helm/helm

ci: add check to prevent invisible Unicode characters (ZWSP/bidi) in source

Open

#32137 opened on May 21, 2026

Labels: good first issue, help wanted

Description

Summary

PR #32134 removed three U+200B (zero-width space) characters from a comment in internal/plugin/plugin.go. The characters were invisible and had no effect on behavior, but caused Renovate to emit a repo-wide warning for every project that vendors helm.sh/helm/v4:

⚠️ WARN: Hidden Unicode characters have been discovered in file(s) in your repository...

Proposal

Add a CI step that fails if any invisible/dangerous Unicode codepoints are found in the source tree. A one-liner like:

grep -rP '[\x{200B}-\x{200D}\x{FEFF}\x{202A}-\x{202E}\x{2066}-\x{2069}]' --include='*.go' . && echo 'FAIL: invisible Unicode found' && exit 1 || true

This covers:

  • U+200B–U+200D: zero-width spaces
  • U+FEFF: BOM / zero-width no-break space
  • U+202A–U+202E: bidirectional text controls
  • U+2066–U+2069: bidirectional isolates (the "trojan source" class)

Alternatively, a golangci-lint plugin or a standalone tool such as bidichk could be wired into the existing lint pipeline.

Motivation

  • Prevents the same class of issue from silently reappearing.
  • Protects downstream vendor/ consumers from noisy Renovate warnings that can't be suppressed per-path.
  • Guards against "trojan source" style attacks (bidi overrides in code comments/strings).
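
An added example, not part of the issue or of Helm's code: a standalone Go checker for the four code point ranges listed in the proposal, reporting file, line, column and code point for each hit. It goes slightly beyond the one-liner by treating an unreadable file as a failure; the `Finding` type, the `Scan` and `flagged` names, and the command-line usage are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os"
)

// Finding is one flagged code point; Line and Col are 1-based, Col counts runes.
type Finding struct {
	Line, Col int
	Rune      rune
}

// flagged covers the ranges listed in the issue. They are written as numeric
// literals, not raw characters, so this file passes its own check.
func flagged(r rune) bool {
	return (r >= 0x200B && r <= 0x200D) || r == 0xFEFF ||
		(r >= 0x202A && r <= 0x202E) || (r >= 0x2066 && r <= 0x2069)
}

// Scan returns every flagged code point in src, in order of appearance.
func Scan(src []byte) (out []Finding) {
	line, col := 1, 0
	for _, r := range string(src) { // invalid bytes decode as U+FFFD and are not flagged
		if col++; r == '\n' {
			line, col = line+1, 0
		} else if flagged(r) {
			out = append(out, Finding{line, col, r})
		}
	}
	return out
}

// main checks the files named on the command line (assumed usage:
// go run . $(git ls-files '*.go')) and exits 1 on any finding or read error.
func main() {
	status := 0
	for _, p := range os.Args[1:] {
		data, err := os.ReadFile(p)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			status = 1
		}
		for _, f := range Scan(data) {
			fmt.Printf("%s:%d:%d: U+%04X\n", p, f.Line, f.Col, f.Rune)
			status = 1
		}
	}
	os.Exit(status)
}
```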
