ci: repair updater 3.4 acceptance contract
This commit is contained in:
@@ -0,0 +1,172 @@
|
||||
name: Repair Updater 3.4 Acceptance Contract
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- feature/updater-3.4-lifecycle
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
concurrency:
|
||||
group: repair-updater-34-acceptance
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
repair:
|
||||
if: ${{ github.actor != 'github-actions[bot]' }}
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
ref: feature/updater-3.4-lifecycle
|
||||
fetch-depth: 0
|
||||
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '22.x'
|
||||
|
||||
- name: Abnahmevertrag bereinigen und Diagnose härten
|
||||
shell: python
|
||||
run: |
|
||||
from pathlib import Path
|
||||
|
||||
parser = Path('tools/verify-powershell-parser.ps1')
|
||||
parser.write_text("""[CmdletBinding()]
|
||||
param(
|
||||
[string]$ReportPath = ''
|
||||
)
|
||||
|
||||
Set-StrictMode -Version 2.0
|
||||
$ErrorActionPreference = 'Stop'
|
||||
$root = Split-Path -Parent $PSScriptRoot
|
||||
$excludedParts = @('\\node_modules\\','\\.git\\','\\runtime\\','\\logs\\','\\data\\','\\backups\\')
|
||||
$files = Get-ChildItem -LiteralPath $root -Recurse -File | Where-Object {
|
||||
$_.Extension -in @('.ps1','.psm1','.psd1')
|
||||
} | Where-Object {
|
||||
$full = $_.FullName
|
||||
-not (@($excludedParts | Where-Object { $full.IndexOf($_,[StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count)
|
||||
} | Sort-Object FullName
|
||||
|
||||
$failures = New-Object System.Collections.Generic.List[string]
|
||||
foreach ($file in $files) {
|
||||
$tokens = $null
|
||||
$errors = $null
|
||||
[void][System.Management.Automation.Language.Parser]::ParseFile($file.FullName,[ref]$tokens,[ref]$errors)
|
||||
foreach ($parseError in @($errors)) {
|
||||
$relative = $file.FullName.Substring($root.Length).TrimStart('\\')
|
||||
$failures.Add(("{0}:{1}:{2} {3}" -f $relative,$parseError.Extent.StartLineNumber,$parseError.Extent.StartColumnNumber,$parseError.Message))
|
||||
}
|
||||
}
|
||||
|
||||
if ($failures.Count -gt 0) {
|
||||
$report = "Windows-PowerShell-Parser-Gate fehlgeschlagen ($($failures.Count) Fehler):$([Environment]::NewLine)$(@($failures) -join [Environment]::NewLine)"
|
||||
} else {
|
||||
$report = "OK: Windows PowerShell $($PSVersionTable.PSVersion) hat $($files.Count) PowerShell-Dateien ohne Parserfehler akzeptiert."
|
||||
}
|
||||
|
||||
if (-not [string]::IsNullOrWhiteSpace($ReportPath)) {
|
||||
$parent = Split-Path -Parent $ReportPath
|
||||
if ($parent) { New-Item -ItemType Directory -Path $parent -Force | Out-Null }
|
||||
[IO.File]::WriteAllText($ReportPath,$report,(New-Object Text.UTF8Encoding($false)))
|
||||
}
|
||||
|
||||
if ($failures.Count -gt 0) {
|
||||
[Console]::Error.WriteLine($report)
|
||||
exit 1
|
||||
}
|
||||
|
||||
Write-Host $report
|
||||
exit 0
|
||||
""".lstrip(), encoding='utf-8', newline='\n')
|
||||
|
||||
ci = Path('.github/workflows/ci.yml')
|
||||
text = ci.read_text(encoding='utf-8')
|
||||
old_parser = """ - name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
|
||||
shell: powershell
|
||||
run: .\\tools\\verify-powershell-parser.ps1
|
||||
|
||||
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen"""
|
||||
new_parser = """ - name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
|
||||
shell: powershell
|
||||
run: .\\tools\\verify-powershell-parser.ps1 -ReportPath \"$env:RUNNER_TEMP\\powershell-parser-diagnostics.txt\"
|
||||
|
||||
- name: Parserdiagnose bei Fehler sichern
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: powershell-parser-diagnostics-${{ github.event.pull_request.head.sha || github.sha }}
|
||||
path: ${{ runner.temp }}/powershell-parser-diagnostics.txt
|
||||
if-no-files-found: error
|
||||
retention-days: 14
|
||||
|
||||
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen"""
|
||||
old_parser = old_parser.replace(' ', ' ')
|
||||
new_parser = new_parser.replace(' ', ' ')
|
||||
if text.count(old_parser) != 1:
|
||||
raise SystemExit(f'Windows-Parserblock nicht eindeutig gefunden: {text.count(old_parser)}')
|
||||
text = text.replace(old_parser, new_parser)
|
||||
|
||||
old_zip = """ (
|
||||
cd release-output
|
||||
zip -qr \"${release_name}.zip\" \"${release_name}\"
|
||||
sha256sum \"${release_name}.zip\" > \"${release_name}.zip.sha256\"
|
||||
sha256sum --check \"${release_name}.zip.sha256\"
|
||||
)""".replace(' ', '')
|
||||
new_zip = """ archive=\"release-output/${release_name}.zip\"
|
||||
python tools/build-deterministic-zip.py \"$package_dir\" \"$archive\"
|
||||
first_hash=\"$(sha256sum \"$archive\" | awk '{print $1}')\"
|
||||
python tools/build-deterministic-zip.py \"$package_dir\" \"$archive\"
|
||||
second_hash=\"$(sha256sum \"$archive\" | awk '{print $1}')\"
|
||||
if [[ \"$first_hash\" != \"$second_hash\" ]]; then
|
||||
echo \"Der ZIP-Build ist nicht byte-reproduzierbar.\" >&2
|
||||
exit 1
|
||||
fi
|
||||
python -m zipfile -t \"$archive\"
|
||||
(
|
||||
cd release-output
|
||||
sha256sum \"${release_name}.zip\" > \"${release_name}.zip.sha256\"
|
||||
sha256sum --check \"${release_name}.zip.sha256\"
|
||||
)""".replace(' ', '')
|
||||
if text.count(old_zip) != 1:
|
||||
raise SystemExit(f'ZIP-Block nicht eindeutig gefunden: {text.count(old_zip)}')
|
||||
ci.write_text(text.replace(old_zip, new_zip), encoding='utf-8', newline='\n')
|
||||
|
||||
verifier = Path('tools/verify-updater-ci-lifecycle-3.4.mjs')
|
||||
verify_text = verifier.read_text(encoding='utf-8')
|
||||
anchor = "assert(ci.includes('actions/upload-artifact@v4'), 'Das geprüfte Paket wird nicht als CI-Artefakt bereitgestellt.');"
|
||||
additions = """
|
||||
assert(ci.includes('powershell-parser-diagnostics'), 'Windows-Parserfehler werden nicht als Diagnoseartefakt gesichert.');
|
||||
assert(ci.includes('tools/build-deterministic-zip.py'), 'Paketjob verwendet keinen deterministischen ZIP-Build.');
|
||||
assert(ci.includes('first_hash') && ci.includes('second_hash'), 'Paketjob weist die Byte-Reproduzierbarkeit des ZIPs nicht nach.');
|
||||
assert(!ci.includes('zip -qr'), 'Paketjob verwendet weiterhin den zeitstempelabhängigen Standard-ZIP-Build.');
|
||||
const deterministicZip = read('tools/build-deterministic-zip.py');
|
||||
assert(deterministicZip.includes('FIXED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)'), 'Deterministischer ZIP-Build besitzt keinen fixierten Zeitstempel.');
|
||||
assert(deterministicZip.includes('sorted(source.rglob'), 'Deterministischer ZIP-Build sortiert die Payload nicht.');"""
|
||||
if 'powershell-parser-diagnostics' not in verify_text:
|
||||
if verify_text.count(anchor) != 1:
|
||||
raise SystemExit(f'CI-Gate-Anker nicht eindeutig gefunden: {verify_text.count(anchor)}')
|
||||
verifier.write_text(verify_text.replace(anchor, anchor + additions), encoding='utf-8', newline='\n')
|
||||
|
||||
- name: Temporäre Dateien entfernen und Manifest erzeugen
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
rm -f \
|
||||
logs/updater34-acceptance-ci-trigger.txt \
|
||||
logs/updater34-final-acceptance-trigger.txt \
|
||||
.github/workflows/patch-updater34-deterministic-package.yml \
|
||||
.github/workflows/repair-updater34-acceptance.yml
|
||||
node tools/generate-release-manifest.mjs .
|
||||
git diff --check
|
||||
|
||||
- name: Bereinigten Vertrag committen
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git config user.name 'vendoo-updater-build'
|
||||
git config user.email 'vendoo-updater-build@users.noreply.github.com'
|
||||
git add --all
|
||||
git commit -m 'ci: harden updater 3.4 acceptance diagnostics'
|
||||
git push origin HEAD:feature/updater-3.4-lifecycle
|
||||
Reference in New Issue
Block a user