From 5a53dd859ad8b027f4a2da59a4c1482bf921d77b Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski" <stefan.schimanski@gmail.com>
Date: Mon, 9 Jan 2017 15:18:45 +0100
Subject: [PATCH] Add hack/verify-readonly-packages

---
 hack/lib/util.sh                 |  5 ++-
 hack/verify-readonly-packages.sh | 63 ++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100755 hack/verify-readonly-packages.sh

diff --git a/hack/lib/util.sh b/hack/lib/util.sh
index 20626c0f6b6..b106a1998d9 100755
--- a/hack/lib/util.sh
+++ b/hack/lib/util.sh
@@ -402,6 +402,7 @@ kube::util::git_upstream_remote_name() {
 kube::util::has_changes_against_upstream_branch() {
   local -r git_branch=$1
   local -r pattern=$2
+  local -r not_pattern=${3:-totallyimpossiblepattern}
   local full_branch
 
   full_branch="$(kube::util::git_upstream_remote_name)/${git_branch}"
@@ -412,11 +413,11 @@ kube::util::has_changes_against_upstream_branch() {
     exit 1
   fi
   # notice this uses ... to find the first shared ancestor
-  if git diff --name-only "${full_branch}...HEAD" | grep "${pattern}" > /dev/null; then
+  if git diff --name-only "${full_branch}...HEAD" | grep -v "${not_pattern}" | grep "${pattern}" > /dev/null; then
     return 0
   fi
   # also check for pending changes
-  if git status --porcelain | grep "${pattern}" > /dev/null; then
+  if git status --porcelain | grep -v "${not_pattern}" | grep "${pattern}" > /dev/null; then
     echo "Detected '${pattern}' uncommitted changes."
     return 0
   fi
diff --git a/hack/verify-readonly-packages.sh b/hack/verify-readonly-packages.sh
new file mode 100755
index 00000000000..02d8d5745d8
--- /dev/null
+++ b/hack/verify-readonly-packages.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# verify-readonly-packages.sh checks whether between $KUBE_VERIFY_GIT_BRANCH and HEAD files
+# in readonly directories were modified. A directory is readonly iff it contains a .readonly
+# file. Being readonly DOES NOT apply recursively to subdirectories.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
+source "${KUBE_ROOT}/hack/lib/init.sh"
+
+readonly branch=${1:-${KUBE_VERIFY_GIT_BRANCH:-master}}
+
+find_files() {
+  find . -not \( \
+      \( \
+        -wholename './output' \
+        -o -wholename './_output' \
+        -o -wholename './_gopath' \
+        -o -wholename './release' \
+        -o -wholename './target' \
+        -o -wholename '*/third_party/*' \
+        -o -wholename '*/vendor/*' \
+        -o -wholename './staging' \
+      \) -prune \
+    \) -name '.readonly'
+}
+
+IFS=$'\n'
+conflicts=($(find_files | sed 's|/.readonly||' | while read dir; do
+    dir=${dir#./}
+    if kube::util::has_changes_against_upstream_branch "${branch}" "^${dir}/[^/]*\$" "/.readonly\$" &>/dev/null; then
+        echo "${dir}"
+    fi
+done))
+unset IFS
+
+if [ ${#conflicts[@]} -gt 0 ]; then
+    exec 1>&2
+    for dir in "${conflicts[@]}"; do
+        echo "Found ${dir}/.readonly, but files changed compared to \"${branch}\" branch."
+    done
+    exit 1
+else
+    echo "Readonly packages verified."
+fi
+# ex: ts=2 sw=2 et filetype=sh