foundation/preflight/checks/versions.sh
Andreas Niemann edc708b826 feat(preflight): host/toolchain validation + VERSIONS pin-file — T01
- VERSIONS: 7 container images (CONTRACT_003 §3.2) + 13 host tools, KEY=value,
  source-able+greppable; images carry :PIN_DIGEST placeholders with a documented
  pin-digests procedure (D5 determinism — no real deploy until pinned).
- preflight.sh: fails closed (non-zero on any required check), bash-3.2 safe,
  composable checks/ (versions,tools,env,docker) + gated (ssh,dns) that WARN-skip
  until the stack is configured.
- env check honors D2 (passphrase presence only, never printed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 18:00:26 +02:00


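#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/versions.sh — the VERSIONS pin-file is present, well-formed, source-able,
# and lists every CONTRACT_003 §3.2 image + every required tool (CONTRACT_001
# §Validation: "preflight asserts VERSIONS present and well-formed").
# FAIL if missing/unparseable, if any non-comment line is not a plain KEY=value
# assignment, if a required key is absent, or if an '@sha256:' digest is not
# 64 hex characters.
# WARN (not fail) on any image still carrying the PIN_DIGEST placeholder or a
# floating tag.
#
# Globals:   PF_DIR (written) — preflight root, used to locate lib/common.sh
# Requires:  pf_versions_file, pf_versions_get, pf_pass, pf_warn, pf_fail,
#            pf_summary from lib/common.sh
# Exit:      pf_summary's status; bash-3.2 safe (no mapfile, no assoc arrays).
# -----------------------------------------------------------------------------
set -euo pipefail
PF_DIR=$(cd "$(dirname "$0")/.." && pwd)
# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"

# Accepted VERSIONS line shapes; anything else fails the well-formedness check.
#   - blank, or a '#' comment
#   - KEY=value where value is one unquoted token or one "…"/'…' string, with
#     none of ` ; & | < > ( ) anywhere in it (so no command substitution, no
#     trailing command, no 'KEY=x cmd' form can hide in a pin-file), optionally
#     followed by a '# comment'. A CR is not accepted in the value, so CRLF
#     endings — which would source as "value\r" — are rejected as well.
readonly blank_or_comment_re='^[[:blank:]]*(#|$)'
readonly assignment_re='^[A-Za-z_][A-Za-z0-9_]*=([^[:space:]"'\''#`;&|<>()]*|"[^"`;&|<>()]*"|'\''[^'\''`;&|<>()]*'\'')([[:blank:]]+#.*)?[[:blank:]]*$'
# A real pin is '@sha256:' followed by exactly 64 lowercase hex characters.
readonly digest_re='@sha256:[0-9a-f]{64}$'

printf '%s\n' "[versions] VERSIONS pin-file present and well-formed"
vf=$(pf_versions_file)
if [[ ! -f "$vf" ]]; then
  pf_fail "VERSIONS not found at $vf"
  pf_summary "versions"; exit $?
fi
pf_pass "VERSIONS present: $vf"

# Well-formed? Lint every line BEFORE the file is sourced anywhere: sourcing
# executes it, and the subshell below only isolates variable side effects, not
# commands a tampered or mis-edited pin-file might carry.
malformed=$(grep -Env -e "$blank_or_comment_re" -e "$assignment_re" -- "$vf" || true)
if [[ -n "$malformed" ]]; then
  # One FAIL per offending "N:text" line so the report points at the line.
  while IFS= read -r line; do
    pf_fail "VERSIONS line is not a plain KEY=value assignment: $line"
  done <<<"$malformed"
# Source-able? (run in a subshell so a bad file can't poison this process).
elif ( set -a; . "$vf"; set +a ) >/dev/null 2>&1; then
  pf_pass "VERSIONS is source-able"
else
  pf_fail "VERSIONS is NOT source-able (syntax error)"
fi

# Required image keys (CONTRACT_003 §3.2).
image_keys=(IMAGE_CADDY IMAGE_FORGEJO IMAGE_POSTGRES IMAGE_VAULT IMAGE_RUSTFS
  IMAGE_ACT_RUNNER IMAGE_REGISTRY)
for k in "${image_keys[@]}"; do
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [[ -z "$v" ]]; then
    pf_fail "missing required image key: $k"
    continue
  fi
  case "$v" in
    *@sha256:PIN_DIGEST)
      pf_warn "$k not yet digest-pinned ($v) — run the pin-digests procedure" ;;
    *@sha256:*)
      # '@sha256:' alone is not a pin: a short or non-hex digest cannot be
      # verified by any registry, so it counts as unparseable (FAIL).
      if [[ $v =~ $digest_re ]]; then
        pf_pass "$k pinned by digest"
      else
        pf_fail "$k has a malformed digest ($v) — expected @sha256:<64 hex chars>"
      fi ;;
    *)
      pf_warn "$k has no '@sha256:' digest ($v) — floating tag (D5 wants a digest)" ;;
  esac
done

# Required tool-minimum keys (presence only; the tools check compares versions).
tool_keys=(TOOL_PULUMI_MIN TOOL_BUN_MIN TOOL_NODE_MIN TOOL_DOCKER_MIN TOOL_GIT_MIN
  TOOL_AGE_MIN TOOL_ZSTD_MIN TOOL_JQ_MIN TOOL_VAULT_MIN TOOL_PSQL_MIN
  TOOL_PG_DUMP_MIN TOOL_OPENSSH_MIN TOOL_MC_MIN)
for k in "${tool_keys[@]}"; do
  v=$(pf_versions_get "$k" 2>/dev/null || true)
  if [[ -z "$v" ]]; then
    pf_fail "missing required tool-minimum key: $k"
  else
    pf_pass "$k = $v"
  fi
done
pf_summary "versions"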