From e69f3ab70aa248d7cb43eda1b920d196b79188b1 Mon Sep 17 00:00:00 2001 From: Lucas Rodriguez Date: Tue, 7 May 2024 12:41:12 -0500 Subject: [PATCH] chore: add a check for go mod tidy (#2481) ## Description Adds a check in CI and `pre-commit` hooks to check if `go mod tidy` needs to be ran in a PR This PR adds: - shell script to check if `go mod tidy` needs to be ran in a PR - `make` target to call the script - workflow to run in CI - `pre-commit` hook ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed --- .github/workflows/scan-go-mod-tidy.yml | 26 ++++++++++++++++++++++++++ .pre-commit-config.yaml | 4 ++++ Makefile | 4 ++++ hack/check-go-mod-tidy.sh | 9 +++++++++ 4 files changed, 43 insertions(+) create mode 100644 .github/workflows/scan-go-mod-tidy.yml create mode 100755 hack/check-go-mod-tidy.sh diff --git a/.github/workflows/scan-go-mod-tidy.yml b/.github/workflows/scan-go-mod-tidy.yml new file mode 100644 index 0000000000..2eab6ce696 --- /dev/null +++ b/.github/workflows/scan-go-mod-tidy.yml @@ -0,0 +1,26 @@ +name: Validate Go Mod Tidy +on: + pull_request: + paths: + - "go.mod" + - "go.sum" + +permissions: + contents: read + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Setup golang + uses: ./.github/actions/golang + + - name: Check go mod tidy + run: make test-go-mod-tidy + + - name: Save logs + if: always() + uses: ./.github/actions/save-logs diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5e96cba653..38e3b129cf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -47,6 +47,10 @@ repos: files: .go$ language: system pass_filenames: true + - id: check-go-mod-tidy + name: Check for out of sync Go module dependencies + entry: make test-go-mod-tidy + language: system - repo: https://github.com/python-jsonschema/check-jsonschema rev: 0.14.0 hooks: diff --git a/Makefile b/Makefile index 6adc76e641..18a61a82cd 100644 --- a/Makefile +++ b/Makefile @@ -220,6 +220,10 @@ test-docs-and-schema: test-cves: go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype --fail-on low +# INTERNAL: used to test that a dev has ran `go mod tidy` in their PR +test-go-mod-tidy: + ./hack/check-go-mod-tidy.sh + cve-report: ## Create a CVE report for the current project (must `brew install grype` first) @test -d ./build || mkdir ./build go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/grype.tmpl > build/zarf-known-cves.csv diff --git a/hack/check-go-mod-tidy.sh b/hack/check-go-mod-tidy.sh new file mode 100755 index 0000000000..d9603736e8 --- /dev/null +++ b/hack/check-go-mod-tidy.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +set -euo pipefail + +go mod tidy +if ! git diff --quiet go.mod go.sum; then + echo "ERROR: Changes detected after running 'go mod tidy'. Please run 'go mod tidy' and commit the changes." + exit 1 +fi
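Review bot: the `paths` filter in `.github/workflows/scan-go-mod-tidy.yml` limits the job to pull requests that touch `go.mod` or `go.sum`, so a PR that only adds or removes an import in a `.go` file, which is the usual way the module files fall out of sync, never triggers the check. Consider adding `"**.go"` to `paths` or dropping the filter, so that stale or missing `go.sum` entries are caught in the PR that introduces them.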
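Review bot: the `check-go-mod-tidy` hook in `.pre-commit-config.yaml` does not set `pass_filenames: false`, and pre-commit appends the staged file names to `entry` by default, so `make test-go-mod-tidy` receives every staged path as an extra make target. Add `pass_filenames: false`, and consider a `files` pattern such as `\.go$|^go\.(mod|sum)$` so the hook does not run `go mod tidy` on commits that cannot change the module graph.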
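Review bot: in `hack/check-go-mod-tidy.sh`, `git diff --quiet go.mod go.sum` compares the working tree with the index rather than with the state before `go mod tidy` ran, so a local `make test-go-mod-tidy` with already tidy but unstaged edits to `go.mod` fails with a misleading error, and the script leaves its own rewrite of both files in the tree. Comparing against copies taken before the `go mod tidy` call (or using `go mod tidy -diff` once the toolchain is Go 1.23 or newer) would test only what tidy changed. Printing `git diff go.mod go.sum` before `exit 1` would also let the CI log show which entries are out of sync.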