make buildspec validation part of the lint

Author: kazmer97

.gitignore

@@ -31,4 +31,9 @@ package-lock.json
 
 # Type checking
 pyrightconfig.temp.json
-.pyright/
+.pyright/
+
+# Python virtual environments
+.venv/
+.venv-*/
+venv/

Makefile

@@ -15,7 +15,7 @@ test:
 	cd idp_cli && python -m pytest -v
 
 # Run both linting and formatting in one command
-lint: ruff-lint format check-arn-partitions ui-lint
+lint: ruff-lint format check-arn-partitions validate-buildspec ui-lint
 
 # Run linting checks and fix issues automatically
 ruff-lint:
@@ -53,6 +53,13 @@ lint-cicd:
 
 	@echo -e "$(GREEN)All code quality checks passed!$(NC)"
 
+# Validate AWS CodeBuild buildspec files
+validate-buildspec:
+	@echo "Validating buildspec files..."
+	@python3 scripts/validate_buildspec.py patterns/*/buildspec.yml || \
+		(echo -e "$(RED)ERROR: Buildspec validation failed!$(NC)" && exit 1)
+	@echo -e "$(GREEN)✅ All buildspec files are valid!$(NC)"
+
 # Check CloudFormation templates for hardcoded AWS partition ARNs and service principals
 check-arn-partitions:
 	@echo "Checking CloudFormation templates for hardcoded ARN partitions and service principals..."

scripts/README_validate_buildspec.md

@@ -0,0 +1,193 @@
+# AWS CodeBuild Buildspec Validator
+
+A Python script to validate AWS CodeBuild `buildspec.yml` files for syntax errors, structural issues, and best practices.
+
+## Features
+
+- **YAML Syntax Validation**: Ensures buildspec files are valid YAML
+- **Structure Validation**: Checks for required fields (`version`, `phases`)
+- **Type Checking**: Validates that commands are strings, not accidentally parsed as objects
+- **Best Practices**: Warns about unknown phases or deprecated features
+- **Multi-file Support**: Can validate multiple buildspec files at once using glob patterns
+
+## Installation
+
+The validator requires Python 3.6+ and PyYAML:
+
+```bash
+pip install pyyaml
+```
+
+For development environments with externally-managed Python (like macOS with Homebrew), create a virtual environment:
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install pyyaml
+```
+
+## Usage
+
+### Validate a single file
+
+```bash
+python3 scripts/validate_buildspec.py patterns/pattern-2/buildspec.yml
+```
+
+### Validate multiple files with glob patterns
+
+```bash
+python3 scripts/validate_buildspec.py patterns/*/buildspec.yml
+```
+
+### Using the Makefile target
+
+```bash
+make validate-buildspec
+```
+
+This is also included in the `make lint` command.
+
+## Output
+
+The validator provides clear output with:
+- ✅ Success indicators
+- ❌ Error messages with specific line numbers
+- ⚠️ Warnings for non-critical issues
+- 📊 Summary of phases and command counts
+
+### Example Output
+
+```
+Validating: patterns/pattern-2/buildspec.yml
+======================================================================
+✅ Valid buildspec file
+
+Summary:
+  Version: 0.2
+  Phases: pre_build, build, post_build
+    - pre_build: 7 commands
+    - build: 39 commands
+    - post_build: 8 commands
+```
+
+### Example Error Output
+
+```
+Validating: patterns/pattern-2/buildspec.yml
+======================================================================
+
+❌ ERRORS (1):
+  - Phase 'post_build', command #5 must be a string, got dict
+
+❌ Invalid buildspec file
+```
+
+## Common Issues Detected
+
+### 1. Colons in Command Strings
+
+**Problem**: YAML interprets colons as key-value separators, even in quoted strings in some cases.
+
+```yaml
+# ❌ BAD - May be parsed as a dictionary
+- echo "Note: This is a message"
+
+# ✅ GOOD - Use single quotes around the entire command
+- 'echo "Note: This is a message"'
+```
+
+### 2. Missing Required Fields
+
+The validator checks for:
+- `version` field (must be 0.1 or 0.2)
+- `phases` section (must have at least one phase)
+
+### 3. Invalid Command Types
+
+All commands must be strings:
+
+```yaml
+# ❌ BAD - Command is a dictionary
+phases:
+  build:
+    commands:
+      - echo: "This is wrong"
+
+# ✅ GOOD - Command is a string
+phases:
+  build:
+    commands:
+      - echo "This is correct"
+```
+
+## Exit Codes
+
+- `0`: All buildspec files are valid
+- `1`: One or more buildspec files have errors
+
+This makes it suitable for use in CI/CD pipelines:
+
+```yaml
+- name: Validate Buildspec
+  run: python3 scripts/validate_buildspec.py patterns/*/buildspec.yml
+```
+
+## Limitations
+
+This validator checks for:
+- YAML syntax errors
+- Required fields and structure
+- Data type correctness
+- Common mistakes
+
+It does **not** validate:
+- AWS-specific runtime environments
+- Environment variable references
+- S3 artifact paths
+- IAM permissions
+
+For complete validation, test your buildspec in an actual CodeBuild environment.
+
+## Integration with CI/CD
+
+### GitHub Actions
+
+Already integrated in `.github/workflows/developer-tests.yml` via the `make lint` command.
+
+### Local Pre-commit Hook
+
+Add to `.git/hooks/pre-commit`:
+
+```bash
+#!/bin/bash
+python3 scripts/validate_buildspec.py patterns/*/buildspec.yml || exit 1
+```
+
+## Troubleshooting
+
+### "ModuleNotFoundError: No module named 'yaml'"
+
+Install PyYAML:
+```bash
+pip install pyyaml
+```
+
+### "externally-managed-environment"
+
+On macOS with Homebrew Python, use a virtual environment:
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install pyyaml
+```
+
+## Contributing
+
+When adding new buildspec files to the repository, ensure they pass validation:
+
+```bash
+make validate-buildspec
+```
+
+This is automatically checked in CI/CD pipelines.