feat: validate grafanaDep with semver

[s4kh]

Validate plugin.json -> dependencies.grafanaDependency using SemVer constraint.
Ignores schema validation for dependencies.grafanaDependency.

[s4kh]

At this stage, we know plugin.json file exists so no need to check for that.

[xnyo]

What if the file fails to open or to be read? I'd still keep the error check just in case

[s4kh]

I tried removing from the schema, but we have to read the schema and iterate through and find the grafanaDependency object and remove. Ignoring the returned error seemed simple so went with it.

[academo]

remove this

[academo]

remove print

[academo]

nit: validate that the schema is not reporting grafanaDependency as it used to be.

[s4kh]

now the new error message is checked in the main_test.go

[academo]

do we really need this validation here?

[s4kh]

It is to check combination of schema and grafanaDependency.

[xnyo]

Some small comments but the rest LGTM to me. I don't think this will conflict with #513 as they currently do two different things, but since the analyzer in #513 is called grafanaDependency we can maybe move this check over there instead once merged? (before cutting a release because the analyzer name will change if we move a check from one analyzer to another)

[xnyo]

What if the file fails to open or to be read? I'd still keep the error check just in case

[xnyo]

I went through this again considering also #513. I think we should merge this PR first, but we should make some changes before merging. My proposal is the following:

• Move the grafanaDependency check via the semver library in a separate grafanadependency analyzer, similar to #513. I would be fine with keeping the semver range check in the metadatavalid analyzer, but we need the extra checks in #513 (mostly just for our internal teams as sometimes they tend to forget the pre-release constraint -> deploy to cloud -> cause an incident because the version is "not supported". It never happens with community plugins since pretty much nobody uses on-prem "rolling" releases off main), so I think a dedicated analyzer is more suited, to keep those grafanaDependency-related checks close to each other
• Since the proposal is to move those more robust checks with the semver library in a different analyzer, I think we should remove the grafanaDependency error filtering done here:

  plugin-validator/pkg/analysis/passes/metadatavalid/metadatavalid.go

  Lines 122 to 127 in bbbfb76

  	// we validate grafanaDependency at line 91-100,
  	// so we ignore the error from schema validation
  	if strings.Contains(desc.Field(), "grafanaDependency") || strings.Contains(desc.Description(), "grafanaDependency") {
  	errLen -= 1
  	continue
  	}

  , unless it will conflict with the semver library check. I don't know if they will conflict with each other, but ideally they shouldn't: I see the regex as a first level of validation (weaker), and the semver library as a second one (more robust). If for some reason there are instances where the regex/schema check fails, but it should pass when fed into the semver library, I think we should change the regex instead of filtering out the error. If we decide to move the semver check into a dedicated analyzer, the filtering done in metadatavalid (like in this PR) will become messy because it would reference checks done on a separate grafanadependency analyzer. Moreover, if the user uses a config file that disables grafanadependency but keeps metadatavalid, the checks on the grafanaDependency field are skipped completely. I'd still keep a "simpler" check in metadatavalid and a proper one in a brand new analyzer

Once we merge this PR, I will rework #513 also considering your previous feedback (this PR is in a better state than #513, we're better off unblocking this one first)

What are your thoughts on this? @s4kh @academo

[s4kh]

I think the main problem with validating grafanaDependency in the metadatavalid check is the complexity of regex. Semver constraint can get pretty complex, and we need to adjust the regex every time - or sometimes regex fails but the other dedicated check passes or vice versa. And since we will be already using the semver validator for the grafanaDependency do we need to validate in the metadatavalid? I'll move it to the separate analyzer.

[s4kh]

Using github.com/Masterminds/semver/v3 v3.4.0 cause hashicorp/go-version treats this as invalid. Grafana treats as valid -> grafana/grafana#118090

[xnyo]

Just one small comment, the rest LGTM! Great job! 🙌

[xnyo]

Can you add test cases for:

• Empty grafanaDependency
• Missing grafanaDependency (if that makes sense, since there's also the schema validation)

[s4kh]

Got it. Added the tests. Unmarshal succeeds and NewConstraint returns error - improper constraint thus same title message is returned