alint — kubernetes/kubernetes

alint replaces 17 of Kubernetes' 50 hand-rolled hack/verify-*.sh scripts with one declarative config.

Why this matters

kubernetes/kubernetes is the canonical “verify-script sprawl” repo. Every PR is gated by 50 hack/verify-*.sh scripts, each with its own filesystem walk, its own error-reporting style, and its own way of integrating with the rest of CI. When CI breaks the contributor has 50 scripts to triage; when a rule needs to change, 50 places to look.

This is the canonical script-sprawl problem alint was designed to fix.

Headline catch

17 of 50 verify-scripts collapse to a single declarative config. alint replaces 12 scripts as drop-in primitives (file_header, file_max_size, yaml_path_matches, etc.), absorbs another 5 via the command: shellout (shellcheck, spelling, gofmt, golangci-lint, govulncheck), and runs them all in parallel — vs. the existing pipeline’s serial bash invocations.

One file. One pass. One place to look when the build is red.

The remaining 33 split cleanly: 7 motivate language-aware import-gate primitives that are now on the v0.10 must-ship list (Kubernetes is one of 4 Go monorepos demanding the same shape); 18 are deliberately out of alint’s scope (codegen drift, vendor-graph analysis, AST-aware Go checks); 6 are duplicates or pre-existing CVE / deps tooling.

Where alint earns its keep here

One declarative config replaces 12 verify scripts as exact primitives. License headers, file-size guards, OWNERS YAML structure, package-naming regex, staging-meta-file pairs — all expressible with rule kinds that already ship.
Five more shell out via command: without the contributor needing to learn a new orchestrator. alint check is still the entry point.
Parallel rule dispatch beats sequential bash. The shell pipeline runs 20 scripts in series, each doing its own filesystem walk. alint runs all rules in parallel against one walk.
The boundary is honest. alint doesn’t pretend to know Go’s AST or Go’s module graph. The 18 codegen / vendor / AST-aware verify scripts are explicitly recommended to stay where they are, collapsed into one make verify-out-of-scope target so contributors stop running them one-by-one.

Future story angles

The import_gate rule kind (allowlist / denylist / alias modes) is already on the v0.10 ship list with 4 Go-monorepo sources behind it; Kubernetes accounts for 6 of the 7 verify scripts that motivate it. When this lands, the “17 of 50” number jumps to “23 of 50”.
The pair_hash extension (file-content hash matches a pinned manifest entry) covers Kubernetes’ vendor/-readonly enforcement and is on the v0.10 list with 3 sources.
The for_each_dir shape used here for staging/src/k8s.io/*/ meta-file presence generalises directly to nested-monorepo workspace conventions — the same primitive that makes nixpkgs’s 20,678 by-name package directories fly.