#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/versions.sh — verify that the VERSIONS pin-file exists, can be sourced,
# and lists every CONTRACT_003 §3.2 image plus every required tool
# (CONTRACT_001 §Validation: "preflight asserts VERSIONS present and
# well-formed").
#   FAIL: the file is missing/unparseable, or a required key is absent.
#   WARN (not fail): an image still carries the PIN_DIGEST placeholder.
# -----------------------------------------------------------------------------
set -euo pipefail

# Absolute path of the directory one level above this script; the shared
# helper library is loaded relative to it.
PF_DIR="$(cd "$(dirname "$0")/.." && pwd)"
# shellcheck source=../lib/common.sh
. "${PF_DIR}/lib/common.sh"
# Banner for this check's section of the preflight output.
printf '%s\n' "[versions] VERSIONS pin-file present and well-formed"

# Path of the pin-file, as reported by the helper library.
vf="$(pf_versions_file)"
if [[ -f "$vf" ]]; then
  pf_pass "VERSIONS present: $vf"
else
  # Nothing further can be checked without the file: record the failure,
  # emit the summary and exit with the summary's status.
  pf_fail "VERSIONS not found at $vf"
  pf_summary "versions"
  exit $?
fi
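# Source-able? The file is loaded in a subshell so that nothing it assigns or
# exports leaks into this process.
#
# NOTE: the subshell isolates shell state only. Sourcing still *executes* the
# file, so any command placed in VERSIONS runs with this script's privileges.
# Treat VERSIONS as trusted code and review changes to it accordingly.
#
# `.` is deliberately the last command in the subshell. errexit is ignored
# inside an `if` condition, and in bash's default (non-POSIX) mode a failed
# `.` does not terminate the shell, so a trailing `set +a` would reset the
# status to 0 and a file that fails to parse would still be reported as
# source-able. The subshell ends right after, so `set -a` needs no undoing.
# The result is now the status of `.`, i.e. of the last command VERSIONS runs.
if ( set -a; . "$vf" ) >/dev/null 2>&1; then
  pf_pass "VERSIONS is source-able"
else
  pf_fail "VERSIONS is NOT source-able (syntax error)"
fi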
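# Required image keys (CONTRACT_003 §3.2).
# Each key must be present. Its value is then classified:
#   - PIN_DIGEST placeholder           -> WARN (not pinned yet)
#   - '@sha256:' + 64 lowercase hex    -> PASS (pinned by digest)
#   - '@sha256:' + anything else       -> WARN (malformed digest)
#   - no '@sha256:' at all             -> WARN (floating tag)
# A value that merely contains '@sha256:' is not treated as pinned: an empty or
# truncated digest does not identify an image, so reporting it as "pinned"
# would be a false pass on the pinning check.
for k in IMAGE_CADDY IMAGE_FORGEJO IMAGE_POSTGRES IMAGE_VAULT IMAGE_RUSTFS IMAGE_ACT_RUNNER IMAGE_REGISTRY; do
  # Lookup errors are suppressed so a missing key yields an empty string
  # instead of aborting the script under `set -e`.
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [ -z "$v" ]; then
    pf_fail "missing required image key: $k"
    continue
  fi
  case "$v" in
    *@sha256:PIN_DIGEST)
      pf_warn "$k not yet digest-pinned ($v) — run the pin-digests procedure"
      ;;
    *@sha256:*)
      # Hex digits are listed explicitly so the match does not depend on the
      # locale's collation rules for ranges such as a-f.
      if [[ "${v##*@sha256:}" =~ ^[0123456789abcdef]{64}$ ]]; then
        pf_pass "$k pinned by digest"
      else
        pf_warn "$k has a malformed '@sha256:' digest ($v) — expected 64 lowercase hex characters"
      fi
      ;;
    *)
      pf_warn "$k has no '@sha256:' digest ($v) — floating tag (D5 wants a digest)"
      ;;
  esac
done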
# Required tool-minimum keys: each one must resolve to a non-empty value.
required_tool_keys=(
  TOOL_PULUMI_MIN TOOL_BUN_MIN TOOL_NODE_MIN TOOL_DOCKER_MIN TOOL_GIT_MIN
  TOOL_AGE_MIN TOOL_ZSTD_MIN TOOL_JQ_MIN TOOL_VAULT_MIN TOOL_PSQL_MIN
  TOOL_PG_DUMP_MIN TOOL_OPENSSH_MIN TOOL_MC_MIN
)
for k in "${required_tool_keys[@]}"; do
  # Lookup errors are suppressed so a missing key yields an empty string
  # instead of aborting the script under `set -e`.
  v="$(pf_versions_get "$k" 2>/dev/null || true)"
  if [[ -n "$v" ]]; then
    pf_pass "$k = $v"
  else
    pf_fail "missing required tool-minimum key: $k"
  fi
done

# Last command of the script: its exit status becomes the script's status.
pf_summary "versions"