#!/usr/bin/env bash
#
# Release policy guard for the image build/release pipeline.
#
# Greps the Gitea workflow files and the production compose template for a
# fixed set of literal lines the release process relies on (image names,
# build args, env wiring) and for a few lines that must be absent. Checks
# run in a fixed order; the first mismatch aborts with exit status 1, and on
# success a single confirmation line is printed to stdout.
#
# Usage: run with no arguments; all paths are resolved from ROOT_DIR.
set -euo pipefail

# Repository root: this script is expected to live one directory below it.
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

#######################################
# Abort unless a file contains a literal string.
# Arguments: $1 - file to search; $2 - fixed string that must be present
# Outputs:   "ERROR: missing pattern in <file>: <string>" on stderr
# Returns:   0 if found; exits 1 otherwise
#######################################
assert_contains() {
  local target=$1 needle=$2
  # -F treats the needle as a fixed string (needles contain '$', '{', '|');
  # -- keeps a needle beginning with '-' from being parsed as an option.
  grep -Fq -- "$needle" "$target" && return 0
  printf '%s\n' "ERROR: missing pattern in $target: $needle" >&2
  exit 1
}

#######################################
# Abort if a file still contains a literal string that must be gone.
# Arguments: $1 - file to search; $2 - fixed string that must be absent
# Outputs:   "ERROR: forbidden pattern remains in <file>: <string>" on stderr
# Returns:   0 if absent; exits 1 otherwise
#######################################
assert_not_contains() {
  local target=$1 needle=$2
  grep -Fq -- "$needle" "$target" || return 0
  printf '%s\n' "ERROR: forbidden pattern remains in $target: $needle" >&2
  exit 1
}

#######################################
# Apply assert_contains to one file for every remaining argument, in order.
# Arguments: $1 - file to search; $2.. - fixed strings that must be present
# Returns:   0 if all are found; exits 1 at the first one that is missing
#######################################
assert_contains_all() {
  local target=$1
  shift
  local needle
  for needle in "$@"; do
    assert_contains "$target" "$needle"
  done
}

# Files under test.
build_rc="$ROOT_DIR/.gitea/workflows/build_RC.yml"
staging_release="$ROOT_DIR/.gitea/workflows/staging_release.yml"
production_release="$ROOT_DIR/.gitea/workflows/production_release.yml"
production_compose="$ROOT_DIR/docker/docker-compose.template.yaml"

#######################################
# Run every policy check in order; the first failure exits the script.
# Globals:   ROOT_DIR, build_rc, staging_release, production_release,
#            production_compose (all read)
# Outputs:   confirmation line on stdout when every check passes
# Returns:   0 on success; exits 1 on the first failed check
#######################################
main() {
  local app file

  # Every file under test must exist before any content check runs.
  for file in "$build_rc" "$staging_release" "$production_release" "$production_compose"; do
    [[ -f "$file" ]] && continue
    printf '%s\n' "ERROR: expected file not found: $file" >&2
    exit 1
  done

  # --- build_RC.yml: one build/push step per frontend app ------------------
  for app in adminfront devfront orgfront; do
    assert_contains_all "$build_rc" \
      "Build and push $app RC image" \
      "file: ./$app/Dockerfile" \
      'build-args: |' \
      'VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}'
  done
  assert_contains_all "$build_rc" \
    'Validate RC build configuration' \
    'Missing required RC build value' \
    'Check Gitea repo variables/secrets' \
    'VITE_ADMIN_PUBLIC_URL=${{ vars.ADMINFRONT_URL }}' \
    'VITE_DEVFRONT_PUBLIC_URL=${{ vars.DEVFRONT_URL }}' \
    'VITE_ORGFRONT_PUBLIC_URL=${{ vars.ORGFRONT_URL }}' \
    'ORGFRONT_URL=${{ vars.ORGFRONT_URL }}'

  # --- staging_release.yml -------------------------------------------------
  # The ClickHouse password must be wired from a Gitea *secret*; repository
  # variables are plain text and are not masked the way secrets are.
  assert_contains "$staging_release" 'CLICKHOUSE_PASSWORD=${{ secrets.CLICKHOUSE_PASSWORD }}'
  assert_not_contains "$staging_release" 'CLICKHOUSE_PASSWORD=${{ vars.CLICKHOUSE_PASSWORD }}'
  assert_contains_all "$staging_release" \
    'PROFILE_CACHE_TTL=${{ vars.PROFILE_CACHE_TTL }}' \
    'KRATOS_UI_NODE_VERSION=${{ vars.KRATOS_UI_NODE_VERSION }}' \
    'Missing required staging .env value' \
    'Check Gitea repo variables/secrets' \
    'scp scripts/render_ory_config.sh' \
    'scp compose.ory.yaml'
  # The old docker/ path for compose.ory.yaml must no longer be used.
  assert_not_contains "$staging_release" 'scp docker/compose.ory.yaml'
  assert_contains "$staging_release" 'bash scripts/render_ory_config.sh'
  # NOTE(review): this pins a world-writable (0777) generated Ory config
  # directory into the release workflow. Worth confirming whether the
  # containers really need write access for everyone or whether a narrower
  # mode/ownership would do; the check itself only mirrors the workflow.
  assert_contains "$staging_release" 'chmod -R 777 config/.generated/ory'

  # --- production_release.yml ----------------------------------------------
  assert_contains_all "$production_release" \
    'for image in backend userfront adminfront devfront orgfront; do' \
    'docker://${HARBOR_HOSTNAME}/baron_sso/${image}:${BASE_TAG}' \
    'docker://${HARBOR_HOSTNAME}/baron_sso/${image}:${RE_TAG}' \
    'ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront' \
    'DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront' \
    'ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront' \
    'USERFRONT_URL=${{ vars.PROD_FRONTEND_URL }}' \
    'BACKEND_URL=${{ vars.PROD_BACKEND_URL }}' \
    'USERFRONT_PORT=${{ vars.PROD_FRONTEND_PORT }}' \
    'PROD_BACKEND_PORT=${{ vars.PROD_BACKEND_PORT }}' \
    'BACKEND_PORT=3000' \
    'ADMINFRONT_URL=${{ vars.ADMINFRONT_URL }}' \
    'DEVFRONT_URL=${{ vars.DEVFRONT_URL }}' \
    'ORGFRONT_URL=${{ vars.ORGFRONT_URL }}' \
    'VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}' \
    'ADMINFRONT_CALLBACK_URLS=${{ vars.ADMINFRONT_CALLBACK_URLS }}' \
    'DEVFRONT_CALLBACK_URLS=${{ vars.DEVFRONT_CALLBACK_URLS }}' \
    'ORGFRONT_CALLBACK_URLS=${{ vars.ORGFRONT_CALLBACK_URLS }}' \
    'ADMINFRONT_PORT=${{ vars.ADMINFRONT_PORT }}' \
    'DEVFRONT_PORT=${{ vars.DEVFRONT_PORT }}' \
    'ORGFRONT_PORT=${{ vars.ORGFRONT_PORT }}' \
    "export ADMINFRONT_IMAGE_NAME='\${ADMINFRONT_IMAGE_NAME}'" \
    "export DEVFRONT_IMAGE_NAME='\${DEVFRONT_IMAGE_NAME}'" \
    "export ORGFRONT_IMAGE_NAME='\${ORGFRONT_IMAGE_NAME}'" \
    'Missing required production .env value'
  # PROD_USERFRONT_* must not appear; the USERFRONT_* lines above are
  # required to read PROD_FRONTEND_* instead.
  assert_not_contains "$production_release" 'PROD_USERFRONT_URL'
  assert_not_contains "$production_release" 'PROD_USERFRONT_PORT'

  # --- docker-compose.template.yaml ----------------------------------------
  for app in adminfront devfront orgfront; do
    assert_contains "$production_compose" "$app:"
  done
  assert_contains_all "$production_compose" \
    'image: ${ADMINFRONT_IMAGE_NAME}:${IMAGE_TAG}' \
    'image: ${DEVFRONT_IMAGE_NAME}:${IMAGE_TAG}' \
    'image: ${ORGFRONT_IMAGE_NAME}:${IMAGE_TAG}' \
    'API_PROXY_TARGET=http://baron_backend:${BACKEND_PORT:-3000}' \
    '${PROD_BACKEND_PORT:-3010}:3000' \
    '${USERFRONT_PORT:-80}:5000' \
    'BACKEND_PORT=3000' \
    'http://127.0.0.1:3000/health'

  printf '%s\n' 'production image release policy checks passed'
}

main "$@"