🧹 Refactor rust_glib_advisory_violations to use GlibLegacyContext dataclass

scripts/checks/verify_supply_chain.py

@@ -4,6 +4,7 @@
 import re
 import shlex
 from itertools import pairwise
+from dataclasses import dataclass
 from pathlib import Path
 
 try:
@@ -1644,6 +1645,16 @@ def verify_release_asset_allowlist_policy() -> list[str]:
     return violations
 
 
+
+@dataclass(frozen=True)
+class GlibLegacyContext:
+    """Context for validating legacy glib dependencies against allowed owners."""
+    package_dependencies: dict[str, list[str]]
+    glib_exception_owned_packages: set[str]
+    legacy_glib_ancestors: set[str]
+    legacy_glib_direct_owners: set[str]
+
+
 def rust_dependency_advisory_violations(
     lockfile: Path = Path("apps/desktop/src-tauri/Cargo.lock"),
 ) -> list[str]:
@@ -1661,6 +1672,12 @@ def rust_dependency_advisory_violations(
     legacy_glib_direct_owners = cargo_lock_dependency_owners(
         package_dependencies, RUST_GLIB_LEGACY_EXCEPTION_PACKAGE
     )
+    glib_context = GlibLegacyContext(
+        package_dependencies=package_dependencies,
+        glib_exception_owned_packages=glib_exception_owned_packages,
+        legacy_glib_ancestors=legacy_glib_ancestors,
+        legacy_glib_direct_owners=legacy_glib_direct_owners,
+    )
     for package in cargo_lock_packages(lockfile):
         current_name = str(package.get("name", ""))
         version = str(package.get("version", ""))
@@ -1675,10 +1692,7 @@ def rust_dependency_advisory_violations(
                     rust_glib_advisory_violations(
                         lockfile,
                         version,
-                        package_dependencies,
-                        legacy_glib_ancestors,
-                        legacy_glib_direct_owners,
-                        glib_exception_owned_packages,
+                        glib_context,
                     )
                 )
             continue
@@ -1809,19 +1823,11 @@ def rust_osv_exception_violations(
 def rust_glib_advisory_violations(
     lockfile: Path,
     version: str,
-    package_dependencies: dict[str, list[str]],
-    legacy_glib_ancestors: set[str],
-    legacy_glib_direct_owners: set[str],
-    glib_exception_owned_packages: set[str],
+    context: GlibLegacyContext,
 ) -> list[str]:
     """Return violations for vulnerable glib versions outside the Tauri GTK stack."""
     if version == RUST_GLIB_LEGACY_EXCEPTION_VERSION:
-        if glib_legacy_exception_owners_are_allowed(
-            package_dependencies,
-            legacy_glib_ancestors,
-            glib_exception_owned_packages,
-            legacy_glib_direct_owners,
-        ):
+        if glib_legacy_exception_owners_are_allowed(context):
             return []
         return [
             f"{lockfile}: glib {version} matches the legacy exception version but "
@@ -1849,24 +1855,19 @@ def rust_glib_advisory_violations(
     return []
 
 
-def glib_legacy_exception_owners_are_allowed(
-    package_dependencies: dict[str, list[str]],
-    legacy_glib_ancestors: set[str],
-    glib_exception_owned_packages: set[str],
-    legacy_glib_direct_owners: set[str],
-) -> bool:
+def glib_legacy_exception_owners_are_allowed(context: GlibLegacyContext) -> bool:
     """Return whether every glib ancestor matches the documented GTK/WebKit stack."""
-    if not legacy_glib_ancestors:
+    if not context.legacy_glib_ancestors:
         return False
     ancestor_names = {
-        ancestor.rsplit(" ", maxsplit=1)[0] for ancestor in legacy_glib_ancestors
+        ancestor.rsplit(" ", maxsplit=1)[0] for ancestor in context.legacy_glib_ancestors
     }
     direct_owner_names = {
-        owner.rsplit(" ", maxsplit=1)[0] for owner in legacy_glib_direct_owners
+        owner.rsplit(" ", maxsplit=1)[0] for owner in context.legacy_glib_direct_owners
     }
     if not direct_owner_names <= RUST_GLIB_LEGACY_DIRECT_OWNER_NAMES:
         return False
-    off_chain_ancestors = legacy_glib_ancestors - glib_exception_owned_packages
+    off_chain_ancestors = context.legacy_glib_ancestors - context.glib_exception_owned_packages
     allowed_app_roots = {
         ancestor
         for ancestor in off_chain_ancestors
@@ -1876,7 +1877,7 @@ def glib_legacy_exception_owners_are_allowed(
     if off_chain_ancestors != allowed_app_roots:
         return False
     if not glib_allowed_app_roots_reach_glib_through_tauri(
-        package_dependencies, allowed_app_roots
+        context.package_dependencies, allowed_app_roots
     ):
         return False
     return ancestor_names <= (