ci: repair updater 3.4 acceptance contract

This commit is contained in:
Masterluke77
2026-07-10 15:11:39 +02:00
parent 2362c15477
commit 867cc6c2c0
@@ -0,0 +1,172 @@
name: Repair Updater 3.4 Acceptance Contract
on:
push:
branches:
- feature/updater-3.4-lifecycle
permissions:
contents: write
concurrency:
group: repair-updater-34-acceptance
cancel-in-progress: false
jobs:
repair:
if: ${{ github.actor != 'github-actions[bot]' }}
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
with:
ref: feature/updater-3.4-lifecycle
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: '22.x'
- name: Abnahmevertrag bereinigen und Diagnose härten
shell: python
run: |
from pathlib import Path
parser = Path('tools/verify-powershell-parser.ps1')
parser.write_text("""[CmdletBinding()]
param(
[string]$ReportPath = ''
)
Set-StrictMode -Version 2.0
$ErrorActionPreference = 'Stop'
$root = Split-Path -Parent $PSScriptRoot
$excludedParts = @('\\node_modules\\','\\.git\\','\\runtime\\','\\logs\\','\\data\\','\\backups\\')
$files = Get-ChildItem -LiteralPath $root -Recurse -File | Where-Object {
$_.Extension -in @('.ps1','.psm1','.psd1')
} | Where-Object {
$full = $_.FullName
-not (@($excludedParts | Where-Object { $full.IndexOf($_,[StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count)
} | Sort-Object FullName
$failures = New-Object System.Collections.Generic.List[string]
foreach ($file in $files) {
$tokens = $null
$errors = $null
[void][System.Management.Automation.Language.Parser]::ParseFile($file.FullName,[ref]$tokens,[ref]$errors)
foreach ($parseError in @($errors)) {
$relative = $file.FullName.Substring($root.Length).TrimStart('\\')
$failures.Add(("{0}:{1}:{2} {3}" -f $relative,$parseError.Extent.StartLineNumber,$parseError.Extent.StartColumnNumber,$parseError.Message))
}
}
if ($failures.Count -gt 0) {
$report = "Windows-PowerShell-Parser-Gate fehlgeschlagen ($($failures.Count) Fehler):$([Environment]::NewLine)$(@($failures) -join [Environment]::NewLine)"
} else {
$report = "OK: Windows PowerShell $($PSVersionTable.PSVersion) hat $($files.Count) PowerShell-Dateien ohne Parserfehler akzeptiert."
}
if (-not [string]::IsNullOrWhiteSpace($ReportPath)) {
$parent = Split-Path -Parent $ReportPath
if ($parent) { New-Item -ItemType Directory -Path $parent -Force | Out-Null }
[IO.File]::WriteAllText($ReportPath,$report,(New-Object Text.UTF8Encoding($false)))
}
if ($failures.Count -gt 0) {
[Console]::Error.WriteLine($report)
exit 1
}
Write-Host $report
exit 0
""".lstrip(), encoding='utf-8', newline='\n')
ci = Path('.github/workflows/ci.yml')
text = ci.read_text(encoding='utf-8')
old_parser = """ - name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
shell: powershell
run: .\\tools\\verify-powershell-parser.ps1
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen"""
new_parser = """ - name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
shell: powershell
run: .\\tools\\verify-powershell-parser.ps1 -ReportPath \"$env:RUNNER_TEMP\\powershell-parser-diagnostics.txt\"
- name: Parserdiagnose bei Fehler sichern
if: failure()
uses: actions/upload-artifact@v4
with:
name: powershell-parser-diagnostics-${{ github.event.pull_request.head.sha || github.sha }}
path: ${{ runner.temp }}/powershell-parser-diagnostics.txt
if-no-files-found: error
retention-days: 14
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen"""
old_parser = old_parser.replace(' ', ' ')
new_parser = new_parser.replace(' ', ' ')
if text.count(old_parser) != 1:
raise SystemExit(f'Windows-Parserblock nicht eindeutig gefunden: {text.count(old_parser)}')
text = text.replace(old_parser, new_parser)
old_zip = """ (
cd release-output
zip -qr \"${release_name}.zip\" \"${release_name}\"
sha256sum \"${release_name}.zip\" > \"${release_name}.zip.sha256\"
sha256sum --check \"${release_name}.zip.sha256\"
)""".replace(' ', '')
new_zip = """ archive=\"release-output/${release_name}.zip\"
python tools/build-deterministic-zip.py \"$package_dir\" \"$archive\"
first_hash=\"$(sha256sum \"$archive\" | awk '{print $1}')\"
python tools/build-deterministic-zip.py \"$package_dir\" \"$archive\"
second_hash=\"$(sha256sum \"$archive\" | awk '{print $1}')\"
if [[ \"$first_hash\" != \"$second_hash\" ]]; then
echo \"Der ZIP-Build ist nicht byte-reproduzierbar.\" >&2
exit 1
fi
python -m zipfile -t \"$archive\"
(
cd release-output
sha256sum \"${release_name}.zip\" > \"${release_name}.zip.sha256\"
sha256sum --check \"${release_name}.zip.sha256\"
)""".replace(' ', '')
if text.count(old_zip) != 1:
raise SystemExit(f'ZIP-Block nicht eindeutig gefunden: {text.count(old_zip)}')
ci.write_text(text.replace(old_zip, new_zip), encoding='utf-8', newline='\n')
verifier = Path('tools/verify-updater-ci-lifecycle-3.4.mjs')
verify_text = verifier.read_text(encoding='utf-8')
anchor = "assert(ci.includes('actions/upload-artifact@v4'), 'Das geprüfte Paket wird nicht als CI-Artefakt bereitgestellt.');"
additions = """
assert(ci.includes('powershell-parser-diagnostics'), 'Windows-Parserfehler werden nicht als Diagnoseartefakt gesichert.');
assert(ci.includes('tools/build-deterministic-zip.py'), 'Paketjob verwendet keinen deterministischen ZIP-Build.');
assert(ci.includes('first_hash') && ci.includes('second_hash'), 'Paketjob weist die Byte-Reproduzierbarkeit des ZIPs nicht nach.');
assert(!ci.includes('zip -qr'), 'Paketjob verwendet weiterhin den zeitstempelabhängigen Standard-ZIP-Build.');
const deterministicZip = read('tools/build-deterministic-zip.py');
assert(deterministicZip.includes('FIXED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)'), 'Deterministischer ZIP-Build besitzt keinen fixierten Zeitstempel.');
assert(deterministicZip.includes('sorted(source.rglob'), 'Deterministischer ZIP-Build sortiert die Payload nicht.');"""
if 'powershell-parser-diagnostics' not in verify_text:
if verify_text.count(anchor) != 1:
raise SystemExit(f'CI-Gate-Anker nicht eindeutig gefunden: {verify_text.count(anchor)}')
verifier.write_text(verify_text.replace(anchor, anchor + additions), encoding='utf-8', newline='\n')
- name: Temporäre Dateien entfernen und Manifest erzeugen
shell: bash
run: |
set -euo pipefail
rm -f \
logs/updater34-acceptance-ci-trigger.txt \
logs/updater34-final-acceptance-trigger.txt \
.github/workflows/patch-updater34-deterministic-package.yml \
.github/workflows/repair-updater34-acceptance.yml
node tools/generate-release-manifest.mjs .
git diff --check
- name: Bereinigten Vertrag committen
shell: bash
run: |
set -euo pipefail
git config user.name 'vendoo-updater-build'
git config user.email 'vendoo-updater-build@users.noreply.github.com'
git add --all
git commit -m 'ci: harden updater 3.4 acceptance diagnostics'
git push origin HEAD:feature/updater-3.4-lifecycle