feat(lint): add sensitive keyword linter (#10488)

2026-03-10 14:10:37 -07:00 · 2025-10-03 13:25:28 -04:00
parent ee3e4017c3
commit 8149a4546e
2 changed files with 91 additions and 2 deletions
--- a/scripts/lint.js
+++ b/scripts/lint.js
@@ -7,7 +7,13 @@
 */

 import { execSync } from 'node:child_process';
-import { mkdirSync, rmSync } from 'node:fs';
+import {
+  mkdirSync,
+  rmSync,
+  readFileSync,
+  existsSync,
+  lstatSync,
+} from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';

@@ -169,6 +175,82 @@ export function runPrettier() {
  }
 }

+export function runSensitiveKeywordLinter() {
+  console.log('\nRunning sensitive keyword linter...');
+  const SENSITIVE_PATTERN = /gemini-\d+(\.\d+)?/g;
+  const ALLOWED_KEYWORDS = new Set([
+    'gemini-2.5',
+    'gemini-2.0',
+    'gemini-1.5',
+    'gemini-1.0',
+  ]);
+
+  function getChangedFiles() {
+    const baseRef = process.env.GITHUB_BASE_REF || 'main';
+    try {
+      execSync(`git fetch origin ${baseRef}`);
+      const mergeBase = execSync(`git merge-base HEAD origin/${baseRef}`)
+        .toString()
+        .trim();
+      return execSync(`git diff --name-only ${mergeBase}..HEAD`)
+        .toString()
+        .trim()
+        .split('\n')
+        .filter(Boolean);
+    } catch (_error) {
+      console.error(`Could not get changed files against origin/${baseRef}.`);
+      try {
+        console.log('Falling back to diff against HEAD~1');
+        return execSync(`git diff --name-only HEAD~1..HEAD`)
+          .toString()
+          .trim()
+          .split('\n')
+          .filter(Boolean);
+      } catch (_fallbackError) {
+        console.error('Could not get changed files against HEAD~1 either.');
+        process.exit(1);
+      }
+    }
+  }
+
+  const changedFiles = getChangedFiles();
+  let violationsFound = false;
+
+  for (const file of changedFiles) {
+    if (!existsSync(file) || lstatSync(file).isDirectory()) {
+      continue;
+    }
+    const content = readFileSync(file, 'utf-8');
+    const lines = content.split('\n');
+    let match;
+    while ((match = SENSITIVE_PATTERN.exec(content)) !== null) {
+      const keyword = match[0];
+      if (!ALLOWED_KEYWORDS.has(keyword)) {
+        violationsFound = true;
+        const matchIndex = match.index;
+        let lineNum = 0;
+        let charCount = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (charCount + line.length + 1 > matchIndex) {
+            lineNum = i + 1;
+            const colNum = matchIndex - charCount + 1;
+            console.log(
+              `::warning file=${file},line=${lineNum},col=${colNum}::Found sensitive keyword "${keyword}". Please make sure this change is appropriate to submit.`,
+            );
+            break;
+          }
+          charCount += line.length + 1; // +1 for the newline
+        }
+      }
+    }
+  }
+
+  if (!violationsFound) {
+    console.log('No sensitive keyword violations found.');
+  }
+}
+
 function main() {
  const args = process.argv.slice(2);

@@ -190,6 +272,9 @@ function main() {
  if (args.includes('--prettier')) {
    runPrettier();
  }
+  if (args.includes('--sensitive-keywords')) {
+    runSensitiveKeywordLinter();
+  }

  if (args.length === 0) {
    setupLinters();
@@ -198,6 +283,7 @@ function main() {
    runShellcheck();
    runYamllint();
    runPrettier();
+    runSensitiveKeywordLinter();
    console.log('\nAll linting checks passed!');
  }
 }