Files
vendoo/.github/workflows/ci.yml
T

310 lines
11 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
name: Vendoo CI
on:
push:
branches: [main, develop, 'feature/**', 'release/**', 'hotfix/**']
pull_request:
branches: [main, develop]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: vendoo-ci-${{ github.ref }}
cancel-in-progress: true
jobs:
quality:
name: Syntax, Sicherheit und Release-Gates
runs-on: ubuntu-latest
timeout-minutes: 25
steps:
- name: Repository auschecken
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Node.js 22 aktivieren
uses: actions/setup-node@v4
with:
node-version: '22.x'
cache: npm
- name: Abhängigkeiten reproduzierbar installieren
run: npm ci
- name: Git-Sicherheitsgate
run: npm run verify:git
- name: Git-Sicherheitsgate Regressionstest
run: npm run verify:git-regression
- name: Git-Staging-Filter Regressionstest
run: npm run verify:git-staging
- name: Release-Manifest und Paketvertrag prüfen
run: npm run verify:release-manifest
- name: Git-Ignore-Grenzen für Quell- und Runtimeordner prüfen
run: npm run verify:ignore-boundaries
- name: Syntaxprüfung
run: npm run check
- name: PowerShell-Regressionen statisch prüfen
run: npm run verify:powershell-static
- name: Updater-3.4-Lifecycle und Startkette prüfen
run: npm run verify:updater-start-chain && npm run verify:updater-lifecycle
- name: Produktiven Source-Root und Archivgrenzen prüfen
run: npm run verify:source-boundaries
- name: ESM-Exportverträge prüfen
run: npm run verify:esm-exports
- name: FLUX-Loop-Hotfix prüfen
run: npm run verify:flux-loop
- name: Vollständigen Modul-Capability-Graph prüfen
run: npm run verify:capabilities
- name: Coolify-Deployment und Web-Updates prüfen
run: npm run verify:coolify
- name: Initial deaktivierte Module prüfen
run: npm run verify:initial-modules
- name: Plattformarchitektur und Design Tokens prüfen
run: npm run verify:architecture
- name: Theme Manager, Accessibility und Komponenten-Tokens prüfen
run: npm run verify:themes
- name: Security, Secrets und Observability prüfen
run: npm run verify:security
- name: Auth, Benutzer, Sitzungen und Einstellungen prüfen
run: npm run verify:identity
- name: Artikel, Lager und Medien prüfen
run: npm run verify:catalog
- name: Modulmanager, Pakete und Aktivierungsgrenzen prüfen
run: npm run verify:modules
- name: Deployment-Gate
run: npm run verify:deployment
- name: Persistenten Konfigurationsspeicher prüfen
run: npm run verify:config
- name: Geführte Shell-Installer simulieren
run: npm run verify:installer-shell
- name: Datenbankmigrationen prüfen
run: npm run verify:db
- name: Docker-Compose-Dateien validieren
run: |
cp .env.example .env
python - <<'PY'
from pathlib import Path
p=Path('.env')
s=p.read_text()
s=s.replace('VENDOO_SETUP_TOKEN=', 'VENDOO_SETUP_TOKEN=ci-only-not-a-production-secret-1234567890')
s=s.replace('VENDOO_DOMAIN=', 'VENDOO_DOMAIN=vendoo.example.invalid')
p.write_text(s)
PY
docker compose -f compose.yaml config -q
docker compose -f compose.yaml -f compose.bind-mounts.example.yaml config -q
docker compose -f compose.vps.yaml config -q
rm -f .env
- name: Docker-Image testweise bauen
run: docker build --pull --tag vendoo:ci .
windows-release-contract:
name: Windows vollständiger Releasevertrag
runs-on: windows-latest
timeout-minutes: 35
steps:
- name: Repository auschecken
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Node.js 22 aktivieren
uses: actions/setup-node@v4
with:
node-version: '22.x'
cache: npm
- name: Abhängigkeiten reproduzierbar installieren
run: npm ci
- name: Alle PowerShell-Dateien mit Windows PowerShell 5.1 parsen
shell: powershell
run: .\tools\verify-powershell-parser.ps1 -ReportPath "$env:RUNNER_TEMP\powershell-parser-diagnostics.txt"
- name: Parserdiagnose bei Fehler sichern
if: failure()
uses: actions/upload-artifact@v4
with:
name: powershell-parser-diagnostics-${{ github.event.pull_request.head.sha || github.sha }}
path: ${{ runner.temp }}/powershell-parser-diagnostics.txt
if-no-files-found: error
retention-days: 14
- name: Vollständigen Vendoo-Releasevertrag unter Windows ausführen
shell: pwsh
run: npm run verify:all
package-after-acceptance:
name: Updater-3.4-Paket nach Abnahme
needs: [quality, windows-release-contract]
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Exakten geprüften Head auschecken
uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 0
- name: Node.js 22 aktivieren
uses: actions/setup-node@v4
with:
node-version: '22.x'
cache: npm
- name: Abhängigkeiten reproduzierbar installieren
run: npm ci
- name: main für den Provenienzvergleich aktualisieren
run: git fetch origin main:refs/remotes/origin/main
- name: Reproduzierbares Root-Manifest bestätigen
shell: bash
run: |
node tools/generate-release-manifest.mjs .
git diff --exit-code -- release-manifest.json
- name: Paket mit unveränderlicher Provenienz erzeugen
env:
VENDOO_SOURCE_COMMIT: ${{ github.event.pull_request.head.sha || github.sha }}
run: node tools/build-release.mjs
- name: Paketmanifest und SHA-256 prüfen
shell: bash
run: |
set -euo pipefail
release_name="$(tr -d '\r\n' < release-output/RELEASE_NAME.txt)"
package_dir="release-output/${release_name}"
node --input-type=module - "$package_dir" <<'NODE'
import { readAndValidateManifest } from './tools/release-manifest-lib.mjs';
const packageDir = process.argv[2];
const manifest = readAndValidateManifest(packageDir);
if (manifest.schema !== 'vendoo-release-package-v2') throw new Error(`Unerwartetes Paketschema: ${manifest.schema}`);
if (manifest.updaterVersion !== '3.4.0') throw new Error(`Unerwartete Updater-Version: ${manifest.updaterVersion}`);
if (manifest.targetVersion !== '1.43.0') throw new Error(`Unerwartete Zielversion: ${manifest.targetVersion}`);
console.log(`Paket validiert: ${manifest.targetVersion}, Updater ${manifest.updaterVersion}, Payload ${manifest.payloadHash}`);
NODE
archive="release-output/${release_name}.zip"
python tools/build-deterministic-zip.py "$package_dir" "$archive"
first_hash="$(sha256sum "$archive" | awk '{print $1}')"
python tools/build-deterministic-zip.py "$package_dir" "$archive"
second_hash="$(sha256sum "$archive" | awk '{print $1}')"
if [[ "$first_hash" != "$second_hash" ]]; then
echo "Der ZIP-Build ist nicht byte-reproduzierbar." >&2
exit 1
fi
python -m zipfile -t "$archive"
(
cd release-output
sha256sum "${release_name}.zip" > "${release_name}.zip.sha256"
sha256sum --check "${release_name}.zip.sha256"
)
- name: Abgenommenes Paket als CI-Artefakt bereitstellen
uses: actions/upload-artifact@v4
with:
name: vendoo-1.43.0-updater-3.4-${{ github.event.pull_request.head.sha || github.sha }}
path: |
release-output/*.zip
release-output/*.zip.sha256
if-no-files-found: error
retention-days: 14
# BEGIN TEMP WORKER34 PARSER REPAIR
repair-worker34-parser:
name: Worker34 PowerShell-5.1-Kompatibilität reparieren
if: github.ref == 'refs/heads/feature/updater-3.4-lifecycle' || github.event.pull_request.head.ref == 'feature/updater-3.4-lifecycle'
permissions:
contents: write
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Branch vollständig auschecken
uses: actions/checkout@v6
with:
ref: feature/updater-3.4-lifecycle
fetch-depth: 0
- name: Worker-Syntax systematisch korrigieren
shell: python
run: |
from pathlib import Path
import re
worker = Path('scripts/updater/Vendoo.Updater.Worker34.ps1')
text = worker.read_text(encoding='utf-8-sig')
text, foreach_count = re.subn(
r'foreach\(\$([A-Za-z_][A-Za-z0-9_]*)\s+in(?=[@$])',
r'foreach($\1 in ',
text,
)
text, in_operator_count = re.subn(
r'(?<=\S)-in(?=[@$])',
' -in ',
text,
)
if foreach_count < 1:
raise SystemExit('Keine inkompatiblen foreach-Konstruktionen gefunden.')
if re.search(r'foreach\(\$[A-Za-z_][A-Za-z0-9_]*\s+in(?=[@$])', text):
raise SystemExit('Mindestens eine inkompatible foreach-Konstruktion ist verblieben.')
if re.search(r'(?<=\S)-in(?=[@$])', text):
raise SystemExit('Mindestens ein inkompatibler -in-Operator ist verblieben.')
worker.write_text('\ufeff' + text, encoding='utf-8', newline='\n')
print(f'Korrigiert: {foreach_count} foreach-Konstruktionen, {in_operator_count} -in-Operatoren.')
- name: Temporären Reparaturjob entfernen und Manifest neu erzeugen
shell: python
run: |
from pathlib import Path
ci = Path('.github/workflows/ci.yml')
text = ci.read_text(encoding='utf-8')
marker = '\n # BEGIN TEMP WORKER34 PARSER REPAIR\n'
if text.count(marker) != 1:
raise SystemExit(f'Temporärer Reparaturmarker nicht eindeutig: {text.count(marker)}')
ci.write_text(text.split(marker, 1)[0].rstrip() + '\n', encoding='utf-8', newline='\n')
- name: Release-Manifest aus dem finalen Baum erzeugen
run: node tools/generate-release-manifest.mjs .
- name: Reparatur committen
shell: bash
run: |
set -euo pipefail
git diff --check
git config user.name 'vendoo-updater-build'
git config user.email 'vendoo-updater-build@users.noreply.github.com'
git add --all
git commit -m 'fix: make Worker34 compatible with Windows PowerShell 5.1'
git push origin HEAD:feature/updater-3.4-lifecycle