Updater 3.4 – Lifecycle Hardening #28
@@ -0,0 +1,118 @@
|
||||
name: Patch Updater 3.4 CI Contract
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- feature/updater-3.4-lifecycle
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
concurrency:
|
||||
group: patch-updater-34-ci-contract
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
patch:
|
||||
if: ${{ github.actor != 'github-actions[bot]' }}
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
ref: feature/updater-3.4-lifecycle
|
||||
fetch-depth: 0
|
||||
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '22.x'
|
||||
|
||||
- name: CI-Vertrag aktualisieren
|
||||
shell: python
|
||||
run: |
|
||||
from pathlib import Path
|
||||
|
||||
ci = Path('.github/workflows/ci.yml')
|
||||
text = ci.read_text(encoding='utf-8')
|
||||
expression_sha = '${' + '{ github.event.pull_request.head.sha || github.sha }}'
|
||||
expression_temp = '${' + '{ runner.temp }}'
|
||||
|
||||
old_parser = ''' - name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
|
||||
shell: powershell
|
||||
run: .\\tools\\verify-powershell-parser.ps1
|
||||
'''.replace(' ', ' ')
|
||||
new_parser = f''' - name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
|
||||
shell: powershell
|
||||
run: .\\tools\\verify-powershell-parser.ps1 -ReportPath "$env:RUNNER_TEMP\\powershell-parser-diagnostics.txt"
|
||||
|
||||
- name: Parserdiagnose bei Fehler sichern
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: powershell-parser-diagnostics-{expression_sha}
|
||||
path: {expression_temp}/powershell-parser-diagnostics.txt
|
||||
if-no-files-found: error
|
||||
retention-days: 14
|
||||
'''.replace(' ', ' ')
|
||||
if text.count(old_parser) != 1:
|
||||
raise SystemExit(f'Windows-Parserblock nicht eindeutig gefunden: {text.count(old_parser)}')
|
||||
text = text.replace(old_parser, new_parser)
|
||||
|
||||
old_zip = ''' (
|
||||
cd release-output
|
||||
zip -qr "${release_name}.zip" "${release_name}"
|
||||
sha256sum "${release_name}.zip" > "${release_name}.zip.sha256"
|
||||
sha256sum --check "${release_name}.zip.sha256"
|
||||
)'''
|
||||
new_zip = ''' archive="release-output/${release_name}.zip"
|
||||
python tools/build-deterministic-zip.py "$package_dir" "$archive"
|
||||
first_hash="$(sha256sum "$archive" | awk '{print $1}')"
|
||||
python tools/build-deterministic-zip.py "$package_dir" "$archive"
|
||||
second_hash="$(sha256sum "$archive" | awk '{print $1}')"
|
||||
if [[ "$first_hash" != "$second_hash" ]]; then
|
||||
echo "Der ZIP-Build ist nicht byte-reproduzierbar." >&2
|
||||
exit 1
|
||||
fi
|
||||
python -m zipfile -t "$archive"
|
||||
(
|
||||
cd release-output
|
||||
sha256sum "${release_name}.zip" > "${release_name}.zip.sha256"
|
||||
sha256sum --check "${release_name}.zip.sha256"
|
||||
)'''
|
||||
if text.count(old_zip) != 1:
|
||||
raise SystemExit(f'Standard-ZIP-Block nicht eindeutig gefunden: {text.count(old_zip)}')
|
||||
ci.write_text(text.replace(old_zip, new_zip), encoding='utf-8', newline='\n')
|
||||
|
||||
verifier = Path('tools/verify-updater-ci-lifecycle-3.4.mjs')
|
||||
verify_text = verifier.read_text(encoding='utf-8')
|
||||
anchor = "assert(ci.includes('actions/upload-artifact@v4'), 'Das geprüfte Paket wird nicht als CI-Artefakt bereitgestellt.');"
|
||||
additions = """
|
||||
assert(ci.includes('powershell-parser-diagnostics'), 'Windows-Parserfehler werden nicht als Diagnoseartefakt gesichert.');
|
||||
assert(ci.includes('tools/build-deterministic-zip.py'), 'Paketjob verwendet keinen deterministischen ZIP-Build.');
|
||||
assert(ci.includes('first_hash') && ci.includes('second_hash'), 'Paketjob weist die Byte-Reproduzierbarkeit des ZIPs nicht nach.');
|
||||
assert(!ci.includes('zip -qr'), 'Paketjob verwendet weiterhin den zeitstempelabhängigen Standard-ZIP-Build.');
|
||||
const deterministicZip = read('tools/build-deterministic-zip.py');
|
||||
assert(deterministicZip.includes('FIXED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)'), 'Deterministischer ZIP-Build besitzt keinen fixierten Zeitstempel.');
|
||||
assert(deterministicZip.includes('sorted(source.rglob'), 'Deterministischer ZIP-Build sortiert die Payload nicht.');"""
|
||||
if 'powershell-parser-diagnostics' not in verify_text:
|
||||
if verify_text.count(anchor) != 1:
|
||||
raise SystemExit(f'CI-Gate-Anker nicht eindeutig gefunden: {verify_text.count(anchor)}')
|
||||
verifier.write_text(verify_text.replace(anchor, anchor + additions), encoding='utf-8', newline='\n')
|
||||
|
||||
- name: Hilfsworkflow entfernen und Manifest erzeugen
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
rm -f .github/workflows/patch-updater34-ci-contract.yml
|
||||
node tools/generate-release-manifest.mjs .
|
||||
git diff --check
|
||||
|
||||
- name: CI-Vertrag committen
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git config user.name 'vendoo-updater-build'
|
||||
git config user.email 'vendoo-updater-build@users.noreply.github.com'
|
||||
git add --all
|
||||
git commit -m 'ci: harden updater 3.4 Windows diagnostics and package build'
|
||||
git push origin HEAD:feature/updater-3.4-lifecycle
|
||||
Reference in New Issue
Block a user