병합 후 flow업데이트
@@ -2,7 +2,8 @@
|
||||
set -euo pipefail
|
||||
|
||||
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
publish_workflow="$repo_root/.gitea/workflows/production_image_publish.yml"
|
||||
publish_workflow="$repo_root/.gitea/workflows/image_publish.yml"
|
||||
legacy_publish_workflow="$repo_root/.gitea/workflows/production_image_publish.yml"
|
||||
staging_deploy_workflow="$repo_root/.gitea/workflows/staging_image_deploy.yml"
|
||||
deploy_workflow="$repo_root/.gitea/workflows/production_image_deploy.yml"
|
||||
image_compose="$repo_root/deploy/templates/docker-compose.images.yaml"
|
||||
@@ -14,15 +15,16 @@ fail() {
|
||||
exit 1
|
||||
}
|
||||
|
||||
[[ -f "$publish_workflow" ]] || fail "production image publish workflow must exist."
|
||||
[[ -f "$publish_workflow" ]] || fail "shared image publish workflow must exist."
|
||||
[[ ! -f "$legacy_publish_workflow" ]] || fail "production-only image publish workflow must be renamed to image_publish.yml."
|
||||
[[ -f "$staging_deploy_workflow" ]] || fail "staging image deploy workflow must exist."
|
||||
[[ -f "$deploy_workflow" ]] || fail "production image deploy workflow must exist."
|
||||
[[ -f "$image_compose" ]] || fail "image-based production compose template must exist."
|
||||
[[ -f "$bundle_script" ]] || fail "shared image deployment bundle script must exist."
|
||||
[[ -f "$remote_deploy_script" ]] || fail "shared image remote deploy script must exist."
|
||||
|
||||
grep -Fq "name: Publish Baron SSO Production Images" "$publish_workflow" \
|
||||
|| fail "publish workflow must have the expected name."
|
||||
grep -Fq "name: Publish Baron SSO Images" "$publish_workflow" \
|
||||
|| fail "publish workflow must have the shared stage/production name."
|
||||
grep -Fq "workflow_dispatch:" "$publish_workflow" \
|
||||
|| fail "publish workflow must be manually dispatchable."
|
||||
if grep -Fq "source_ref:" "$publish_workflow"; then
|
||||
@@ -37,21 +39,40 @@ grep -Fq 'git rev-parse --short=4 HEAD' "$publish_workflow" \
|
||||
grep -Fq 'image_tag="${VERSION_PREFIX}.${short_sha}"' "$publish_workflow" \
|
||||
|| fail "publish workflow must append the 4-character commit hash as the last version segment."
|
||||
grep -Fq "steps.version.outputs.image_tag" "$publish_workflow" \
|
||||
|| fail "publish workflow must use the computed image tag for pushed images."
|
||||
grep -Fq "Upload pushed images to WORKS Drive archive" "$publish_workflow" \
|
||||
|| fail "publish workflow must archive the exact pushed images to WORKS Drive."
|
||||
grep -Fq "docker pull" "$publish_workflow" \
|
||||
|| fail "publish workflow must pull the pushed image before WORKS archive upload."
|
||||
|| fail "publish workflow must use the computed image tag for built image archives."
|
||||
grep -Fq "Upload built images to WORKS Drive archive" "$publish_workflow" \
|
||||
|| fail "publish workflow must archive locally built images to WORKS Drive."
|
||||
grep -Fq "scripts/docker-image/upload_works_drive.sh" "$publish_workflow" \
|
||||
|| fail "publish workflow must use the shared WORKS Drive image archive script."
|
||||
grep -Fq "docker/login-action@v3" "$publish_workflow" \
|
||||
|| fail "publish workflow must login to the shared registry."
|
||||
grep -Fq "docker/build-push-action@v5" "$publish_workflow" \
|
||||
|| fail "publish workflow must build and push images."
|
||||
|| fail "publish workflow must build images."
|
||||
grep -Fq "load: true" "$publish_workflow" \
|
||||
|| fail "publish workflow must load built images into the local Docker daemon for WORKS archive upload."
|
||||
for image in backend userfront adminfront devfront orgfront; do
|
||||
grep -Fq "/baron_sso/${image}:" "$publish_workflow" \
|
||||
|| fail "publish workflow must push ${image} image."
|
||||
grep -Fq "baron_sso/${image}:" "$publish_workflow" \
|
||||
|| fail "publish workflow must build ${image} image."
|
||||
done
|
||||
grep -Fq "WORKS_DRIVE_ACCESS_TOKEN_INPUT: \${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}" "$publish_workflow" \
|
||||
|| fail "publish workflow must support direct WORKS Drive access token auth."
|
||||
grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN: \${{ secrets.WORKS_DRIVE_OAUTH_REFRESH_TOKEN }}" "$publish_workflow" \
|
||||
|| fail "publish workflow must support WORKS Drive refresh-token auth."
|
||||
grep -Fq "WORKS_DRIVE_PARENT_FILE_ID" "$publish_workflow" \
|
||||
|| fail "publish workflow must target a WORKS Drive folder."
|
||||
grep -Fq "Resolve WORKS Drive access token" "$publish_workflow" \
|
||||
|| fail "publish workflow must resolve a short-lived WORKS Drive access token before uploads."
|
||||
grep -Fq "WORKS_DRIVE_ACCESS_TOKEN_INPUT" "$publish_workflow" \
|
||||
|| fail "publish workflow must avoid passing the long-lived access-token secret name into upload steps directly."
|
||||
grep -Fq "grant_type=refresh_token" "$publish_workflow" \
|
||||
|| fail "publish workflow must support issuing an access token from WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
||||
grep -Fq "WORKS_DRIVE_ACCESS_TOKEN=" "$publish_workflow" \
|
||||
|| fail "publish workflow must export the resolved access token through GITHUB_ENV."
|
||||
grep -Fq "::add-mask::" "$publish_workflow" \
|
||||
|| fail "publish workflow must mask resolved WORKS tokens in logs."
|
||||
grep -Fq "rotated_refresh_token_file" "$publish_workflow" \
|
||||
|| fail "publish workflow must capture rotated refresh tokens when WORKS returns one."
|
||||
if grep -Eiq 'harbor|docker/login-action|push:[[:space:]]*true|docker pull|docker push|HARBOR_' "$publish_workflow"; then
|
||||
fail "shared image publish workflow must not depend on Harbor registry login/push/pull."
|
||||
fi
|
||||
|
||||
grep -Fq "name: Deploy Baron SSO Staging Images" "$staging_deploy_workflow" \
|
||||
|| fail "staging deploy workflow must have the expected name."
|
||||
|
||||
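Review bot: The guard `grep -Fq "WORKS_DRIVE_ACCESS_TOKEN_INPUT" "$publish_workflow" || fail "publish workflow must avoid passing the long-lived access-token secret name into upload steps directly."` cannot enforce what its message claims, because it only asserts that the string is present, and the earlier `WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}` check already guarantees that, so a workflow that additionally wires `secrets.WORKS_DRIVE_ACCESS_TOKEN` straight into an upload step's env still passes. A negative check that fails on any reference outside the resolution input would match the message: `if awk '/secrets\.WORKS_DRIVE_ACCESS_TOKEN }}/ && !/WORKS_DRIVE_ACCESS_TOKEN_INPUT:/ { bad=1 } END { exit !bad }' "$publish_workflow"; then` / `fail "publish workflow must reference secrets.WORKS_DRIVE_ACCESS_TOKEN only through WORKS_DRIVE_ACCESS_TOKEN_INPUT."` / `fi` (a single awk avoids the `grep -q` early-exit/SIGPIPE interaction with `pipefail` that a two-grep pipeline would have). This is a rendered page without +/- markers, so I am reading the WORKS Drive checks as the added lines of the `@@ -37,21 +39,40 @@` hunk; if that block predates the commit the point still stands but is not new here. Separately, in the Harbor guard regex `harbor|...|HARBOR_` the trailing `HARBOR_` alternative is redundant with `harbor` under `-i` and can be dropped.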