CS-10959: add lint scripts for packages/observability/ #4614
Open
Add `pnpm --filter @cardstack/observability lint` covering shellcheck,
JSON syntax, App Platform manifest shape, prettier (YAML), and a
secret-shape regression check on dashboard JSON. Wire into ci-lint.yaml
plus the observability-{diff,apply-staging,apply-production} workflows;
the latter three set GRAFANACTL_VALIDATE_ENV so `grafanactl resources
validate` runs against the live Grafana for that env.
Also fixes a few pre-existing shellcheck findings the new lint surfaced
(SC2295 in diff.sh, SC2317 in grafanactl-env.sh, SC2016 in
render-config.sh, SC2034 in extract-amg.sh) and a prettier drift in
docker-compose.yml so the lint passes clean on current state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Adds a dedicated lint entrypoint for packages/observability/ (shell/JSON/YAML + manifest/secret sanity checks) and wires it into CI and the observability diff/apply workflows to catch issues earlier in the Grafana “dashboards as code” pipeline.
Changes:
- Introduces `packages/observability/scripts/lint.sh` and exposes it via `packages/observability/package.json` as `pnpm --filter @cardstack/observability lint`.
- Integrates observability linting into `.github/workflows/ci-lint.yaml` and into the observability diff/apply workflows (with optional `grafanactl resources validate` when tokens are available).
- Includes small script/workflow hygiene fixes (ShellCheck suppressions, quoting tweak, YAML formatting).
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/observability/scripts/lint.sh | New package-scoped lint script covering shellcheck, jq validation, manifest shape, secret redaction regression, prettier YAML, and optional grafanactl validation. |
| packages/observability/package.json | Adds lint script entrypoint for the observability package. |
| .github/workflows/ci-lint.yaml | Runs observability lint on PRs/pushes as part of the main lint workflow. |
| .github/workflows/observability-diff.yml | Runs observability lint (with live validation) before computing/posting the staging diff. |
| .github/workflows/observability-apply-staging.yml | Runs observability lint (with live validation) before applying to staging. |
| .github/workflows/observability-apply-production.yml | Runs observability lint (with live validation) before applying to production. |
| packages/observability/scripts/render-config.sh | Adds targeted ShellCheck suppression around envsubst allow-list usage. |
| packages/observability/scripts/grafanactl-env.sh | Adds ShellCheck suppression for sourced-vs-executed return/exit behavior. |
| packages/observability/scripts/diff.sh | Adjusts prefix-stripping in JSON normalization loop. |
| packages/observability/scripts/migrations/extract-amg.sh | Simplifies fail_on_collision signature and updates call sites. |
| packages/observability/docker-compose.yml | Prettier-driven formatting adjustment for the Loki healthcheck test array. |
Copilot caught that the staging and production apply workflows on this branch dropped the `fetch REALM_SERVER_URL` SSM call, but apply.sh's required_env_vars guard still hard-fails for non-local envs if REALM_SERVER_URL is unset (CS-10923). The drop was unintentional reformatting collateral; the value is still needed at apply time to substitute the dashboards' realm_server constant template variable.

Also confirmed there are no IAM grants to revoke — the SSM paths /staging/boxel-grafana/realm_server_url and the production counterpart are still in cardstack/infra's configs/boxel-observability-apply/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ipts-for-packagesobservability # Conflicts: # .github/workflows/observability-diff.yml
1. shellcheck SC2016 on diff.sh:177
`JQ_NORMALIZE='...'` is a jq script that uses jq's own `\$url`
bound via `--arg url`, so the single-quoting is intentional —
shell expansion would break the jq variable reference. Same
pattern as render-config.sh:31. Added a targeted
`# shellcheck disable=SC2016` directive immediately above the
assignment with the rationale, rather than excluding the rule
globally.
2. PRETTIER_SKIP honored before the pnpm-availability check
The diff/apply workflows intentionally skip `pnpm install` to
stay fast and pass `PRETTIER_SKIP=1`, but the script's old order
errored on missing pnpm before checking the skip flag. Reordered
so PRETTIER_SKIP=1 short-circuits cleanly even when pnpm isn't on
PATH.
Re-ran `pnpm --filter @cardstack/observability lint` (clean
shellcheck output) and `PRETTIER_SKIP=1 bash scripts/lint.sh`
("PRETTIER_SKIP=1 — skipping prettier check" + "lint OK").
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Observability diff (vs staging)

No dashboard / folder changes detected against the staging Grafana. (Run: https://github.com/cardstack/boxel/actions/runs/25341067849)
Summary

Adds a self-contained `lint` script to `packages/observability/` covering the package's actual content — shell scripts, JSON manifests, YAML, plus a regression check on the secret-redaction code path. No JS/TS in this package, so ESLint / TS aren't applicable.

What runs (`scripts/lint.sh`):

1. `scripts/**/*.sh`
2. `jq empty` on every JSON file under `grafanactl/resources/` and `provisioning/`
3. `apiVersion` + `kind` + `metadata.name` (offline schema sanity, no live Grafana required)
4. `templating.list[]` constant variable named `grafana_secret` must equal `REPLACE_AT_APPLY_TIME`. Regression check on `extract-amg.sh`'s redaction
5. `prettier --check` on YAML (matches the rest of the repo's YAML formatting policy)
6. `grafanactl resources validate` — opt-in via `GRAFANACTL_VALIDATE_ENV=local|staging|production`. The diff/apply CI workflows set this with `GRAFANA_TOKEN` already in env, giving manifest-vs-live-server validation at PR / merge time

Wiring:

- `package.json` exposes `"lint": "bash ./scripts/lint.sh"` so root `pnpm lint` picks it up via `--if-present`
- `ci-lint.yaml` runs it on every PR (no token, skips step 6)
- `observability-{diff,apply-staging,apply-production}.yml` run it right after the SSM token fetch, with `GRAFANACTL_VALIDATE_ENV` set so step 6 contacts the right env. `PRETTIER_SKIP=1` in those three avoids forcing a `pnpm install` for a check `ci-lint` already covers

Pre-existing shellcheck/prettier findings the new lint surfaced are fixed in the same commit so it passes clean: SC2295 in `diff.sh`, SC2317 in `grafanactl-env.sh`, SC2016 in `render-config.sh`, SC2034 in `extract-amg.sh`, and a prettier drift in `docker-compose.yml`.

Closes CS-10959. Follow-up to PR #4529 review (Hassan).

Test plan

Verified locally by planting each acceptance-criteria bad case, running `pnpm --filter @cardstack/observability lint`, confirming it fails, then reverting:

- `\$VAR` in a shell script → fails (SC2086)
- `apiVersion` → fails (`missing required field(s): apiVersion`)
- `malformed JSON`)
- `templating.list[].grafana_secret.query` → fails (`is not REPLACE_AT_APPLY_TIME`)
- `pnpm lint` includes the package via `--if-present`
- `grafanactl resources validate` also runs there)

🤖 Generated with Claude Code
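An added example, not the PR's `lint.sh` (its source is not shown on this page): a Python sketch of the offline manifest checks listed above, namely JSON syntax, required fields, and the `grafana_secret` placeholder rule. It goes beyond the `query` check by also flagging copies of the value under `current` and `options`, where Grafana dashboard JSON can repeat a variable's value. The `spec` nesting, the function names and the sample manifest are assumptions.

```python
import json

PLACEHOLDER = "REPLACE_AT_APPLY_TIME"
REQUIRED = ("apiVersion", "kind", "metadata.name")
VALUE_KEYS = {"query", "value", "text"}  # fields that can hold a variable's value

def _get(doc, dotted):
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    for key in dotted.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def _copies(node, path=""):
    """Yield (path, string) for every query/value/text field under a variable."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}" if path else key
            if key in VALUE_KEYS and isinstance(child, str):
                yield here, child
            else:
                yield from _copies(child, here)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _copies(child, f"{path}[{i}]")

def lint_manifest(text):
    """Return findings for one manifest; an empty list means it is clean."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc.msg}"]
    missing = [f for f in REQUIRED if not _get(doc, f)]
    findings = ["missing required field(s): " + ", ".join(missing)] if missing else []
    spec = _get(doc, "spec")  # assumption: the dashboard body sits under "spec"
    dashboard = spec if isinstance(spec, dict) else doc
    for var in _get(dashboard, "templating.list") or []:
        if not (isinstance(var, dict) and var.get("name") == "grafana_secret"
                and var.get("type") == "constant"):
            continue
        # An absent query also fails the rule, so seed it with None.
        copies = {"query": None, **dict(_copies(var))}
        findings += [f"grafana_secret {where} is not {PLACEHOLDER}"
                     for where, val in copies.items() if val != PLACEHOLDER]
    return findings

# Constructed sample: query is redacted but a copy survives under options.
SAMPLE = json.dumps({"apiVersion": "example/v1", "kind": "Dashboard",
    "metadata": {"name": "demo"}, "spec": {"templating": {"list": [{
        "name": "grafana_secret", "type": "constant", "query": PLACEHOLDER,
        "options": [{"value": "constructed-not-a-secret"}]}]}}})
```

Running `lint_manifest(SAMPLE)` reports the unredacted copy at `options[0].value` even though `query` already holds the placeholder.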