foundation/preflight/checks/versions.sh


#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/versions.sh — the VERSIONS pin-file is present, source-able, and lists
# every CONTRACT_003 §3.2 image + every required tool (CONTRACT_001 §Validation:
# "preflight asserts VERSIONS present and well-formed").
# FAIL if missing/unparseable or a required key is absent.
# WARN (not fail) on any image still carrying the PIN_DIGEST placeholder.
# -----------------------------------------------------------------------------
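set -euo pipefail

# Resolve the preflight root (the parent of this script's directory); the
# shared helpers are loaded from there, so the lookup must not be steerable.
# CDPATH is cleared for the cd: an inherited CDPATH is searched first for a
# relative "$0" directory and also makes cd print the resolved path, either of
# which would put the wrong value in PF_DIR. The "--" guards stop a path that
# begins with "-" from being parsed as an option.
PF_DIR=$(CDPATH='' cd -- "$(dirname -- "$0")/.." && pwd)

# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"

echo "[versions] VERSIONS pin-file present and well-formed"

# Locate the pin-file. None of the later checks can run without it, so record
# the failure and exit with pf_summary's status straight away.
vf=$(pf_versions_file)
if [ ! -f "$vf" ]; then
  pf_fail "VERSIONS not found at $vf"
  pf_summary "versions"; exit $?
fi
pf_pass "VERSIONS present: $vf"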
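# Source-able? The file is sourced in a subshell, so variables and shell
# options it sets do not reach this process. It is still executed, not just
# parsed: any command in VERSIONS runs with this script's privileges, so the
# file has to be as trusted as the preflight itself.
# `. "$vf"` is deliberately the LAST command in the subshell. errexit is ignored
# inside an `if` condition, so a trailing command such as `set +a` would
# replace the status of a failed source with 0 and this check could never fail.
# The subshell ends right after, so there is nothing to undo for `set -a`.
if ( set -a; . "$vf" ) >/dev/null 2>&1; then
  pf_pass "VERSIONS is source-able"
else
  # Reached for any non-zero status from sourcing, not only a parse error.
  pf_fail "VERSIONS is NOT source-able (syntax error)"
fi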
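# Required image keys (CONTRACT_003 §3.2).
# A reference is reported as pinned only when it ends in "@sha256:" followed by
# exactly 64 lowercase hex digits. An empty, truncated or otherwise malformed
# digest does not identify an image, so it is a FAIL (pin-file not well-formed)
# rather than a pass. The PIN_DIGEST placeholder and floating tags stay WARN.
for k in IMAGE_CADDY IMAGE_FORGEJO IMAGE_POSTGRES IMAGE_VAULT IMAGE_RUSTFS IMAGE_ACT_RUNNER IMAGE_REGISTRY; do
  # A failed or empty lookup is treated the same as an absent key.
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [ -z "$v" ]; then
    pf_fail "missing required image key: $k"
    continue
  fi
  case "$v" in
    *@sha256:PIN_DIGEST)
      pf_warn "$k not yet digest-pinned ($v) — run the pin-digests procedure"
      ;;
    *@sha256:*)
      if [[ "$v" =~ @sha256:[0-9a-f]{64}$ ]]; then
        pf_pass "$k pinned by digest"
      else
        pf_fail "$k has a malformed sha256 digest ($v) — expected 64 lowercase hex characters"
      fi
      ;;
    *)
      pf_warn "$k has no '@sha256:' digest ($v) — floating tag (D5 wants a digest)"
      ;;
  esac
done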
# Required tool-minimum keys: each must resolve to a non-empty value in
# VERSIONS. Only presence is checked here; the value is echoed, not compared
# against the installed tool.
for k in \
  TOOL_PULUMI_MIN \
  TOOL_BUN_MIN \
  TOOL_NODE_MIN \
  TOOL_DOCKER_MIN \
  TOOL_GIT_MIN \
  TOOL_AGE_MIN \
  TOOL_ZSTD_MIN \
  TOOL_JQ_MIN \
  TOOL_VAULT_MIN \
  TOOL_PSQL_MIN \
  TOOL_PG_DUMP_MIN \
  TOOL_OPENSSH_MIN \
  TOOL_MC_MIN
do
  # A failed or empty lookup is treated the same as an absent key.
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [[ -n "$v" ]]; then
    pf_pass "$k = $v"
  else
    pf_fail "missing required tool-minimum key: $k"
  fi
done

# Last command of the script, so its status becomes the script's exit status.
pf_summary "versions"