diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cae8f53..c36bdad 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,6 +5,7 @@ on: branches: [main, develop, 'feature/**', 'release/**', 'hotfix/**'] pull_request: branches: [main, develop] + workflow_dispatch: permissions: contents: read @@ -42,16 +43,21 @@ jobs: - name: Git-Staging-Filter Regressionstest run: npm run verify:git-staging + - name: Release-Manifest und Paketvertrag prüfen + run: npm run verify:release-manifest + - name: Git-Ignore-Grenzen für Quell- und Runtimeordner prüfen run: npm run verify:ignore-boundaries - name: Syntaxprüfung run: npm run check - - name: PowerShell-Regressionen statisch prüfen run: npm run verify:powershell-static + - name: Updater-3.4-Lifecycle und Startkette prüfen + run: npm run verify:updater-start-chain && npm run verify:updater-lifecycle + - name: Produktiven Source-Root und Archivgrenzen prüfen run: npm run verify:source-boundaries @@ -146,3 +152,69 @@ jobs: shell: pwsh run: npm run verify:all + package-after-acceptance: + name: Updater-3.4-Paket nach Abnahme + needs: [quality, windows-release-contract] + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - name: Exakten geprüften Head auschecken + uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + fetch-depth: 0 + + - name: Node.js 22 aktivieren + uses: actions/setup-node@v4 + with: + node-version: '22.x' + cache: npm + + - name: Abhängigkeiten reproduzierbar installieren + run: npm ci + + - name: main für den Provenienzvergleich aktualisieren + run: git fetch origin main:refs/remotes/origin/main + + - name: Reproduzierbares Root-Manifest bestätigen + shell: bash + run: | + node tools/generate-release-manifest.mjs . + git diff --exit-code -- release-manifest.json + + - name: Paket mit unveränderlicher Provenienz erzeugen + env: + VENDOO_SOURCE_COMMIT: ${{ github.event.pull_request.head.sha || github.sha }} + run: node tools/build-release.mjs + + - name: Paketmanifest und SHA-256 prüfen + shell: bash + run: | + set -euo pipefail + release_name="$(tr -d '\r\n' < release-output/RELEASE_NAME.txt)" + package_dir="release-output/${release_name}" + node --input-type=module - "$package_dir" <<'NODE' + import { readAndValidateManifest } from './tools/release-manifest-lib.mjs'; + const packageDir = process.argv[2]; + const manifest = readAndValidateManifest(packageDir); + if (manifest.schema !== 'vendoo-release-package-v2') throw new Error(`Unerwartetes Paketschema: ${manifest.schema}`); + if (manifest.updaterVersion !== '3.4.0') throw new Error(`Unerwartete Updater-Version: ${manifest.updaterVersion}`); + if (manifest.targetVersion !== '1.43.0') throw new Error(`Unerwartete Zielversion: ${manifest.targetVersion}`); + console.log(`Paket validiert: ${manifest.targetVersion}, Updater ${manifest.updaterVersion}, Payload ${manifest.payloadHash}`); + NODE + ( + cd release-output + zip -qr "${release_name}.zip" "${release_name}" + sha256sum "${release_name}.zip" > "${release_name}.zip.sha256" + sha256sum --check "${release_name}.zip.sha256" + ) + + - name: Abgenommenes Paket als CI-Artefakt bereitstellen + uses: actions/upload-artifact@v4 + with: + name: vendoo-1.43.0-updater-3.4-${{ github.event.pull_request.head.sha || github.sha }} + path: | + release-output/*.zip + release-output/*.zip.sha256 + if-no-files-found: error + retention-days: 14