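#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/versions.sh — the VERSIONS pin-file is present, source-able, and lists
# every CONTRACT_003 §3.2 image + every required tool (CONTRACT_001 §Validation:
# "preflight asserts VERSIONS present and well-formed").
#   FAIL if missing/unparseable or a required key is absent.
#   FAIL if an image carries an '@sha256:' digest that is not 64 lowercase hex
#        characters (it would otherwise be reported as pinned).
#   WARN (not fail) on any image still carrying the PIN_DIGEST placeholder,
#        and on any image with no '@sha256:' digest at all.
#
# Exit status: whatever pf_summary returns. The pf_* helpers come from
# lib/common.sh and are not defined in this file.
# -----------------------------------------------------------------------------
set -euo pipefail

# Resolve the preflight root from this script's own location. CDPATH is cleared
# for the cd so an inherited value can neither redirect the relative lookup nor
# add cd's own output to the substitution; the result decides which
# lib/common.sh gets sourced.
PF_DIR=$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)
# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"

echo "[versions] VERSIONS pin-file present and well-formed"

vf=$(pf_versions_file)
if [ ! -f "$vf" ]; then
  pf_fail "VERSIONS not found at $vf"
  # Nothing else can be checked without the file: report and stop here.
  pf_summary "versions"; exit $?
fi
pf_pass "VERSIONS present: $vf"

# Source-able? (run in a subshell so a bad file can't poison this process).
# NOTE(review): the subshell only keeps variables and shell options from leaking
# back; any command inside VERSIONS still runs with this script's privileges,
# and its output is discarded. Treat VERSIONS as code: keep it reviewed and
# writable only by trusted users.
if ( set -a; . "$vf"; set +a ) >/dev/null 2>&1; then
  pf_pass "VERSIONS is source-able"
else
  pf_fail "VERSIONS is NOT source-able (syntax error)"
fi

# A sha256 digest is exactly 64 lowercase hex characters. The character class
# is spelled out instead of using ranges so the match does not depend on the
# locale's collation order.
sha256_hex_re='^[0123456789abcdef]{64}$'

# Required image keys (CONTRACT_003 §3.2).
for k in IMAGE_CADDY IMAGE_FORGEJO IMAGE_POSTGRES IMAGE_VAULT IMAGE_RUSTFS IMAGE_ACT_RUNNER IMAGE_REGISTRY; do
  # '|| true' turns a failed lookup into an empty value instead of tripping set -e.
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [ -z "$v" ]; then
    pf_fail "missing required image key: $k"
  else
    case "$v" in
      *@sha256:PIN_DIGEST)
        pf_warn "$k not yet digest-pinned ($v) — run the pin-digests procedure"
        ;;
      *@sha256:*)
        # Check the digest itself: an empty, truncated or mistyped value after
        # '@sha256:' must not be reported as a pin.
        digest=${v##*@sha256:}
        if [[ "$digest" =~ $sha256_hex_re ]]; then
          pf_pass "$k pinned by digest"
        else
          pf_fail "$k has a malformed sha256 digest ($v) — expected 64 lowercase hex characters"
        fi
        ;;
      *)
        pf_warn "$k has no '@sha256:' digest ($v) — floating tag (D5 wants a digest)"
        ;;
    esac
  fi
done

# Required tool-minimum keys. Only presence is checked here; the value is
# echoed in the PASS line and is not compared against any installed version.
for k in TOOL_PULUMI_MIN TOOL_BUN_MIN TOOL_NODE_MIN TOOL_DOCKER_MIN TOOL_GIT_MIN \
         TOOL_AGE_MIN TOOL_ZSTD_MIN TOOL_JQ_MIN TOOL_VAULT_MIN TOOL_PSQL_MIN \
         TOOL_PG_DUMP_MIN TOOL_OPENSSH_MIN TOOL_MC_MIN; do
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [ -z "$v" ]; then
    pf_fail "missing required tool-minimum key: $k"
  else
    pf_pass "$k = $v"
  fi
done

# Last command: its return value becomes the script's exit status.
pf_summary "versions"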