chore: add validation for module source URLs

.github/workflows/ci.yaml

@@ -63,8 +63,8 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.2"
-      - name: Validate contributors
+          go-version: "1.24"
+      - name: Validate README
         run: go build ./cmd/readmevalidation && ./readmevalidation
       - name: Remove build file artifact
         run: rm ./readmevalidation

.github/workflows/golangci-lint.yml

@@ -3,7 +3,6 @@ on:
   push:
     branches:
       - main
-      - master
   pull_request:
 
 permissions:

cmd/readmevalidation/codermodules.go

@@ -3,11 +3,81 @@ package main
 import (
 	"bufio"
 	"context"
+	"path/filepath"
+	"regexp"
 	"strings"
 
 	"golang.org/x/xerrors"
 )
 
+var (
+	terraformSourceRe = regexp.MustCompile(`^\s*source\s*=\s*"([^"]+)"`)
+)
+
+func extractNamespaceAndModuleFromPath(filePath string) (namespace string, moduleName string, err error) {
+	// Expected path format: registry/<namespace>/modules/<module-name>/README.md.
+	parts := strings.Split(filepath.Clean(filePath), string(filepath.Separator))
+	if len(parts) < 5 || parts[0] != "registry" || parts[2] != "modules" || parts[4] != "README.md" {
+		return "", "", xerrors.Errorf("invalid module path format: %s", filePath)
+	}
+	namespace = parts[1]
+	moduleName = parts[3]
+	return namespace, moduleName, nil
+}
+
+func validateModuleSourceURL(body string, filePath string) []error {
+	var errs []error
+
+	namespace, moduleName, err := extractNamespaceAndModuleFromPath(filePath)
+	if err != nil {
+		return []error{err}
+	}
+
+	expectedSource := "registry.coder.com/" + namespace + "/" + moduleName + "/coder"
+
+	trimmed := strings.TrimSpace(body)
+	foundCorrectSource := false
+	isInsideTerraform := false
+	firstTerraformBlock := true
+
+	lineScanner := bufio.NewScanner(strings.NewReader(trimmed))
+	for lineScanner.Scan() {
+		nextLine := lineScanner.Text()
+
+		if strings.HasPrefix(nextLine, "```") {
+			if strings.HasPrefix(nextLine, "```tf") && firstTerraformBlock {
+				isInsideTerraform = true
+				firstTerraformBlock = false
+			} else if isInsideTerraform {
+				// End of first terraform block.
+				break
+			}
+			continue
+		}
+
+		if isInsideTerraform {
+			// Check for any source line in the first terraform block.
+			if matches := terraformSourceRe.FindStringSubmatch(nextLine); matches != nil {
+				actualSource := matches[1]
+				if actualSource == expectedSource {
+					foundCorrectSource = true
+					break
+				} else if strings.HasPrefix(actualSource, "registry.coder.com/") && strings.Contains(actualSource, "/"+moduleName+"/coder") {
+					// Found source for this module but with wrong namespace/format.
+					errs = append(errs, xerrors.Errorf("incorrect source URL format: found %q, expected %q", actualSource, expectedSource))
+					return errs
+				}
+			}
+		}
+	}
+
+	if !foundCorrectSource {
+		errs = append(errs, xerrors.Errorf("did not find correct source URL %q in first Terraform code block", expectedSource))
+	}
+
+	return errs
+}
+
 func validateCoderModuleReadmeBody(body string) []error {
 	var errs []error
 
@@ -94,6 +164,9 @@ func validateCoderModuleReadme(rm coderResourceReadme) []error {
 	for _, err := range validateCoderModuleReadmeBody(rm.body) {
 		errs = append(errs, addFilePathToError(rm.filePath, err))
 	}
+	for _, err := range validateModuleSourceURL(rm.body, rm.filePath) {
+		errs = append(errs, addFilePathToError(rm.filePath, err))
+	}
 	for _, err := range validateResourceGfmAlerts(rm.body) {
 		errs = append(errs, addFilePathToError(rm.filePath, err))
 	}

cmd/readmevalidation/codermodules_test.go

@@ -20,3 +20,86 @@ func TestValidateCoderResourceReadmeBody(t *testing.T) {
 		}
 	})
 }
+
+func TestValidateModuleSourceURL(t *testing.T) {
+	t.Parallel()
+
+	t.Run("Valid source URL format", func(t *testing.T) {
+		t.Parallel()
+
+		body := "# Test Module\n\n```tf\nmodule \"test-module\" {\n  source   = \"registry.coder.com/test-namespace/test-module/coder\"\n  version  = \"1.0.0\"\n  agent_id = coder_agent.example.id\n}\n```\n"
+		filePath := "registry/test-namespace/modules/test-module/README.md"
+		errs := validateModuleSourceURL(body, filePath)
+		if len(errs) != 0 {
+			t.Errorf("Expected no errors, got: %v", errs)
+		}
+	})
+
+	t.Run("Invalid source URL format - wrong namespace", func(t *testing.T) {
+		t.Parallel()
+
+		body := "# Test Module\n\n```tf\nmodule \"test-module\" {\n  source   = \"registry.coder.com/wrong-namespace/test-module/coder\"\n  version  = \"1.0.0\"\n  agent_id = coder_agent.example.id\n}\n```\n"
+		filePath := "registry/test-namespace/modules/test-module/README.md"
+		errs := validateModuleSourceURL(body, filePath)
+		if len(errs) != 1 {
+			t.Errorf("Expected 1 error, got %d: %v", len(errs), errs)
+		}
+		if len(errs) > 0 && !contains(errs[0].Error(), "incorrect source URL format") {
+			t.Errorf("Expected source URL format error, got: %s", errs[0].Error())
+		}
+	})
+
+	t.Run("Missing source URL", func(t *testing.T) {
+		t.Parallel()
+
+		body := "# Test Module\n\n```tf\nmodule \"other-module\" {\n  source   = \"registry.coder.com/other/other-module/coder\"\n  version  = \"1.0.0\"\n  agent_id = coder_agent.example.id\n}\n```\n"
+		filePath := "registry/test-namespace/modules/test-module/README.md"
+		errs := validateModuleSourceURL(body, filePath)
+		if len(errs) != 1 {
+			t.Errorf("Expected 1 error, got %d: %v", len(errs), errs)
+		}
+		if len(errs) > 0 && !contains(errs[0].Error(), "did not find correct source URL") {
+			t.Errorf("Expected missing source URL error, got: %s", errs[0].Error())
+		}
+	})
+
+	t.Run("Module name with hyphens vs underscores", func(t *testing.T) {
+		t.Parallel()
+
+		body := "# Test Module\n\n```tf\nmodule \"test_module\" {\n  source   = \"registry.coder.com/test-namespace/test-module/coder\"\n  version  = \"1.0.0\"\n  agent_id = coder_agent.example.id\n}\n```\n"
+		filePath := "registry/test-namespace/modules/test-module/README.md"
+		errs := validateModuleSourceURL(body, filePath)
+		if len(errs) != 0 {
+			t.Errorf("Expected no errors for hyphen/underscore variation, got: %v", errs)
+		}
+	})
+
+	t.Run("Invalid file path format", func(t *testing.T) {
+		t.Parallel()
+
+		body := "# Test Module"
+		filePath := "invalid/path/format"
+		errs := validateModuleSourceURL(body, filePath)
+		if len(errs) != 1 {
+			t.Errorf("Expected 1 error, got %d: %v", len(errs), errs)
+		}
+		if len(errs) > 0 && !contains(errs[0].Error(), "invalid module path format") {
+			t.Errorf("Expected path format error, got: %s", errs[0].Error())
+		}
+	})
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && (s == substr || (len(s) > len(substr) &&
+		(s[:len(substr)] == substr || s[len(s)-len(substr):] == substr ||
+			indexOfSubstring(s, substr) >= 0)))
+}
+
+func indexOfSubstring(s, substr string) int {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return i
+		}
+	}
+	return -1
+}

cmd/readmevalidation/coderresources.go

@@ -25,7 +25,7 @@ var (
 	terraformVersionRe = regexp.MustCompile(`^\s*\bversion\s+=`)
 
 	// Matches the format "> [!INFO]". Deliberately using a broad pattern to catch formatting issues that can mess up
-	// the renderer for the Registry website
+	// the renderer for the Registry website.
 	gfmAlertRegex = regexp.MustCompile(`^>(\s*)\[!(\w+)\](\s*)(.*)`)
 )
 
@@ -39,7 +39,7 @@ type coderResourceFrontmatter struct {
 }
 
 // A slice version of the struct tags from coderResourceFrontmatter. Might be worth using reflection to generate this
-// list at runtime in the future, but this should be okay for now
+// list at runtime in the future, but this should be okay for now.
 var supportedCoderResourceStructKeys = []string{
 	"description", "icon", "display_name", "verified", "tags", "supported_os",
 	// TODO: This is an old, officially deprecated key from the archived coder/modules repo. We can remove this once we
@@ -315,15 +315,15 @@ func validateResourceGfmAlerts(readmeBody string) []error {
 		}
 
 		// Nested GFM alerts is such a weird mistake that it's probably not really safe to keep trying to process the
-		// rest of the content, so this will prevent any other validations from happening for the given line
+		// rest of the content, so this will prevent any other validations from happening for the given line.
 		if isInsideGfmQuotes {
-			errs = append(errs, errors.New("registry does not support nested GFM alerts"))
+			errs = append(errs, xerrors.New("registry does not support nested GFM alerts"))
 			continue
 		}
 
 		leadingWhitespace := currentMatch[1]
 		if len(leadingWhitespace) != 1 {
-			errs = append(errs, errors.New("GFM alerts must have one space between the '>' and the start of the GFM brackets"))
+			errs = append(errs, xerrors.New("GFM alerts must have one space between the '>' and the start of the GFM brackets"))
 		}
 		isInsideGfmQuotes = true
 
@@ -347,7 +347,7 @@ func validateResourceGfmAlerts(readmeBody string) []error {
 		}
 	}
 
-	if gfmAlertRegex.Match([]byte(sourceLine)) {
+	if gfmAlertRegex.MatchString(sourceLine) {
 		errs = append(errs, xerrors.Errorf("README has an incomplete GFM alert at the end of the file"))
 	}
 

cmd/readmevalidation/contributors.go

@@ -26,7 +26,7 @@ type contributorProfileFrontmatter struct {
 }
 
 // A slice version of the struct tags from contributorProfileFrontmatter. Might be worth using reflection to generate
-// this list at runtime in the future, but this should be okay for now
+// this list at runtime in the future, but this should be okay for now.
 var supportedContributorProfileStructKeys = []string{"display_name", "bio", "status", "avatar", "linkedin", "github", "website", "support_email"}
 
 type contributorProfileReadme struct {

cmd/readmevalidation/repostructure.go

@@ -13,12 +13,11 @@ import (
 
 var supportedUserNameSpaceDirectories = append(supportedResourceTypes, ".images")
 
-// validNameRe validates that names contain only alphanumeric characters and hyphens
+// validNameRe validates that names contain only alphanumeric characters and hyphens.
 var validNameRe = regexp.MustCompile(`^[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$`)
 
-
 // validateCoderResourceSubdirectory validates that the structure of a module or template within a namespace follows all
-// expected file conventions
+// expected file conventions.
 func validateCoderResourceSubdirectory(dirPath string) []error {
 	resourceDir, err := os.Stat(dirPath)
 	if err != nil {
@@ -47,7 +46,7 @@ func validateCoderResourceSubdirectory(dirPath string) []error {
 			continue
 		}
 
-		// Validate module/template name
+		// Validate module/template name.
 		if !validNameRe.MatchString(f.Name()) {
 			errs = append(errs, xerrors.Errorf("%q: name contains invalid characters (only alphanumeric characters and hyphens are allowed)", path.Join(dirPath, f.Name())))
 			continue
@@ -90,7 +89,7 @@ func validateRegistryDirectory() []error {
 			continue
 		}
 
-		// Validate namespace name
+		// Validate namespace name.
 		if !validNameRe.MatchString(nDir.Name()) {
 			allErrs = append(allErrs, xerrors.Errorf("%q: namespace name contains invalid characters (only alphanumeric characters and hyphens are allowed)", namespacePath))
 			continue
@@ -136,7 +135,7 @@ func validateRegistryDirectory() []error {
 
 // validateRepoStructure validates that the structure of the repo is "correct enough" to do all necessary validation
 // checks. It is NOT an exhaustive validation of the entire repo structure – it only checks the parts of the repo that
-// are relevant for the main validation steps
+// are relevant for the main validation steps.
 func validateRepoStructure() error {
 	var errs []error
 	if vrdErrs := validateRegistryDirectory(); len(vrdErrs) != 0 {

go.mod

@@ -1,6 +1,6 @@
 module coder.com/coder-registry
 
-go 1.23.2
+go 1.24
 
 require (
 	cdr.dev/slog v1.6.1

package.json

@@ -5,7 +5,8 @@
     "fmt:ci": "bun x prettier --check . && terraform fmt -check -recursive -diff",
     "terraform-validate": "./scripts/terraform_validate.sh",
     "test": "./scripts/terraform_test_all.sh",
-    "update-version": "./update-version.sh"
+    "update-version": "./update-version.sh",
+    "validate-readme": "go build ./cmd/readmevalidation && ./readmevalidation"
   },
   "devDependencies": {
     "@types/bun": "^1.2.21",