Updater 3.4 – Lifecycle Hardening (#28)
Production-ready updater lifecycle hardening with final-head checks, Windows PowerShell 5.1 compatibility, reproducible package generation, provenance validation, payload rollback protection and documented acceptance.
This commit was merged in pull request #28.
This commit is contained in:
@@ -5,6 +5,7 @@ on:
|
||||
branches: [main, develop, 'feature/**', 'release/**', 'hotfix/**']
|
||||
pull_request:
|
||||
branches: [main, develop]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
@@ -42,16 +43,21 @@ jobs:
|
||||
- name: Git-Staging-Filter Regressionstest
|
||||
run: npm run verify:git-staging
|
||||
|
||||
- name: Release-Manifest und Paketvertrag prüfen
|
||||
run: npm run verify:release-manifest
|
||||
|
||||
- name: Git-Ignore-Grenzen für Quell- und Runtimeordner prüfen
|
||||
run: npm run verify:ignore-boundaries
|
||||
|
||||
- name: Syntaxprüfung
|
||||
run: npm run check
|
||||
|
||||
|
||||
- name: PowerShell-Regressionen statisch prüfen
|
||||
run: npm run verify:powershell-static
|
||||
|
||||
- name: Updater-3.4-Lifecycle und Startkette prüfen
|
||||
run: npm run verify:updater-start-chain && npm run verify:updater-lifecycle
|
||||
|
||||
- name: Produktiven Source-Root und Archivgrenzen prüfen
|
||||
run: npm run verify:source-boundaries
|
||||
|
||||
@@ -140,9 +146,93 @@ jobs:
|
||||
|
||||
- name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
|
||||
shell: powershell
|
||||
run: .\tools\verify-powershell-parser.ps1
|
||||
run: .\tools\verify-powershell-parser.ps1 -ReportPath "$env:RUNNER_TEMP\powershell-parser-diagnostics.txt"
|
||||
|
||||
- name: Parserdiagnose bei Fehler sichern
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: powershell-parser-diagnostics-${{ github.event.pull_request.head.sha || github.sha }}
|
||||
path: ${{ runner.temp }}/powershell-parser-diagnostics.txt
|
||||
if-no-files-found: error
|
||||
retention-days: 14
|
||||
|
||||
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen
|
||||
shell: pwsh
|
||||
run: npm run verify:all
|
||||
|
||||
package-after-acceptance:
|
||||
name: Updater-3.4-Paket nach Abnahme
|
||||
needs: [quality, windows-release-contract]
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 15
|
||||
steps:
|
||||
- name: Exakten geprüften Head auschecken
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Node.js 22 aktivieren
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '22.x'
|
||||
cache: npm
|
||||
|
||||
- name: Abhängigkeiten reproduzierbar installieren
|
||||
run: npm ci
|
||||
|
||||
- name: main für den Provenienzvergleich aktualisieren
|
||||
run: git fetch origin main:refs/remotes/origin/main
|
||||
|
||||
- name: Reproduzierbares Root-Manifest bestätigen
|
||||
shell: bash
|
||||
run: |
|
||||
node tools/generate-release-manifest.mjs .
|
||||
git diff --exit-code -- release-manifest.json
|
||||
|
||||
- name: Paket mit unveränderlicher Provenienz erzeugen
|
||||
env:
|
||||
VENDOO_SOURCE_COMMIT: ${{ github.event.pull_request.head.sha || github.sha }}
|
||||
run: node tools/build-release.mjs
|
||||
|
||||
- name: Paketmanifest und SHA-256 prüfen
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
release_name="$(tr -d '\r\n' < release-output/RELEASE_NAME.txt)"
|
||||
package_dir="release-output/${release_name}"
|
||||
node --input-type=module - "$package_dir" <<'NODE'
|
||||
import { readAndValidateManifest } from './tools/release-manifest-lib.mjs';
|
||||
const packageDir = process.argv[2];
|
||||
const manifest = readAndValidateManifest(packageDir);
|
||||
if (manifest.schema !== 'vendoo-release-package-v2') throw new Error(`Unerwartetes Paketschema: ${manifest.schema}`);
|
||||
if (manifest.updaterVersion !== '3.4.0') throw new Error(`Unerwartete Updater-Version: ${manifest.updaterVersion}`);
|
||||
if (manifest.targetVersion !== '1.43.0') throw new Error(`Unerwartete Zielversion: ${manifest.targetVersion}`);
|
||||
console.log(`Paket validiert: ${manifest.targetVersion}, Updater ${manifest.updaterVersion}, Payload ${manifest.payloadHash}`);
|
||||
NODE
|
||||
archive="release-output/${release_name}.zip"
|
||||
python tools/build-deterministic-zip.py "$package_dir" "$archive"
|
||||
first_hash="$(sha256sum "$archive" | awk '{print $1}')"
|
||||
python tools/build-deterministic-zip.py "$package_dir" "$archive"
|
||||
second_hash="$(sha256sum "$archive" | awk '{print $1}')"
|
||||
if [[ "$first_hash" != "$second_hash" ]]; then
|
||||
echo "Der ZIP-Build ist nicht byte-reproduzierbar." >&2
|
||||
exit 1
|
||||
fi
|
||||
python -m zipfile -t "$archive"
|
||||
(
|
||||
cd release-output
|
||||
sha256sum "${release_name}.zip" > "${release_name}.zip.sha256"
|
||||
sha256sum --check "${release_name}.zip.sha256"
|
||||
)
|
||||
|
||||
- name: Abgenommenes Paket als CI-Artefakt bereitstellen
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: vendoo-1.43.0-updater-3.4-${{ github.event.pull_request.head.sha || github.sha }}
|
||||
path: |
|
||||
release-output/*.zip
|
||||
release-output/*.zip.sha256
|
||||
if-no-files-found: error
|
||||
retention-days: 14
|
||||
|
||||
@@ -3,19 +3,20 @@ name: Vendoo Release Manifest Sync
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- release/1.43.0-production-update-v3
|
||||
- 'release/*-production-update-v*'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
actions: write
|
||||
|
||||
concurrency:
|
||||
group: vendoo-release-manifest-sync-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
sync:
|
||||
name: Release-Manifest reproduzierbar synchronisieren
|
||||
if: ${{ !contains(github.event.head_commit.message, '[manifest-sync]') }}
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
@@ -34,10 +35,14 @@ jobs:
|
||||
run: node tools/generate-release-manifest.mjs .
|
||||
|
||||
- name: Geändertes Manifest committen
|
||||
id: manifest
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
if git diff --quiet -- release-manifest.json; then
|
||||
echo "Release-Manifest ist bereits aktuell."
|
||||
echo "changed=false" >> "$GITHUB_OUTPUT"
|
||||
echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
git config user.name "vendoo-release-bot"
|
||||
@@ -45,3 +50,22 @@ jobs:
|
||||
git add release-manifest.json
|
||||
git commit -m "chore: Release-Manifest synchronisieren [manifest-sync]"
|
||||
git push origin HEAD:${GITHUB_REF_NAME}
|
||||
echo "changed=true" >> "$GITHUB_OUTPUT"
|
||||
echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Finalen Manifest-Head explizit validieren
|
||||
if: ${{ steps.manifest.outputs.changed == 'true' }}
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
final_head="${{ steps.manifest.outputs.head_sha }}"
|
||||
remote_head="$(git ls-remote origin "refs/heads/${GITHUB_REF_NAME}" | awk '{print $1}')"
|
||||
if [[ -z "$remote_head" || "$remote_head" != "$final_head" ]]; then
|
||||
echo "Der gepushte Manifest-Head ist nicht stabil: lokal=$final_head remote=$remote_head" >&2
|
||||
exit 1
|
||||
fi
|
||||
gh workflow run ci.yml --repo "$GITHUB_REPOSITORY" --ref "$GITHUB_REF_NAME"
|
||||
gh workflow run sync-release-manifest.yml --repo "$GITHUB_REPOSITORY" --ref "$GITHUB_REF_NAME"
|
||||
echo "Vendoo CI und Manifest-Sync wurden für finalen Head $final_head explizit registriert."
|
||||
|
||||
Reference in New Issue
Block a user