feat(preflight): host/toolchain validation + VERSIONS pin-file — T01
- VERSIONS: 7 container images (CONTRACT_003 §3.2) + 13 host tools, KEY=value, source-able+greppable; images carry :PIN_DIGEST placeholders with a documented pin-digests procedure (D5 determinism — no real deploy until pinned). - preflight.sh: fails closed (non-zero on any required check), bash-3.2 safe, composable checks/ (versions,tools,env,docker) + gated (ssh,dns) that WARN-skip until the stack is configured. - env check honors D2 (passphrase presence only, never printed). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
188e30e23e
commit
edc708b826
12 changed files with 763 additions and 0 deletions
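--- a/preflight/checks/versions.sh
+++ b/preflight/checks/versions.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# -----------------------------------------------------------------------------
+# checks/versions.sh — the VERSIONS pin-file is present, source-able, and lists
+# every CONTRACT_003 §3.2 image + every required tool (CONTRACT_001 §Validation:
+# "preflight asserts VERSIONS present and well-formed").
+# FAIL if missing/unparseable or a required key is absent.
+# WARN (not fail) on any image still carrying the PIN_DIGEST placeholder.
+# -----------------------------------------------------------------------------
+set -euo pipefail
+PF_DIR=$(cd "$(dirname "$0")/.." && pwd)
+# shellcheck source=../lib/common.sh
+. "$PF_DIR/lib/common.sh"
+
+echo "[versions] VERSIONS pin-file present and well-formed"
+
+vf=$(pf_versions_file)
+if [ ! -f "$vf" ]; then
+pf_fail "VERSIONS not found at $vf"
+pf_summary "versions"; exit $?
+fi
+pf_pass "VERSIONS present: $vf"
+
+# Source-able? (run in a subshell so a bad file can't poison this process).
+if ( set -a; . "$vf"; set +a ) >/dev/null 2>&1; then
+pf_pass "VERSIONS is source-able"
+else
+pf_fail "VERSIONS is NOT source-able (syntax error)"
+fi
+
+# Required image keys (CONTRACT_003 §3.2).
+for k in IMAGE_CADDY IMAGE_FORGEJO IMAGE_POSTGRES IMAGE_VAULT IMAGE_RUSTFS IMAGE_ACT_RUNNER IMAGE_REGISTRY; do
+v=$(pf_versions_get "$k" 2>/dev/null || true)
+if [ -z "$v" ]; then
+pf_fail "missing required image key: $k"
+else
+case "$v" in
+*@sha256:PIN_DIGEST) pf_warn "$k not yet digest-pinned ($v) — run the pin-digests procedure" ;;
+*@sha256:*) pf_pass "$k pinned by digest" ;;
+*) pf_warn "$k has no '@sha256:' digest ($v) — floating tag (D5 wants a digest)" ;;
+esac
+fi
+done
+
+# Required tool-minimum keys.
+for k in TOOL_PULUMI_MIN TOOL_BUN_MIN TOOL_NODE_MIN TOOL_DOCKER_MIN TOOL_GIT_MIN \
+TOOL_AGE_MIN TOOL_ZSTD_MIN TOOL_JQ_MIN TOOL_VAULT_MIN TOOL_PSQL_MIN \
+TOOL_PG_DUMP_MIN TOOL_OPENSSH_MIN TOOL_MC_MIN; do
+v=$(pf_versions_get "$k" 2>/dev/null || true)
+if [ -z "$v" ]; then
+pf_fail "missing required tool-minimum key: $k"
+else
+pf_pass "$k = $v"
+fi
+done
+
+pf_summary "versions"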
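Review bot: The `*@sha256:*)` arm of the image-key loop reports `pinned by digest` for any text after `@sha256:`, so a truncated or mistyped digest, or a second placeholder other than `PIN_DIGEST`, passes preflight although the commit message says D5 allows no real deploy until a real digest is pinned. That arm should verify the suffix is exactly 64 lowercase hex characters and FAIL otherwise, which stays bash-3.2 safe using only `${#d}` and `${d//…/}` as in the fence below. Separately, the source-ability check `if ( set -a; . "$vf"; set +a )` executes whatever the file contains rather than checking the documented KEY=value grammar, so a line such as `IMAGE_CADDY=$(some command)` counts as well-formed; a grammar check over non-comment lines, e.g. `grep -Ev '^[[:space:]]*(#|$)' "$vf" | grep -Evq '^[A-Z_][A-Z0-9_]*=[^[:space:]]*$' && pf_fail "VERSIONS has a non KEY=value line"`, would establish the CONTRACT_001 "well-formed" assertion without running the file. I cannot see `pf_versions_get` in this commit, so if it already parses rather than sources the file the second point may be moot.
```shell
# … unchanged: header, VERSIONS presence and source-ability checks, loop header …
case "$v" in
  *@sha256:PIN_DIGEST) pf_warn "$k not yet digest-pinned ($v) — run the pin-digests procedure" ;;
  *@sha256:*)
    d=${v##*@sha256:}
    # D5: a real pin is exactly 64 lowercase hex characters; anything else is a
    # typo or an undocumented placeholder and must not be reported as pinned.
    if [ "${#d}" -eq 64 ] && [ -z "${d//[0-9a-f]/}" ]; then
      pf_pass "$k pinned by digest"
    else
      pf_fail "$k has a malformed sha256 digest ($v)"
    fi ;;
  # … unchanged: floating-tag arm, esac, loop tail …
```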