forked from baron/baron-sso
웍스 드라이브 구조 변경
This commit is contained in:
@@ -9,6 +9,7 @@ deploy_workflow="$repo_root/.gitea/workflows/production_image_deploy.yml"
|
||||
image_compose="$repo_root/deploy/templates/docker-compose.images.yaml"
|
||||
bundle_script="$repo_root/scripts/deploy/build_image_deploy_bundle.sh"
|
||||
remote_deploy_script="$repo_root/scripts/deploy/upload_and_run_image_deploy.sh"
|
||||
works_image_download_script="$repo_root/scripts/docker-image/download_works_drive.sh"
|
||||
|
||||
fail() {
|
||||
echo "$1" >&2
|
||||
@@ -22,6 +23,7 @@ fail() {
|
||||
[[ -f "$image_compose" ]] || fail "image-based production compose template must exist."
|
||||
[[ -f "$bundle_script" ]] || fail "shared image deployment bundle script must exist."
|
||||
[[ -f "$remote_deploy_script" ]] || fail "shared image remote deploy script must exist."
|
||||
[[ -f "$works_image_download_script" ]] || fail "shared WORKS Drive image download script must exist."
|
||||
|
||||
grep -Fq "name: Publish Baron SSO Images" "$publish_workflow" \
|
||||
|| fail "publish workflow must have the shared stage/production name."
|
||||
@@ -58,8 +60,10 @@ grep -Fq "WORKS_DRIVE_OAUTH_CLIENT_SECRET: \${{ secrets.WORKS_OAUTH_CLIENT_SECRE
|
||||
|| fail "publish workflow must use the Gitea-compatible WORKS OAuth client secret name."
|
||||
grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN: \${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}" "$publish_workflow" \
|
||||
|| fail "publish workflow must support WORKS Drive refresh-token auth."
|
||||
grep -Fq "WORKS_DRIVE_PARENT_FILE_ID" "$publish_workflow" \
|
||||
|| fail "publish workflow must target a WORKS Drive folder."
|
||||
grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$publish_workflow" \
|
||||
|| fail "publish workflow must use the Docker-image-specific WORKS Drive ID variable."
|
||||
grep -Fq 'WORKS_DRIVE_SHARED_DRIVE_ID="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}"' "$publish_workflow" \
|
||||
|| fail "publish workflow must map WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID into the shared upload script."
|
||||
grep -Fq "Resolve WORKS Drive access token" "$publish_workflow" \
|
||||
|| fail "publish workflow must resolve a short-lived WORKS Drive access token before uploads."
|
||||
grep -Fq "WORKS_DRIVE_ACCESS_TOKEN_INPUT" "$publish_workflow" \
|
||||
@@ -90,6 +94,8 @@ grep -Fq "scripts/deploy/build_image_deploy_bundle.sh" "$staging_deploy_workflow
|
||||
|| fail "staging deploy workflow must use the shared bundle script."
|
||||
grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$staging_deploy_workflow" \
|
||||
|| fail "staging deploy workflow must use the shared remote deploy script."
|
||||
grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$staging_deploy_workflow" \
|
||||
|| fail "staging deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
|
||||
|
||||
grep -Fq "name: Deploy Baron SSO Production Images" "$deploy_workflow" \
|
||||
|| fail "deploy workflow must have the expected name."
|
||||
@@ -109,14 +115,23 @@ grep -Fq "scripts/deploy/build_image_deploy_bundle.sh" "$deploy_workflow" \
|
||||
|| fail "production deploy workflow must use the shared bundle script."
|
||||
grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$deploy_workflow" \
|
||||
|| fail "production deploy workflow must use the shared remote deploy script."
|
||||
grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$deploy_workflow" \
|
||||
|| fail "production deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
|
||||
grep -Fq "Same image tag contract as staging" "$deploy_workflow" \
|
||||
|| fail "production deploy workflow must document that it uses the same image tag as staging."
|
||||
grep -Fq "TRAEFIK_PUBLIC_NETWORK=traefik-public" "$bundle_script" \
|
||||
|| fail "shared bundle script must write Traefik public network env."
|
||||
grep -Fq "docker compose --env-file .env -f docker-compose.yml pull" "$remote_deploy_script" \
|
||||
|| fail "shared remote deploy script must pull the requested image version before running."
|
||||
grep -Fq "scripts/docker-image/download_works_drive.sh" "$remote_deploy_script" \
|
||||
|| fail "shared remote deploy script must load requested image archives from WORKS Drive before running."
|
||||
grep -Fq "docker load" "$works_image_download_script" \
|
||||
|| fail "WORKS Drive image download script must load downloaded archives into Docker."
|
||||
grep -Fq 'baron-sso/${IMAGE_TAG}/${image}.${IMAGE_TAG}.tar.zst' "$works_image_download_script" \
|
||||
|| fail "WORKS Drive image download script must document the normalized archive path."
|
||||
grep -Fq "docker compose --env-file .env -f docker-compose.yml up -d" "$remote_deploy_script" \
|
||||
|| fail "shared remote deploy script must start the stack after pulling images."
|
||||
if grep -Eiq 'harbor|docker login|docker compose --env-file .env -f docker-compose.yml pull|HARBOR_' "$staging_deploy_workflow" "$deploy_workflow" "$remote_deploy_script"; then
|
||||
fail "image deploy workflows/scripts must not depend on Harbor registry login or compose pull."
|
||||
fi
|
||||
|
||||
if grep -Eq 'docker (build|commit)' "$staging_deploy_workflow" "$deploy_workflow"; then
|
||||
fail "staging/production deploy workflows must never build or commit images remotely."
|
||||
|
||||
Reference in New Issue
Block a user