diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
new file mode 100644
index 0000000..78c5255
--- /dev/null
+++ b/.github/workflows/typos.yml
@@ -0,0 +1,46 @@
+---
+name: Typos
+on:
+ pull_request:
+ branches: [rolling, circinus, sagitta]
+
+permissions:
+ contents: read
+ pull-requests: write # auto-downgraded to read on fork PRs
+
+jobs:
+ typos:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout PR
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
+
+ - name: Checkout central typos config
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ repository: vyos/.github
+ ref: production
+ path: .github-central
+ persist-credentials: false
+
+ - name: Bullfrog egress-audit
+ continue-on-error: true
+ uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
+ with:
+ egress-policy: audit
+
+ - name: Run typos (full tree, central config)
+ uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2
+ with:
+ config: .github-central/_typos.toml
+
+ - name: Comment on failure (same-repo PRs only)
+ if: ${{ failure() && github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ body: |
+ ⚠️ **Typos check failed.** See the failing **Typos** check's annotations (Files changed tab) / job log for the exact strings and locations.
+ False positive (genuine VyOS jargon)? It belongs in the central allowlist — open a PR adding it to `vyos/.github` `_typos.toml`.
diff --git a/_typos.toml b/_typos.toml
new file mode 100644
index 0000000..721f9a7
--- /dev/null
+++ b/_typos.toml
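Review bot: The Bullfrog egress-audit step is placed after both actions/checkout steps, so the network activity of the checkouts — including the fetch of the mutable vyos/.github@production ref — falls outside the audit window; moving that step to the top of `steps:` gives the audit log coverage of the whole job. Because it runs with `egress-policy: audit` and `continue-on-error: true` it only records egress and never blocks, which is fine for a rollout but worth saying in a comment on the step so nobody reads it as enforcement. Separately, `failure()` on the comment step is true when any earlier step fails, so a checkout error would post "Typos check failed"; give the typos step `id: typos` and gate the comment on `if: ${{ failure() && steps.typos.outcome == 'failure' && github.event.pull_request.head.repo.full_name == github.repository }}`. The central config is pulled from a branch (`ref: production`) rather than a pinned SHA, presumably on purpose so policy updates propagate, but it means a change in that repo alters every consumer's check without a PR in this one — a comment stating that trade-off next to `ref:` would help the next maintainer.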
@@ -0,0 +1,141 @@
+# Central VyOS typos allowlist — consumed by .github/workflows/typos.yml
+# via `config: .github-central/_typos.toml` (checked out from vyos/.github@production).
+#
+# SEED config (Phase 1.3). Phase 2 evaluate step will tune further.
+#
+# Policy: allowlist only CONFIRMED genuine VyOS/networking/kernel jargon and
+# code identifiers. Real typos in source or comments are NOT allowlisted — they
+# should be fixed in the product repos.
+#
+# Sections
+# --------
+# [default.extend-words] — token appears as a COMPONENT within an identifier
+ (typos splits on underscores, hyphens, and case
+ boundaries; use this section for sub-token jargon).
+# [default.extend-identifiers] — token IS the whole identifier on its own.
+# [files] extend-exclude — paths to skip (gitignore-style globs, relative to
+ the repo root where typos is invoked in CI).
+
+[files]
+# Upstream patch files: their content is unmodifiable (cherry-picked from upstream).
+# Linux kernel defconfig/config fragments: contain many short CONFIG_ identifiers
+# that typos misreads as common-word typos (DAMON/DAEMON, WIL/WILL, ALS/ALSO, etc.).
+# Smoketest configs: large auto-generated firewall rule blobs (cert PEM data, country
+# code lists, GeoIP regex) that produce hundreds of false positives.
+# MIBs: vendor-supplied SNMP MIB files with proprietary identifiers.
+extend-exclude = [
+ "*.patch",
+ "smoketest/**",
+ "mibs/**",
+ "scripts/package-build/linux-kernel/config/**",
+]
+
+[default.extend-words]
+# ICMPv6 Neighbor Discovery (RFC 4861) — "nd" is the canonical prefix for ND
+# message types: nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
+# nd-neighbor-advert, nd-redirect. Used in VyOS interface-definitions, nftables
+# templates, and interface-definition XML files.
+nd = "nd"
+ND = "ND"
+
+# WiFi 802.11ax / hostapd: FILS = Fast Initial Link Setup (IEEE 802.11ai).
+# A WPA3 authentication mechanism. Appears in wpa_supplicant.conf.j2 and
+# hostapd.conf.j2 templates.
+FILS = "FILS"
+fils = "fils"
+
+# WiFi 802.11ax EDCA ACI field (Access Category Index).
+# Appears as he_mu_edca_ac_bk_aci, he_mu_edca_ac_be_aci, etc. in hostapd.conf.j2.
+aci = "aci"
+
+# MACsec / 802.1AE "pn" = Packet Number (sequence counter).
+# Used in `ip macsec add … tx sa 0 pn 1 on key …` commands and in hostapd.
+pn = "pn"
+Pn = "Pn"
+
+# ISO 3166-1 alpha-2 country codes used in GeoIP constraint and
+# elements in interface-definition XML files. "ba" = Bosnia and Herzegovina;
+# "fo" = Faroe Islands. The GeoIP lists contain every valid two-letter code
+# and are auto-generated — fixing them individually is impractical.
+ba = "ba"
+fo = "fo"
+
+# vyos-commitd: the VyOS commit daemon. The "commitd" suffix follows the Linux
+# daemon-naming convention (sshd, named, …). Appears in systemctl unit files,
+# test helpers, and the daemon source itself.
+commitd = "commitd"
+
+# _OFR_CONFIGURE: VyOS bash env variable set in vyatta-op bash completion
+# to detect configure mode. OFR is a component of this identifier split by _.
+OFR = "OFR"
+
+# RT_FlAGS / NTF_FlAGS: Linux UAPI kernel headers (rtnetlink.h, neighbour.h)
+# vendored into vyos-1x. The mixed-case "FlAGS" is upstream kernel source;
+# typos splits it into "Fl" + "AGS" — "AGS" is the flagged component.
+AGS = "AGS"
+
+# Triple DES EDE (Encrypt-Decrypt-Encrypt) — standard crypto mode name used
+# in IPsec cipher suites (DES-EDE3-CBC, des-ede3-cbc) and OpenVPN config.
+EDE = "EDE"
+ede = "ede"
+
+# TCP/SCTP Retransmission Timeout (RTO). Used as RTAX_RTO_MIN netlink
+# attribute name in network-event-logger and as an rto_min route attribute.
+RTO = "RTO"
+rto = "rto"
+Rto = "Rto"
+
+# nftables chain-name prefix used in VyOS bridge firewall templates (nftables-bridge.j2).
+# "NAM_" is an internal VyOS shortcode for named-ruleset chains (cf. "NAME_" chain type).
+NAM = "NAM"
+
+# Linux kernel Data Access MONitor (CONFIG_DAMON). Appears in linux-kernel
+# defconfig fragments. Belt-and-braces allowlist for files outside the excluded path.
+DAMON = "DAMON"
+
+# Qualcomm 60 GHz WiFi driver (CONFIG_WIL6210). Same rationale as DAMON.
+WIL = "WIL"
+
+# CONFIG_EXPORTFS: Linux kernel export-filesystem support (NFSd kernel module).
+EXPORTFS = "EXPORTFS"
+
+# Synopsys Inc.: semiconductor IP vendor (DWC USB, DesignWare Ethernet, etc.).
+# Appears as CONFIG_SYNOPSYS_* in kernel defconfigs.
+SYNOPSYS = "SYNOPSYS"
+
+# CONFIG_ADIN_PHY: Analog Devices ADIN1300/ADIN1200 Ethernet PHY driver.
+ADIN = "ADIN"
+
+# QoS token bucket / WRED threshold parameters: max_thr (maximum threshold)
+# and min_thr (minimum threshold). Standard abbreviations in tc(8) / iproute2.
+thr = "thr"
+
+# hostapd / IEEE 802.11ai Optimized Connectivity Experience (OCE).
+# Config parameter family: oce_sta, oce_ap, etc. in hostapd.conf.j2.
+OCE = "OCE"
+
+# inh-caps: setpriv(1) flag for inheritable Linux capabilities.
+# Used in kea-vrf-helper to set inheritable capabilities before exec.
+inh = "inh"
+
+# hostapd SME = Station Management Entity (IEEE 802.11 internal protocol layer).
+# Appears in comments in hostapd.conf.j2: "driver SME is used".
+SME = "SME"
+
+# Prefix-match completion file (src/opt/vyatta/etc/shell/level/users/allowed-op)
+# lists progressive prefixes of op-mode commands for tab completion:
+# c, cl, cle, clea, clear — "clea" is a valid entry, not a typo.
+clea = "clea"
+
+# VyOS dummy interface short prefix: VyOS names dummy interfaces "dumX" (dum0, dum1,
+# dum8000, etc.) per the sysconf/netdevice mapping "dum -> dummy".
+# See ChangeLog: "Rename dummy interfaces to dumX to avoid confusion".
+dum = "dum"
+
+# ATA/IDE hard disk device node prefix (hda, hdb, hdc, …).
+# Used in install scripts to enumerate available disk devices.
+hda = "hda"
+
+# "grat." = gratuitous (as in "gratuitous ARP" / GARP). Conventional networking
+# abbreviation used in changelogs (e.g. "Extra grat. arps are not needed for vmac").
+grat = "grat"
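Review bot: The three header continuation lines `(typos splits on underscores, hyphens, and case`, `boundaries; use this section for sub-token jargon).` and `the repo root where typos is invoked in CI).` appear without a leading `#`; if that is how the file reads on disk rather than an artifact of this diff view, it is not valid TOML and typos will refuse to load the config for every consumer repo, so each should start with `# `. The header also advertises a `[default.extend-identifiers]` section that the file never defines; either add the empty table with a `# (none yet)` comment or say in the Sections note that it is reserved, so readers don't hunt for it. Several words are added in multiple case forms (`nd`/`ND`, `FILS`/`fils`, `pn`/`Pn`, `EDE`/`ede`, `RTO`/`rto`/`Rto`); if typos matches `extend-words` case-insensitively, as I believe it does, the variants are redundant and one lowercase key per word keeps the list shorter — confirm against the typos docs before trimming. Finally, the claim that `extend-exclude` globs are relative to the repo root holds only if typos anchors them at the working directory rather than at the config file's own directory (`.github-central/`); since a Phase 2 evaluate step is planned, a run showing `smoketest/**` actually being skipped would settle this and could be cited in that comment.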