Production-ready updater lifecycle hardening with final-head checks, Windows PowerShell 5.1 compatibility, reproducible package generation, provenance validation, payload rollback protection and documented acceptance.
239 lines
8.0 KiB
YAML
239 lines
8.0 KiB
YAML
name: Vendoo CI
|
||
|
||
on:
|
||
push:
|
||
branches: [main, develop, 'feature/**', 'release/**', 'hotfix/**']
|
||
pull_request:
|
||
branches: [main, develop]
|
||
workflow_dispatch:
|
||
|
||
permissions:
|
||
contents: read
|
||
|
||
concurrency:
|
||
group: vendoo-ci-${{ github.ref }}
|
||
cancel-in-progress: true
|
||
|
||
jobs:
|
||
quality:
|
||
name: Syntax, Sicherheit und Release-Gates
|
||
runs-on: ubuntu-latest
|
||
timeout-minutes: 25
|
||
steps:
|
||
- name: Repository auschecken
|
||
uses: actions/checkout@v6
|
||
with:
|
||
fetch-depth: 0
|
||
|
||
- name: Node.js 22 aktivieren
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: '22.x'
|
||
cache: npm
|
||
|
||
- name: Abhängigkeiten reproduzierbar installieren
|
||
run: npm ci
|
||
|
||
- name: Git-Sicherheitsgate
|
||
run: npm run verify:git
|
||
|
||
- name: Git-Sicherheitsgate Regressionstest
|
||
run: npm run verify:git-regression
|
||
|
||
- name: Git-Staging-Filter Regressionstest
|
||
run: npm run verify:git-staging
|
||
|
||
- name: Release-Manifest und Paketvertrag prüfen
|
||
run: npm run verify:release-manifest
|
||
|
||
- name: Git-Ignore-Grenzen für Quell- und Runtimeordner prüfen
|
||
run: npm run verify:ignore-boundaries
|
||
|
||
- name: Syntaxprüfung
|
||
run: npm run check
|
||
|
||
- name: PowerShell-Regressionen statisch prüfen
|
||
run: npm run verify:powershell-static
|
||
|
||
- name: Updater-3.4-Lifecycle und Startkette prüfen
|
||
run: npm run verify:updater-start-chain && npm run verify:updater-lifecycle
|
||
|
||
- name: Produktiven Source-Root und Archivgrenzen prüfen
|
||
run: npm run verify:source-boundaries
|
||
|
||
- name: ESM-Exportverträge prüfen
|
||
run: npm run verify:esm-exports
|
||
|
||
- name: FLUX-Loop-Hotfix prüfen
|
||
run: npm run verify:flux-loop
|
||
|
||
- name: Vollständigen Modul-Capability-Graph prüfen
|
||
run: npm run verify:capabilities
|
||
|
||
- name: Coolify-Deployment und Web-Updates prüfen
|
||
run: npm run verify:coolify
|
||
|
||
- name: Initial deaktivierte Module prüfen
|
||
run: npm run verify:initial-modules
|
||
|
||
- name: Plattformarchitektur und Design Tokens prüfen
|
||
run: npm run verify:architecture
|
||
|
||
- name: Theme Manager, Accessibility und Komponenten-Tokens prüfen
|
||
run: npm run verify:themes
|
||
|
||
- name: Security, Secrets und Observability prüfen
|
||
run: npm run verify:security
|
||
|
||
- name: Auth, Benutzer, Sitzungen und Einstellungen prüfen
|
||
run: npm run verify:identity
|
||
|
||
- name: Artikel, Lager und Medien prüfen
|
||
run: npm run verify:catalog
|
||
|
||
- name: Modulmanager, Pakete und Aktivierungsgrenzen prüfen
|
||
run: npm run verify:modules
|
||
|
||
- name: Deployment-Gate
|
||
run: npm run verify:deployment
|
||
|
||
- name: Persistenten Konfigurationsspeicher prüfen
|
||
run: npm run verify:config
|
||
|
||
- name: Geführte Shell-Installer simulieren
|
||
run: npm run verify:installer-shell
|
||
|
||
- name: Datenbankmigrationen prüfen
|
||
run: npm run verify:db
|
||
|
||
- name: Docker-Compose-Dateien validieren
|
||
run: |
|
||
cp .env.example .env
|
||
python - <<'PY'
|
||
from pathlib import Path
|
||
p=Path('.env')
|
||
s=p.read_text()
|
||
s=s.replace('VENDOO_SETUP_TOKEN=', 'VENDOO_SETUP_TOKEN=ci-only-not-a-production-secret-1234567890')
|
||
s=s.replace('VENDOO_DOMAIN=', 'VENDOO_DOMAIN=vendoo.example.invalid')
|
||
p.write_text(s)
|
||
PY
|
||
docker compose -f compose.yaml config -q
|
||
docker compose -f compose.yaml -f compose.bind-mounts.example.yaml config -q
|
||
docker compose -f compose.vps.yaml config -q
|
||
rm -f .env
|
||
|
||
- name: Docker-Image testweise bauen
|
||
run: docker build --pull --tag vendoo:ci .
|
||
|
||
windows-release-contract:
|
||
name: Windows – vollständiger Releasevertrag
|
||
runs-on: windows-latest
|
||
timeout-minutes: 35
|
||
steps:
|
||
- name: Repository auschecken
|
||
uses: actions/checkout@v6
|
||
with:
|
||
fetch-depth: 0
|
||
|
||
- name: Node.js 22 aktivieren
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: '22.x'
|
||
cache: npm
|
||
|
||
- name: Abhängigkeiten reproduzierbar installieren
|
||
run: npm ci
|
||
|
||
- name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
|
||
shell: powershell
|
||
run: .\tools\verify-powershell-parser.ps1 -ReportPath "$env:RUNNER_TEMP\powershell-parser-diagnostics.txt"
|
||
|
||
- name: Parserdiagnose bei Fehler sichern
|
||
if: failure()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: powershell-parser-diagnostics-${{ github.event.pull_request.head.sha || github.sha }}
|
||
path: ${{ runner.temp }}/powershell-parser-diagnostics.txt
|
||
if-no-files-found: error
|
||
retention-days: 14
|
||
|
||
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen
|
||
shell: pwsh
|
||
run: npm run verify:all
|
||
|
||
package-after-acceptance:
|
||
name: Updater-3.4-Paket nach Abnahme
|
||
needs: [quality, windows-release-contract]
|
||
runs-on: ubuntu-latest
|
||
timeout-minutes: 15
|
||
steps:
|
||
- name: Exakten geprüften Head auschecken
|
||
uses: actions/checkout@v6
|
||
with:
|
||
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
||
fetch-depth: 0
|
||
|
||
- name: Node.js 22 aktivieren
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: '22.x'
|
||
cache: npm
|
||
|
||
- name: Abhängigkeiten reproduzierbar installieren
|
||
run: npm ci
|
||
|
||
- name: main für den Provenienzvergleich aktualisieren
|
||
run: git fetch origin main:refs/remotes/origin/main
|
||
|
||
- name: Reproduzierbares Root-Manifest bestätigen
|
||
shell: bash
|
||
run: |
|
||
node tools/generate-release-manifest.mjs .
|
||
git diff --exit-code -- release-manifest.json
|
||
|
||
- name: Paket mit unveränderlicher Provenienz erzeugen
|
||
env:
|
||
VENDOO_SOURCE_COMMIT: ${{ github.event.pull_request.head.sha || github.sha }}
|
||
run: node tools/build-release.mjs
|
||
|
||
- name: Paketmanifest und SHA-256 prüfen
|
||
shell: bash
|
||
run: |
|
||
set -euo pipefail
|
||
release_name="$(tr -d '\r\n' < release-output/RELEASE_NAME.txt)"
|
||
package_dir="release-output/${release_name}"
|
||
node --input-type=module - "$package_dir" <<'NODE'
|
||
import { readAndValidateManifest } from './tools/release-manifest-lib.mjs';
|
||
const packageDir = process.argv[2];
|
||
const manifest = readAndValidateManifest(packageDir);
|
||
if (manifest.schema !== 'vendoo-release-package-v2') throw new Error(`Unerwartetes Paketschema: ${manifest.schema}`);
|
||
if (manifest.updaterVersion !== '3.4.0') throw new Error(`Unerwartete Updater-Version: ${manifest.updaterVersion}`);
|
||
if (manifest.targetVersion !== '1.43.0') throw new Error(`Unerwartete Zielversion: ${manifest.targetVersion}`);
|
||
console.log(`Paket validiert: ${manifest.targetVersion}, Updater ${manifest.updaterVersion}, Payload ${manifest.payloadHash}`);
|
||
NODE
|
||
archive="release-output/${release_name}.zip"
|
||
python tools/build-deterministic-zip.py "$package_dir" "$archive"
|
||
first_hash="$(sha256sum "$archive" | awk '{print $1}')"
|
||
python tools/build-deterministic-zip.py "$package_dir" "$archive"
|
||
second_hash="$(sha256sum "$archive" | awk '{print $1}')"
|
||
if [[ "$first_hash" != "$second_hash" ]]; then
|
||
echo "Der ZIP-Build ist nicht byte-reproduzierbar." >&2
|
||
exit 1
|
||
fi
|
||
python -m zipfile -t "$archive"
|
||
(
|
||
cd release-output
|
||
sha256sum "${release_name}.zip" > "${release_name}.zip.sha256"
|
||
sha256sum --check "${release_name}.zip.sha256"
|
||
)
|
||
|
||
- name: Abgenommenes Paket als CI-Artefakt bereitstellen
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: vendoo-1.43.0-updater-3.4-${{ github.event.pull_request.head.sha || github.sha }}
|
||
path: |
|
||
release-output/*.zip
|
||
release-output/*.zip.sha256
|
||
if-no-files-found: error
|
||
retention-days: 14
|