ci: add typo check to ci (#5491)

Co-authored-by: Boquan Fang <boquanfang3@gmail.com>
Co-authored-by: James Mayclin <maycj@amazon.com>
Co-authored-by: Doug Chapman <54039637+dougch@users.noreply.github.com>

Author: 4 people

.github/config/_typos.toml renamed to .github/config/typos.toml

@@ -1,11 +1,16 @@
 [default]
 binary = false
 check-filename = true
+extend-ignore-identifiers-re = [
+    "PNGs",
+    "_EDE_",
+    "ETyp",
+]
 
 [default.extend-words]
-alloced = "alloced"
-s2nd = "s2nd"
+# prevent the "nd" in "s2nd" from being corrected to "and"
 nd = "nd"
+# prevent re:Inforce, the AWS cloud security event from being corrected (READING-LIST.md)
 Inforce = "Inforce"
 
 # While we build up the extend-words list
@@ -21,30 +26,33 @@ check-file = false
 [type.make]
 check-file = false
 
-[type.cmake]
-check-file = false
+[type.cmake.extend-words]
+# 'thr' is the FreeBSD threading library
+thr = "thr"
+testss = "testss"
 
 [type.rust]
 check-file = false
 
-[type.sh]
-check-file = false
-
 [files]
 extend-exclude = [
-    "*.bin",
     "**/corpus/*",
+    "**/mime.types",
+    "**/specs/**/*",
+    "*.bin",
+    "*.conf",
     "*.cry",
     "*.der",
     "*.h",
     "*.kat",
-    "*.pem",
     "*.patch",
+    "*.pcap",
     "*.pdf",
+    "*.pem",
     "*.png",
+    "*.priv",
     "*.saw",
     "*.snap",
     "*.suppressions",
-    "**/specs/**/*",
-
+    "tests/integrationv2/README.md",
 ]

.github/workflows/docs.yml

@@ -14,6 +14,30 @@ permissions:
   pages: write
 
 jobs:
+  typos:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          submodules: true
+
+      - name: Install rust toolchain
+        id: toolchain
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup override set stable
+
+      - uses: camshaft/install@v1
+        with:
+          crate: typos-cli
+          bins: typos
+
+      - name: Run typos
+        run: |
+          typos -c .github/config/typos.toml --format json | tee /tmp/typos.json | jq -rs '.[] | "::error file=\(.path),line=\(.line_num),col=\(.byte_offset)::\(.typo) should be \"" + (.corrections // [] | join("\" or \"") + "\"")'
+          cat /tmp/typos.json
+          ! grep -q '[^[:space:]]' /tmp/typos.json
+
   generate-doxygen:
     runs-on: ubuntu-latest
     steps:

CMakeLists.txt

@@ -375,7 +375,7 @@ endif()
 
 if (S2N_INTERN_LIBCRYPTO)
 
-    # Check if the AWS::crypto target has beeen added and handle it
+    # Check if the AWS::crypto target has been added and handle it
     if (TARGET AWS::crypto)
         # Get the target library type (shared or static)
         get_target_property(target_type AWS::crypto TYPE)
@@ -410,7 +410,7 @@ if (S2N_INTERN_LIBCRYPTO)
           cp ${crypto_STATIC_LIBRARY} s2n_libcrypto.a &&
           # dump all of the symbols and prefix them with `s2n$`
           bash -c "${CMAKE_NM} s2n_libcrypto.a | awk '/ [A-Z] /{if ($3) print $3\" s2n$\"$3}' | sort | uniq > libcrypto.symbols" &&
-          # redefine the libcrypto libary symbols
+          # redefine the libcrypto library symbols
           ${CMAKE_OBJCOPY} --redefine-syms libcrypto.symbols s2n_libcrypto.a &&
           rm -rf s2n_libcrypto &&
           mkdir s2n_libcrypto &&

codebuild/bin/install_default_dependencies.sh

@@ -92,7 +92,7 @@ if [[ "$TESTS" == "integrationv2" || "$TESTS" == "ALL" ]]; then
                 brew install python@3
                 python3 -m pip install --user tox ;;
             *)
-                echo "Unkown platform $DISTRO trying to install tox on $OS_NAME $ARCH"
+                echo "Unknown platform $DISTRO trying to install tox on $OS_NAME $ARCH"
                 exit 1
                 ;;
             esac
@@ -113,7 +113,7 @@ if [[ "$TESTS" == "integrationv2" || "$TESTS" == "ALL" ]]; then
 
     if [[ "$DISTRO" == "ubuntu" ]]; then
         # Install SSLyze for all Integration Tests on Ubuntu.
-        # There is a nassl dependancy issue preventing this from working on on AL2 ARM (others?).
+        # There is a nassl dependency issue preventing this from working on on AL2 ARM (others?).
         if [[ "$S2N_NO_SSLYZE" != "true" ]]; then
             codebuild/bin/install_sslyze.sh
         fi

codebuild/bin/install_ubuntu_dependencies.sh

@@ -13,7 +13,7 @@
 # permissions and limitations under the License.
 #
 
-# Shim code to get local docker/ec2 instances bootstraped like a CodeBuild instance.
+# Shim code to get local docker/ec2 instances bootstrapped like a CodeBuild instance.
 # Not actually used by CodeBuild.
 
 source codebuild/bin/s2n_setup_env.sh

codebuild/bin/s2n_fips_openssl.cnf

@@ -168,7 +168,7 @@ stateOrProvinceName_default	= Some-State
 localityName			= Locality Name (eg, city)
 
 0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Internet Widgits Pty Ltd
+0.organizationName_default	= Internet Widgets Pty Ltd
 
 # we can do this but it is not needed normally :-)
 #1.organizationName		= Second Organization Name (eg, company)

codebuild/bin/s2n_setup_env.sh

@@ -73,7 +73,7 @@ if [[ -f "/etc/os-release" ]]; then
 elif [[ -x "/usr/bin/sw_vers" ]]; then
   export DISTRO="apple"
   export VERSION_ID=$(sw_vers -productVersion|sed 's/:[[:space:]]*/=/g')
-  export VERSION_CODENAME="unknown"  # not queriable via CLI
+  export VERSION_CODENAME="unknown"  # not queryable via CLI
 else
   export DISTRO="unknown"
   export VERSION_ID="unknown"

codebuild/bin/utils.sh

@@ -38,7 +38,7 @@ criterion_install_deps(){
 
 usage(){
     echo -e "Usage:\n\tget_latest_release: returns just the latest v.N.N.N version"
-    echo -e "\tgh_login <Secret Name> : retrieves a GitHub PAT from secrest manager and logs into GitHub.\n"
+    echo -e "\tgh_login <Secret Name> : retrieves a GitHub PAT from secrets manager and logs into GitHub.\n"
 }
 
 if [[ "${BASH_SOURCE[0]}" == "${0}"  ]]; then

docs/development/APPLICATION_DATA.md

@@ -118,7 +118,7 @@ s2n-tls attempts to send any necessary post-handshake messages BEFORE sending an
 
 If the send buffer is configured to be larger than the max record length via [s2n_config_set_send_buffer_size](https://aws.github.io/s2n-tls/doxygen/s2n_8h.html#a6de9d794c410474e9851880bd4914025), then s2n_send can buffer more than one record in `out` at a time before writing to the network. This reduces syscalls and can improve performance.
 
-This feature does not signficantly impact the s2n_send logic: it really just makes the call to "s2n_flush" after each record is written to `out` conditional on whether or not there's enough space in `out` for another record.
+This feature does not significantly impact the s2n_send logic: it really just makes the call to "s2n_flush" after each record is written to `out` conditional on whether or not there's enough space in `out` for another record.
 
 ## Receiving Application Data
 
@@ -128,7 +128,7 @@ Note: If you are unfamiliar with s2n_recv, read [the usage guide](https://github
 
 ### The header_in, in, and buffer_in buffers
 
-Once upon a time, reading a record involved reading the TLS header into the fixed-sized `header_in` buffer and reading the payload into the `in` buffer. The `in` buffer was allocated with enough memory to hold the largest possible record fragment allowed by the RFC. This made `in` generally analagous to `out`, but often larger. If you're trying to understand most of the s2n_recv logic, this is still a useful mental model.
+Once upon a time, reading a record involved reading the TLS header into the fixed-sized `header_in` buffer and reading the payload into the `in` buffer. The `in` buffer was allocated with enough memory to hold the largest possible record fragment allowed by the RFC. This made `in` generally analogous to `out`, but often larger. If you're trying to understand most of the s2n_recv logic, this is still a useful mental model.
 
 However, in reality, `in` no longer allocates *any* memory. Due to the addition of the "receive buffering" feature, `in` is now just a pointer to a subsection of `buffer_in`, and `buffer_in` is allocated with enough memory to hold the largest possible record allowed by the RFC. This is discussed further in the [Receive Buffering](#receive-buffering) section.
 
@@ -146,7 +146,7 @@ The "s2n_peek" method can be used to check if any plaintext is waiting in `in`.
 
 Historically, s2n_recv only read a single record each time it was called, regardless of how much application data the caller requested. Applications would need to call s2n_recv in a loop to read all expected data. This behavior has been maintained for backwards compatibility.
 
-However, applications can also call [s2n_config_set_recv_multi_record](https://aws.github.io/s2n-tls/doxygen/s2n_8h.html#a873c1969c18fdf8663a9b593e62b9460) to instead read records in a loop until the expected amount of application data has been read. This feature does not signficantly impact the s2n_recv logic: it really just wrapped the previous implementation in a loop.
+However, applications can also call [s2n_config_set_recv_multi_record](https://aws.github.io/s2n-tls/doxygen/s2n_8h.html#a873c1969c18fdf8663a9b593e62b9460) to instead read records in a loop until the expected amount of application data has been read. This feature does not significantly impact the s2n_recv logic: it really just wrapped the previous implementation in a loop.
 
 ### Receive buffering
 

docs/usage-guide/topics/ch07-io.md

@@ -192,7 +192,7 @@ or if called on a connection in a bad state.
 
 `s2n_shutdown()` may also read and decrypt multiple application data records while waiting
 for the close_notify alert. This could result in calls to `s2n_shutdown()` taking a long
-time to complete. If this is a problem, `s2n_shutdown_send()` may be preferrable.
+time to complete. If this is a problem, `s2n_shutdown_send()` may be preferable.
 See [Closing the connection for writes](#closing-the-connection-for-writes) below.
 
 Once `s2n_shutdown()` is complete: