Files
vendoo/tools/build-release.mjs
T
Masterluke77andGitHub 637275effc Updater 3.4 – Lifecycle Hardening (#28)
Production-ready updater lifecycle hardening with final-head checks, Windows PowerShell 5.1 compatibility, reproducible package generation, provenance validation, payload rollback protection and documented acceptance.
2026-07-10 19:54:36 +02:00

76 lines
3.5 KiB
JavaScript

import {
copyFileSync,
mkdirSync,
readFileSync,
readdirSync,
rmSync,
statSync,
writeFileSync,
} from 'node:fs';
import { createHash } from 'node:crypto';
import { spawnSync } from 'node:child_process';
import { dirname, join, relative, sep } from 'node:path';
import { fileURLToPath } from 'node:url';
import { generateReleaseManifest } from './generate-release-manifest.mjs';
import { MANIFEST_FILE, readAndValidateManifest } from './release-manifest-lib.mjs';
import { createPackageManifest } from './updater-lifecycle-3.4.mjs';
const root = dirname(dirname(fileURLToPath(import.meta.url)));
const pkg = JSON.parse(readFileSync(join(root, 'package.json'), 'utf8'));
const outputRoot = join(root, 'release-output');
const normalize = value => value.split(sep).join('/');
function git(args, { allowFailure = false } = {}) {
const result = spawnSync('git', ['-C', root, ...args], { encoding: 'utf8' });
if (!allowFailure && result.status !== 0) {
throw new Error(`git ${args.join(' ')} fehlgeschlagen: ${(result.stderr || result.stdout || '').trim()}`);
}
return result.status === 0 ? String(result.stdout || '').trim() : '';
}
// Das committed Manifest bleibt der reproduzierbare Quellvertrag. Das ausgelieferte
// Paket erhält zusätzlich eine unveränderliche Git-Herkunft und einen Payload-Hash.
generateReleaseManifest(root);
const manifest = readAndValidateManifest(root);
const sourceCommit = process.env.VENDOO_SOURCE_COMMIT || git(['rev-parse', 'HEAD']);
const configuredBase = process.env.VENDOO_BASE_COMMIT || '';
const discoveredBase = configuredBase || git(['merge-base', sourceCommit, 'origin/main'], { allowFailure: true });
const baseCommit = discoveredBase || sourceCommit;
const createdAt = process.env.VENDOO_SOURCE_CREATED_AT || git(['show', '-s', '--format=%cI', sourceCommit]);
const packageManifest = createPackageManifest(manifest, { sourceCommit, baseCommit, createdAt });
const packageName = `Vendoo_${pkg.version}_Updater_${manifest.updaterVersion}`;
const stage = join(outputRoot, packageName);
rmSync(outputRoot, { recursive: true, force: true });
mkdirSync(stage, { recursive: true });
for (const entry of manifest.files) {
const source = join(root, entry.path);
const target = join(stage, entry.path);
mkdirSync(dirname(target), { recursive: true });
copyFileSync(source, target);
if (statSync(target).size !== entry.size) throw new Error(`Release-Kopie hat falsche Größe: ${entry.path}`);
}
writeFileSync(join(stage, MANIFEST_FILE), `${JSON.stringify(packageManifest, null, 2)}\n`, 'utf8');
readAndValidateManifest(stage);
const checksums = [];
function hashTree(dir) {
for (const name of readdirSync(dir).sort((a, b) => a.localeCompare(b, 'en'))) {
const abs = join(dir, name);
const stat = statSync(abs);
if (stat.isDirectory()) hashTree(abs);
else {
const rel = normalize(relative(stage, abs));
if (rel === 'FILE_CHECKSUMS_SHA256.txt') continue;
const digest = createHash('sha256').update(readFileSync(abs)).digest('hex');
checksums.push(`${digest} ${rel}`);
}
}
}
hashTree(stage);
writeFileSync(join(stage, 'FILE_CHECKSUMS_SHA256.txt'), `${checksums.join('\n')}\n`, 'utf8');
writeFileSync(join(outputRoot, 'RELEASE_NAME.txt'), `${packageName}\n`, 'utf8');
console.log(`Manifestbasiertes Release-Staging erstellt: ${stage}`);
console.log(`${manifest.files.length} Payload-Dateien und ${checksums.length} Paketdateien mit SHA-256 erfasst.`);
console.log(`Paket-Provenienz: source=${sourceCommit}, base=${baseCommit}, payload=${packageManifest.payloadHash}`);