[plan] Implement build-time validation for embedded JSON files #14710

@github-actions

Description

Objective

Add build-time validation for all embedded JSON files to catch data corruption before deployment, preventing init-time panics that crash the entire application.

Context

Source: Sergo Analysis Report #14696 - High Priority Issues #4-7
Severity: High

Multiple init() functions panic if embedded JSON data fails to unmarshal, preventing application startup entirely. These panics affect:

  • pkg/workflow/action_pins.go:64 - Action pins JSON
  • pkg/workflow/permissions_validation.go:48 - Toolset permissions JSON
  • pkg/workflow/domains.go:107 - Ecosystem domains JSON
  • pkg/workflow/github_tool_to_toolset.go:26 - Tool mapping JSON

Implementation Steps

Step 1: Create validation script

Create scripts/validate-embedded-json.go:

```go
//go:build ignore

// Build-time check that every embedded JSON data file parses. Run via
// `go run scripts/validate-embedded-json.go` from the repository root.
package main

import (
    "encoding/json"
    "fmt"
    "os"
)

// validateJSON reads the file at path and unmarshals it into target,
// returning an error (instead of panicking, as the init() functions do)
// if the file is unreadable or malformed.
func validateJSON(path string, target interface{}) error {
    data, err := os.ReadFile(path)
    if err != nil {
        return fmt.Errorf("read %s: %w", path, err)
    }
    if err := json.Unmarshal(data, target); err != nil {
        return fmt.Errorf("unmarshal %s: %w", path, err)
    }
    return nil
}

func main() {
    // An empty struct accepts any JSON object, so this proves each file
    // parses as an object; it does not check the field types that the
    // real init() in pkg/workflow expects.
    files := map[string]interface{}{
        "pkg/workflow/data/action_pins.json":                  &struct{}{},
        "pkg/workflow/data/github_toolsets_permissions.json": &struct{}{},
        "pkg/workflow/data/ecosystem_domains.json":            &struct{}{},
        "pkg/workflow/data/github_tool_to_toolset.json":       &struct{}{},
    }

    failed := false
    for path, target := range files {
        if err := validateJSON(path, target); err != nil {
            fmt.Fprintf(os.Stderr, "❌ %v\n", err)
            failed = true
        } else {
            fmt.Printf("✅ %s\n", path)
        }
    }

    // A non-zero exit status is what makes `make build` and CI stop here.
    if failed {
        os.Exit(1)
    }
}
```

Step 2: Add to Makefile

```makefile
.PHONY: validate-json
validate-json:
	@echo "Validating embedded JSON files..."
	@go run scripts/validate-embedded-json.go
```

Update existing build target:

```makefile
.PHONY: build
build: validate-json
	@go build ./...
```

Step 3: Add to CI pipeline

Update .github/workflows/ci.yml to include JSON validation before builds.
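The script in Step 1 unmarshals each file into an empty struct, which only proves the file parses as a JSON object; what actually panics in init() is the typed unmarshal. The following added example (not part of this issue or the project's code) shows a stricter per-file check that decodes into the target type, rejects wrong value types, unknown keys and trailing data, and runs it over constructed good and corrupted inputs. The actionPin type and the sample contents are assumptions; the real types live in pkg/workflow.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// actionPin is a hypothetical entry shape for action_pins.json (the real type lives in pkg/workflow).
type actionPin struct {
	Repo    string `json:"repo"`
	Version string `json:"version"`
	SHA     string `json:"sha"`
}
// validateTyped decodes data into target the way an init() would, but returns an error instead of
// panicking. Unlike unmarshalling into struct{}{}, it rejects wrong types, unknown keys and trailing data.
func validateTyped(name string, data []byte, target any) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields() // a typo such as "sah" would otherwise silently drop the pin
	if err := dec.Decode(target); err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}
	// Decode stops after the first value and would accept `{} {}`, so a second Decode must hit EOF.
	if err := dec.Decode(new(json.RawMessage)); err != io.EOF {
		return fmt.Errorf("%s: trailing data after JSON document", name)
	}
	return nil
}
// Constructed sample inputs, not the repository's real data files.
var samples = map[string][]byte{
	"good":      []byte(`{"actions/checkout":{"repo":"actions/checkout","version":"v4","sha":"abc"}}`),
	"truncated": []byte(`{"actions/checkout":{"repo":"actions/checkout","version":"v4"`),
	"wrongtype": []byte(`{"actions/checkout":{"repo":"actions/checkout","version":4,"sha":"abc"}}`),
	"typokey":   []byte(`{"actions/checkout":{"repo":"actions/checkout","version":"v4","sah":"abc"}}`),
	"trailing":  []byte(`{} {"stray":true}`),
}
// checkAll validates every sample; a nil error means the file would load cleanly in init().
func checkAll() map[string]error {
	results := make(map[string]error, len(samples))
	for name, data := range samples {
		var pins map[string]actionPin
		results[name] = validateTyped(name, data, &pins)
	}
	return results
}
func main() {
	for name, err := range checkAll() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Only the "good" sample passes; the other four fail with distinct errors, each of which would have been an init-time panic in the real package.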

Acceptance Criteria

  • Validation script created and tested
  • Makefile updated with validate-json target
  • Build process includes JSON validation
  • CI pipeline validates JSON before builds
  • Test with intentionally corrupted JSON (should fail build)
  • All 4 embedded JSON files validated
  • Documentation updated in DEVGUIDE.md

Related to [sergo] Initialization Safety & Type Guards Analysis - 2026-02-09 #14696

AI generated by Plan Command for #14696

  • expires on Feb 12, 2026, 1:07 AM UTC
