK_NAME = os.path.basename(__file__)
+
 errors = 0
-for d in glob.glob('metadata/*/signatures/[0-9]*'):
+for d in glob.glob("metadata/*/signatures/[0-9]*"):
    appid = os.path.basename(os.path.dirname(os.path.dirname(d)))
-    with open(os.path.join('metadata', appid + '.yml')) as fp:
+    with open(os.path.join("metadata", appid + ".yml")) as fp:
        app = yaml.safe_load(fp)
    versionCode = os.path.basename(d)
    found = False
-    for build in app['Builds']:
-        if int(versionCode) == int(build['versionCode']):
+    for build in app["Builds"]:
+        if int(versionCode) == int(build["versionCode"]):
            found = True
            break
    if not found:
-        print('ERROR: found signatures files with no matching build:')
+        errors += 1
+        msg = "found signatures files with no matching build"
+        print(f"ERROR: {msg}:")
        for f in os.listdir(d):
-            print('\t', os.path.join(d, f))
+            sig_file = os.path.join(d, f)
+            print(f"\t{sig_file}")
+            m = hashlib.sha256()
+            with open(sig_file, 'rb') as fp:
+                m.update(fp.read())
+            CODEQUALITY_REPORT.append(
+                {
+                    "description": msg,
+                    "check_name": CHECK_NAME,
+                    "fingerprint": CHECK_NAME + f + m.hexdigest(),
+                    "severity": "major",
+                    "location": {"path": sig_file, "lines": {"begin": 0}},
+                }
+            )

-exit(errors)
+with open(f"{CHECK_NAME}.json", "w") as fp:
+    json.dump(CODEQUALITY_REPORT, fp)
+
+sys.exit(errors)