Add check-for-go-fips-test pre-commit hook

Implements GitHub issue requirements:
- Detects packages using go-fips in environment or pipeline
- Verifies they have corresponding go-fips test (uses: test/go-fips-check)
- Reports failures for packages missing the required test

Author: AmberArcadia

.gitignore

@@ -0,0 +1 @@
+__pycache__/

.pre-commit-hooks.yaml

@@ -20,3 +20,13 @@
     - manual
   types:
     - yaml
+- id: check-for-go-fips-test
+  name: check for go-fips test
+  description: Check that packages using go-fips have corresponding go-fips tests
+  entry: check-for-go-fips-test
+  language: python
+  stages:
+    - pre-commit
+    - manual
+  types:
+    - yaml

example.pre-commit-config.yaml

@@ -18,6 +18,8 @@ repos:
           (?x)^(
               [^/]+\.ya?ml                      # matches .yaml or .yml files at the top level only
           )$
+      - id: check-for-go-fips-test
+        files: '^[^.][^/]*\.yaml$' # matches non-hidden .yaml files at the top level only
   - repo: https://github.com/chainguard-dev/yam
     rev: 768695300c5f663012a77911eb4920c12e5ed2e5 # frozen: v0.2.26
     hooks:

pre_commit_hooks/check_for_go_fips_test.py

@@ -0,0 +1,83 @@
+from __future__ import annotations
+
+import argparse
+import sys
+from collections.abc import Sequence
+from typing import Any
+
+import ruamel.yaml
+
+yaml = ruamel.yaml.YAML(typ="safe")
+
+
+def uses_go_fips(melange_cfg: dict[str, Any]) -> bool:
+    """Check if package uses go-fips."""
+    # Check environment packages
+    env_packages = melange_cfg.get("environment", {}).get("contents", {}).get("packages", [])
+    if "go-fips" in env_packages:
+        return True
+    
+    # Check pipeline steps for go/build with go-package: go-fips
+    pipelines = melange_cfg.get("pipeline", [])
+    for step in pipelines:
+        if step.get("uses") == "go/build":
+            if step.get("with", {}).get("go-package") == "go-fips":
+                return True
+    
+    # Check subpackage pipelines
+    for subpkg in melange_cfg.get("subpackages", []):
+        subpkg_pipelines = subpkg.get("pipeline", [])
+        for step in subpkg_pipelines:
+            if step.get("uses") == "go/build":
+                if step.get("with", {}).get("go-package") == "go-fips":
+                    return True
+    
+    return False
+
+
+def has_go_fips_test(melange_cfg: dict[str, Any]) -> bool:
+    """Check if package has go-fips test."""
+    test_section = melange_cfg.get("test", {})
+    test_pipelines = test_section.get("pipeline", [])
+    
+    for step in test_pipelines:
+        if step.get("uses") == "test/go-fips-check":
+            return True
+    
+    return False
+
+
+def main(argv: Sequence[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(
+        description="Check that packages using go-fips have corresponding go-fips tests"
+    )
+    parser.add_argument("filenames", nargs="*", help="Filenames to check")
+    args = parser.parse_args(argv)
+    
+    retval = 0
+    
+    for filename in args.filenames:
+        try:
+            with open(filename) as f:
+                melange_cfg = yaml.load(f)
+        except Exception as e:
+            print(f"Error loading {filename}: {e}")
+            retval = 1
+            continue
+            
+        if not melange_cfg:
+            continue
+            
+        if uses_go_fips(melange_cfg):
+            if not has_go_fips_test(melange_cfg):
+                print(
+                    f"{filename}: Package uses go-fips but does not have "
+                    "a corresponding go-fips test (add '- uses: test/go-fips-check' to test pipeline)"
+                )
+                retval = 1
+    
+    return retval
+
+
+if __name__ == "__main__":
+    sys.exit(main())

setup.cfg

@@ -22,6 +22,7 @@ python_requires = >=3.9
 [options.entry_points]
 console_scripts =
     shellcheck-run-steps = pre_commit_hooks.shellcheck_run_steps:main
+    check-for-go-fips-test = pre_commit_hooks.check_for_go_fips_test:main
 
 [bdist_wheel]
 universal = True