Clean up Makefile corpus targets to use isolated temp dirs

philhassey · claude · philhassey · commit d6277580e2cd · 2026-03-18T15:34:25.000-06:00
Each corpus generation target now uses a private mktemp -d with a
trap for cleanup on failure, eliminating shared /tmp/corpus-tests
collisions and leaked temp files. Quote basename arguments for
safety with special characters. Add extracted corpus directories
to .gitignore.

Signed-off-by: Phil Hassey &lt;phil@strongdm.com&gt;

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,9 @@ tmp/
 .DS_Store
 coverage.out
 test/cedar-validation-tool/target/
+corpus-tests/
+corpus-tests-json-schemas/
+corpus-tests-validation/
 *.out
 .ai/
 ideas/
diff --git a/Makefile b/Makefile
@@ -13,11 +13,16 @@ linters:
 	go tool cover -func=coverage.out | sed 's/%$$//' | awk '$$2 == "isCedarType" { next } $$2 == "Entity" && $$1 ~ /entity\.go/ { next } $$2 == "typeOfExtensionCall" { next } { if ($$3 < 100.0) { printf "Insufficient code coverage for %s\n", $$0; failed=1 } } END { exit failed }'
 
 # Download the latest corpus tests tarball and overwrite corpus-tests.tar.gz if changed
-.PHONY: check-upstream-corpus
 check-upstream-corpus:
-	@tmp="$$(mktemp)" && \
-	curl -fL -o "$$tmp" https://raw.githubusercontent.com/cedar-policy/cedar-integration-tests/main/corpus-tests.tar.gz && \
-	if cmp -s "$$tmp" corpus-tests.tar.gz; then echo "corpus-tests.tar.gz is up to date."; rm -f "$$tmp"; else mv "$$tmp" corpus-tests.tar.gz; echo "corpus-tests.tar.gz updated."; fi
+	@tmpdir="$$(mktemp -d)" && \
+	trap 'rm -rf "$$tmpdir"' EXIT && \
+	curl -fL -o "$$tmpdir/corpus-tests.tar.gz" https://raw.githubusercontent.com/cedar-policy/cedar-integration-tests/main/corpus-tests.tar.gz && \
+	if cmp -s "$$tmpdir/corpus-tests.tar.gz" corpus-tests.tar.gz; then \
+		echo "corpus-tests.tar.gz is up to date."; \
+	else \
+		mv "$$tmpdir/corpus-tests.tar.gz" corpus-tests.tar.gz; \
+		echo "corpus-tests.tar.gz updated."; \
+	fi
 
 # Use an order-only prerequisite to check for changes. This allows other targets to
 # reference corpus-tests.tar.gz as a dependency so that they'll only be re-created
@@ -27,45 +32,46 @@ corpus-tests.tar.gz: | check-upstream-corpus
 # Convert Cedar schemas to JSON schemas
 corpus-tests-json-schemas.tar.gz: corpus-tests.tar.gz
 	@echo "Generating JSON schemas from Cedar schemas..."
-	@rm -rf /tmp/corpus-tests /tmp/corpus-tests-json-schemas
-	@mkdir -p /tmp/corpus-tests-json-schemas
-	@tar -xzf corpus-tests.tar.gz -C /tmp/
-	@for schema in /tmp/corpus-tests/*.cedarschema; do \
-		basename=$$(basename $$schema .cedarschema); \
-		echo "Converting $$basename.cedarschema..."; \
-		cedar translate-schema --direction cedar-to-json --schema "$$schema" > "/tmp/corpus-tests-json-schemas/$$basename.cedarschema.json" 2>&1; \
-	done
-	@tar -czf corpus-tests-json-schemas.tar.gz -C /tmp corpus-tests-json-schemas
-	@rm -rf /tmp/corpus-tests /tmp/corpus-tests-json-schemas
-	@echo "Done! Created corpus-tests-json-schemas.tar.gz"
+	@tmpdir="$$(mktemp -d)" && \
+	trap 'rm -rf "$$tmpdir"' EXIT && \
+	tar -xzf corpus-tests.tar.gz -C "$$tmpdir" && \
+	mkdir -p "$$tmpdir/corpus-tests-json-schemas" && \
+	for schema in "$$tmpdir"/corpus-tests/*.cedarschema; do \
+		basename=$$(basename "$$schema" .cedarschema); \
+		echo "  Converting $$basename.cedarschema..."; \
+		cedar translate-schema --direction cedar-to-json --schema "$$schema" \
+			> "$$tmpdir/corpus-tests-json-schemas/$$basename.cedarschema.json" 2>&1; \
+	done && \
+	tar -czf corpus-tests-json-schemas.tar.gz -C "$$tmpdir" corpus-tests-json-schemas && \
+	echo "Done! Created corpus-tests-json-schemas.tar.gz"
 
-# Build cedar-validation-tool and generate validation results
+# Build cedar-validation-tool
 test/cedar-validation-tool/target/release/cedar-validation-tool: test/cedar-validation-tool/src/main.rs test/cedar-validation-tool/Cargo.toml
 	@echo "Building cedar-validation-tool..."
 	@cd test/cedar-validation-tool && cargo build --release
 
+# Generate validation results from Rust Cedar
 corpus-tests-validation.tar.gz: corpus-tests.tar.gz test/cedar-validation-tool/target/release/cedar-validation-tool
 	@echo "Generating validation results from Rust Cedar..."
-	@rm -rf /tmp/corpus-tests /tmp/corpus-tests-validation
-	@mkdir -p /tmp/corpus-tests-validation
-	@tar -xzf corpus-tests.tar.gz -C /tmp/
-	@for testjson in /tmp/corpus-tests/*.json; do \
+	@tmpdir="$$(mktemp -d)" && \
+	trap 'rm -rf "$$tmpdir"' EXIT && \
+	tar -xzf corpus-tests.tar.gz -C "$$tmpdir" && \
+	mkdir -p "$$tmpdir/corpus-tests-validation" && \
+	for testjson in "$$tmpdir"/corpus-tests/*.json; do \
 		case "$$testjson" in *.entities.json) continue ;; esac; \
-		basename=$$(basename $$testjson .json); \
+		basename=$$(basename "$$testjson" .json); \
 		test/cedar-validation-tool/target/release/cedar-validation-tool \
-			"$$testjson" "/tmp/corpus-tests-validation/$${basename}.validation.json"; \
-	done
-	@cd /tmp && tar -czf corpus-tests-validation.tar.gz corpus-tests-validation/
-	@mv /tmp/corpus-tests-validation.tar.gz .
-	@rm -rf /tmp/corpus-tests /tmp/corpus-tests-validation
-	@echo "Done! Created corpus-tests-validation.tar.gz"
+			"$$testjson" "$$tmpdir/corpus-tests-validation/$${basename}.validation.json"; \
+	done && \
+	tar -czf corpus-tests-validation.tar.gz -C "$$tmpdir" corpus-tests-validation && \
+	echo "Done! Created corpus-tests-validation.tar.gz"
 
 # Regenerate validation data for x/exp/schema/validate/testdata
 testdata-validation: test/cedar-validation-tool/target/release/cedar-validation-tool
 	@echo "Regenerating testdata validation files..."
 	@for testjson in x/exp/schema/validate/testdata/*.json; do \
 		case "$$testjson" in *.entities.json|*.validation.json) continue ;; esac; \
-		basename=$$(basename $$testjson .json); \
+		basename=$$(basename "$$testjson" .json); \
 		echo "  Validating $$basename..."; \
 		test/cedar-validation-tool/target/release/cedar-validation-tool \
 			"$$testjson" "x/exp/schema/validate/testdata/$${basename}.validation.json"; \
