Merge branch 'v1.4.x' into develop

Author: pskrbasu

.ai/codebase-notes.md

@@ -31,6 +31,12 @@ jobs:
           path: pipe-fittings
           ref: develop
 
+      - name: Run CLI Unit Tests
+        run: |
+          cd powerpipe
+          go clean -testcache
+          go test -timeout 30s ./... -test.v
+
       - name: Set up Docker
         uses: docker/setup-buildx-action@v3
 
@@ -102,6 +108,7 @@ jobs:
           - "snapshot"
           - "dashboard_parsing_validation"
           - "database_precedence"
+          - "tag_filtering"
           - "config_precedence"
     runs-on: ${{ matrix.platform }}
     steps:

.github/workflows/11-test-acceptance.yaml

@@ -1,3 +1,7 @@
+## v1.4.2 [TBD]
+_Bug Fixes_
+- Fixed: cell controls not appearing after scroll. ([#956](https://github.com/turbot/powerpipe/issues/956))
+
 ## v1.4.1 [2025-10-07]
 _Bug Fixes_
 - Build: Restored CentOS/RHEL 9 compatibility by pinning the build image to an older libstdc++/GCC baseline. Previous build linked against newer GLIBCXX symbols, causing Powerpipe to fail on CentOS/RHEL 9.

CHANGELOG.md

@@ -104,7 +104,7 @@ require (
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
-	github.com/containerd/containerd v1.7.27 // indirect
+	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/errdefs v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
@@ -260,7 +260,7 @@ require (
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/term v0.34.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.36.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	google.golang.org/api v0.230.0 // indirect

go.mod

@@ -771,8 +771,8 @@ github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
+github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
 github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4=
@@ -1819,8 +1819,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

go.sum

@@ -177,7 +177,9 @@ func (e *ExecutionTree) waitForActiveRunsToComplete(ctx context.Context, paralle
 
 func (e *ExecutionTree) populateControlFilterMap(controlFilter pworkspace.ResourceFilter) error {
 	// if we derived or were passed a where clause, run the filter
-	if controlFilter.Empty() {
+	// Note: WherePredicate can be set even when Tags/Where are empty (new tag filtering logic),
+	// so we must honor a custom predicate even if the filter appears "empty".
+	if controlFilter.Empty() && controlFilter.WherePredicate == nil {
 		return nil
 	}
 

internal/controlexecute/execution_tree.go

@@ -10,10 +10,11 @@ import (
 	"github.com/turbot/pipe-fittings/v2/error_helpers"
 	"github.com/turbot/pipe-fittings/v2/modconfig"
 	"github.com/turbot/pipe-fittings/v2/statushooks"
-	"github.com/turbot/pipe-fittings/v2/workspace"
+	pfworkspace "github.com/turbot/pipe-fittings/v2/workspace"
 	"github.com/turbot/powerpipe/internal/controldisplay"
 	"github.com/turbot/powerpipe/internal/initialisation"
 	"github.com/turbot/powerpipe/internal/resources"
+	"github.com/turbot/powerpipe/internal/workspace"
 )
 
 type CheckTarget interface {
@@ -24,7 +25,7 @@ type CheckTarget interface {
 type InitData struct {
 	initialisation.InitData
 	OutputFormatter controldisplay.Formatter
-	ControlFilter   workspace.ResourceFilter
+	ControlFilter   pfworkspace.ResourceFilter
 }
 
 func (i *InitData) BaseInitData() *initialisation.InitData {
@@ -49,7 +50,7 @@ func NewInitData[T CheckTarget](ctx context.Context, cmd *cobra.Command, args ..
 
 	w := i.Workspace
 	if !w.ModfileExists() {
-		i.Result.Error = workspace.ErrorNoModDefinition
+		i.Result.Error = pfworkspace.ErrorNoModDefinition
 	}
 
 	if viper.GetString(constants.ArgOutput) == constants.OutputFormatNone {
@@ -105,13 +106,14 @@ func NewInitData[T CheckTarget](ctx context.Context, cmd *cobra.Command, args ..
 
 func (i *InitData) setControlFilter() {
 	if viper.IsSet(constants.ArgTag) {
-		// if '--tag' args were used, derive the whereClause from them
+		// if '--tag' args were used, build a predicate that supports both equality and inequality
+		// (key!=value includes resources missing the tag). This replaces the older tag-only map filter.
 		tags := viper.GetStringSlice(constants.ArgTag)
-		i.ControlFilter = workspace.ResourceFilterFromTags(tags)
+		i.ControlFilter = workspace.ResourceFilterFromTagArgs(tags)
 	} else if viper.IsSet(constants.ArgWhere) {
 		// if a 'where' arg was used, execute this sql to get a list of  control names
 		// use this list to build a name map used to determine whether to run a particular control
-		i.ControlFilter = workspace.ResourceFilter{
+		i.ControlFilter = pfworkspace.ResourceFilter{
 			Where: viper.GetString(constants.ArgWhere),
 		}
 	}

internal/controlinit/init_data.go

@@ -0,0 +1,83 @@
+package workspace
+
+import (
+	"strings"
+
+	"github.com/turbot/pipe-fittings/v2/modconfig"
+	"github.com/turbot/pipe-fittings/v2/workspace"
+)
+
+// tagFilter captures allowed and disallowed values for a tag key.
+type tagFilter struct {
+	equals    []string
+	notEquals []string
+}
+
+// ResourceFilterFromTagArgs builds a workspace.ResourceFilter from CLI --tag args,
+// supporting both equality (key=value) and inequality (key!=value) semantics.
+// For inequality, resources without the tag must be included (only resources
+// with the tag set to the disallowed value are excluded). This aligns CLI
+// behavior with user expectations (e.g., env!=staging should include items
+// with no env tag).
+func ResourceFilterFromTagArgs(tags []string) workspace.ResourceFilter {
+	tagFilters := map[string]*tagFilter{}
+
+	for _, arg := range tags {
+		var key, value string
+		var isNotEquals bool
+
+		if parts := strings.SplitN(arg, "!=", 2); len(parts) == 2 {
+			key, value = parts[0], parts[1]
+			isNotEquals = true
+		} else if parts := strings.SplitN(arg, "=", 2); len(parts) == 2 {
+			key, value = parts[0], parts[1]
+		} else {
+			// malformed tag; skip and let validation elsewhere handle errors (consistent with prior behavior)
+			continue
+		}
+
+		tf := tagFilters[key]
+		if tf == nil {
+			tf = &tagFilter{}
+			tagFilters[key] = tf
+		}
+		if isNotEquals {
+			tf.notEquals = append(tf.notEquals, value)
+		} else {
+			tf.equals = append(tf.equals, value)
+		}
+	}
+
+	return workspace.ResourceFilter{
+		WherePredicate: func(item modconfig.HclResource) bool {
+			itemTags := item.GetTags()
+
+			for key, filter := range tagFilters {
+				tagValue, present := itemTags[key]
+
+				// Equality rules: tag must be present AND match one of the allowed values.
+				if len(filter.equals) > 0 {
+					if !present || !contains(filter.equals, tagValue) {
+						return false
+					}
+				}
+
+				// Inequality rules: exclude only if tag present AND value is disallowed.
+				if len(filter.notEquals) > 0 && present && contains(filter.notEquals, tagValue) {
+					return false
+				}
+			}
+
+			return true
+		},
+	}
+}
+
+func contains(values []string, candidate string) bool {
+	for _, v := range values {
+		if v == candidate {
+			return true
+		}
+	}
+	return false
+}

internal/workspace/tag_filter.go

@@ -0,0 +1,103 @@
+package workspace
+
+import (
+	"testing"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/turbot/pipe-fittings/v2/modconfig"
+	pfworkspace "github.com/turbot/pipe-fittings/v2/workspace"
+	"github.com/turbot/powerpipe/internal/resources"
+)
+
+func TestResourceFilterFromTagArgs(t *testing.T) {
+	mod := modconfig.NewMod("tag_filter_mod", ".", hcl.Range{})
+	controls := map[string]*resources.Control{
+		"deprecated_true":  makeTaggedControl(t, mod, "deprecated_true", map[string]string{"deprecated": "true"}),
+		"deprecated_false": makeTaggedControl(t, mod, "deprecated_false", map[string]string{"deprecated": "false"}),
+		"no_tag":           makeTaggedControl(t, mod, "no_tag", map[string]string{}),
+		"other_tag_only":   makeTaggedControl(t, mod, "other_tag_only", map[string]string{"env": "qa"}),
+	}
+	modResources := resources.NewModResources(mod).(*resources.PowerpipeModResources)
+	for _, c := range controls {
+		_ = modResources.AddResource(c)
+	}
+	mod.Resources = modResources
+
+	w := &PowerpipeWorkspace{
+		Workspace: pfworkspace.Workspace{
+			Mod: mod,
+		},
+	}
+
+	tests := []struct {
+		name      string
+		tagArgs   []string
+		wantNames map[string]struct{}
+	}{
+		{
+			name:    "equals match",
+			tagArgs: []string{"deprecated=true"},
+			wantNames: map[string]struct{}{
+				"tag_filter_mod.control.deprecated_true": {},
+			},
+		},
+		{
+			name:    "not equals includes missing",
+			tagArgs: []string{"deprecated!=true"},
+			wantNames: map[string]struct{}{
+				"tag_filter_mod.control.deprecated_false": {},
+				"tag_filter_mod.control.no_tag":           {},
+				"tag_filter_mod.control.other_tag_only":   {},
+			},
+		},
+		{
+			name:    "not equals multiple values includes missing",
+			tagArgs: []string{"deprecated!=true", "deprecated!=false"},
+			wantNames: map[string]struct{}{
+				"tag_filter_mod.control.no_tag":         {},
+				"tag_filter_mod.control.other_tag_only": {},
+			},
+		},
+		{
+			name:    "mix equals and not equals honors both",
+			tagArgs: []string{"deprecated!=true", "env=qa"},
+			wantNames: map[string]struct{}{
+				"tag_filter_mod.control.other_tag_only": {},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			filter := ResourceFilterFromTagArgs(tt.tagArgs)
+			got, err := pfworkspace.FilterWorkspaceResourcesOfType[*resources.Control](&w.Workspace, filter)
+			if err != nil {
+				t.Fatalf("FilterWorkspaceResourcesOfType error: %v", err)
+			}
+
+			if len(got) != len(tt.wantNames) {
+				t.Fatalf("expected %d results, got %d", len(tt.wantNames), len(got))
+			}
+			for name := range tt.wantNames {
+				if _, ok := got[name]; !ok {
+					t.Fatalf("expected %s but not present", name)
+				}
+			}
+		})
+	}
+}
+
+func makeTaggedControl(t *testing.T, mod *modconfig.Mod, name string, tags map[string]string) *resources.Control {
+	t.Helper()
+
+	title := "title"
+	description := "desc"
+	sql := "select 1"
+	control := resources.NewControl(&hcl.Block{Type: "control"}, mod, name).(*resources.Control)
+	control.Title = &title
+	control.Description = &description
+	control.SQL = &sql
+	control.Tags = tags
+
+	return control
+}

internal/workspace/tag_filter_test.go

@@ -0,0 +1,4 @@
+mod "tag_filtering_mod" {
+  title       = "Tag filtering acceptance mod"
+  description = "Exercises control/benchmark tag filters for deprecated and env tags."
+}