fix: tighten branch follower gate runtime inputs

This commit is contained in:
Codex
2026-07-04 04:49:41 +00:00
parent 8d37a7a6a5
commit 5c035a85ee
4 changed files with 179 additions and 38 deletions
+21 -35
View File
@@ -3,6 +3,7 @@ import { execFileSync } from "node:child_process";
import { existsSync, readFileSync } from "node:fs";
import http from "node:http";
import https from "node:https";
import { parseRuntimeReuseConfig, summarizeRuntimeReuseConfig } from "./reuse-config-summary.mjs";
const gate = requiredEnv("GATE");
const follower = requiredEnv("FOLLOWER_ID");
@@ -19,6 +20,8 @@ const argoApplication = process.env.ARGO_APPLICATION || "";
const runtimeNamespace = process.env.RUNTIME_NAMESPACE || "";
const workloads = parseWorkloads(process.env.WORKLOADS_B64 || "");
const healthUrl = process.env.HEALTH_URL || "";
const slowTaskSeconds = requiredPositiveIntEnv("SLOW_TASK_SECONDS");
const healthTimeoutMs = requiredPositiveIntEnv("HEALTH_TIMEOUT_MS");
const errors = [];
const branchCommit = rev(`refs/heads/${sourceBranch}`);
@@ -49,6 +52,10 @@ console.log(JSON.stringify({
follower,
source,
evidence,
policy: {
slowTaskSeconds,
healthTimeoutMs,
},
errors: errors.slice(0, 6),
statusAuthority: "kubernetes-api-serviceaccount",
parsedDownstreamCliOutput: false,
@@ -110,47 +117,18 @@ function readReuseConfig(commit) {
if (!commit || !sourceStageRef) return { present: false, reason: "source-commit-missing" };
try {
const text = execFileSync("git", [`--git-dir=${repoPath}`, "show", `${sourceStageRef}:gitops/reuse.ymal`], { encoding: "utf8", maxBuffer: 256 * 1024 });
const services = reuseServiceIds(text);
const parsed = parseRuntimeReuseConfig(text, { sourceCommit: commit, stageRef: sourceStageRef });
const summary = summarizeRuntimeReuseConfig(parsed);
return {
present: true,
path: "gitops/reuse.ymal",
...summary,
bytes: Buffer.byteLength(text, "utf8"),
sha256: createHash("sha256").update(text).digest("hex"),
serviceCount: services.length,
serviceIds: services.slice(0, 12),
runtimeReuseMentioned: /\bruntimeReuse\b/u.test(text),
envReuseMentioned: /\benvReuse\b/u.test(text),
sha256: summary.sha256 ?? createHash("sha256").update(text).digest("hex"),
};
} catch (error) {
return { present: false, path: "gitops/reuse.ymal", reason: shortText(error?.message || String(error)) };
}
}
function reuseServiceIds(text) {
const ids = new Set([...text.matchAll(/(?:^|\n)\s*-\s*id:\s*([A-Za-z0-9_.-]+)/gu)].map((match) => match[1]).filter(Boolean));
const lines = text.split(/\r?\n/u);
let inServices = false;
let servicesIndent = 0;
for (const line of lines) {
const services = /^(\s*)services:\s*$/u.exec(line);
if (services) {
inServices = true;
servicesIndent = services[1].length;
continue;
}
if (!inServices) continue;
const match = /^(\s*)([A-Za-z0-9_.-]+):\s*$/u.exec(line);
if (!match) continue;
const indent = match[1].length;
if (indent <= servicesIndent) {
inServices = false;
continue;
}
if (indent === servicesIndent + 2) ids.add(match[2]);
}
return Array.from(ids);
}
function gitMirrorSummary(commit) {
const localSource = rev(`refs/heads/${sourceBranch}`);
const githubSource = rev(`refs/mirror-stage/heads/${sourceBranch}`);
@@ -277,9 +255,10 @@ function taskRunsSummary(list) {
});
const failed = rows.filter((item) => item.status === "False");
const active = rows.filter((item) => item.status !== "True" && item.status !== "False");
const slow = rows.filter((item) => typeof item.durationSeconds === "number" && item.durationSeconds >= 60);
const slow = rows.filter((item) => typeof item.durationSeconds === "number" && item.durationSeconds >= slowTaskSeconds);
return {
count: rows.length,
slowThresholdSeconds: slowTaskSeconds,
failedCount: failed.length,
activeCount: active.length,
slowCount: slow.length,
@@ -321,7 +300,7 @@ async function httpProbe(url) {
const client = url.startsWith("https:") ? https : http;
const started = Date.now();
return await new Promise((resolve) => {
const req = client.get(url, { timeout: 5000 }, (res) => {
const req = client.get(url, { timeout: healthTimeoutMs }, (res) => {
res.resume();
res.on("end", () => resolve({ url, ok: (res.statusCode || 0) >= 200 && (res.statusCode || 0) < 300, statusCode: res.statusCode || null, elapsedMs: Date.now() - started }));
});
@@ -382,6 +361,13 @@ function requiredEnv(name) {
return value;
}
function requiredPositiveIntEnv(name) {
const value = requiredEnv(name);
const parsed = Number(value);
if (!Number.isInteger(parsed) || parsed <= 0) fail(`${name} must be a positive integer`);
return parsed;
}
function fail(message) {
console.error(message);
process.exit(1);
@@ -0,0 +1,9 @@
#!/bin/sh
set -eu
script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
/etc/unidesk-cicd-branch-follower/sync-source.sh "$REPOSITORY" "$SOURCE_BRANCH" "$SNAPSHOT_PREFIX" "$REPO_PATH" >/tmp/bf-gate-source-sync.json 2>/tmp/bf-gate-source-sync.err || true
cd "$script_dir"
exec bun ./branch-follower-gate.mjs
@@ -0,0 +1,134 @@
// SPEC: PJ2026-01060703 CI/CD branch follower reuse config.
// Responsibility: native target-side parser for runtime/env reuse declarations.
import { createHash } from "node:crypto";
export const RUNTIME_REUSE_CONFIG_PATH = "gitops/reuse.ymal";
export function parseRuntimeReuseConfig(text, source) {
const errors = [];
let parsed = null;
try {
parsed = Bun.YAML.parse(text);
} catch (error) {
errors.push(`${RUNTIME_REUSE_CONFIG_PATH} YAML parse failed: ${error instanceof Error ? error.message : String(error)}`);
}
const root = asOptionalRecord(parsed);
if (root === null) errors.push(`${RUNTIME_REUSE_CONFIG_PATH} must be a YAML object`);
const spec = asOptionalRecord(root?.spec) ?? root ?? {};
const services = parseServices(spec, errors);
if (services.length === 0) errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.services must declare at least one service`);
const kind = stringOrNull(root?.kind);
if (kind !== null && kind !== "RuntimeReuseConfig") errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.kind must be RuntimeReuseConfig`);
return {
ok: errors.length === 0,
present: true,
path: RUNTIME_REUSE_CONFIG_PATH,
sourceCommit: source.sourceCommit,
stageRef: source.stageRef,
sha256: createHash("sha256").update(text).digest("hex"),
apiVersion: stringOrNull(root?.apiVersion),
kind,
serviceCount: services.length,
services,
errors,
valuesRedacted: true,
};
}
export function summarizeRuntimeReuseConfig(config) {
return {
ok: config.ok,
present: config.present,
path: config.path,
sourceCommit: config.sourceCommit,
stageRef: config.stageRef,
sha256: config.sha256,
serviceCount: config.serviceCount,
serviceIds: config.services.map((service) => service.id).sort(),
errors: config.errors.slice(0, 5),
valuesRedacted: true,
};
}
function parseServices(spec, errors) {
const raw = spec.services;
const items = Array.isArray(raw)
? raw.map((value, index) => ({ id: stringOrNull(asOptionalRecord(value)?.id) ?? String(index), value, path: `services[${index}]` }))
: Object.entries(asOptionalRecord(raw) ?? {}).map(([id, value]) => ({ id, value, path: `services.${id}` }));
return items.flatMap(({ id, value, path }) => {
const record = asOptionalRecord(value);
if (record === null) {
errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.${path} must be an object`);
return [];
}
const serviceId = stringOrNull(record.id) ?? id;
if (serviceId.length === 0) errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.${path}.id is required`);
return [{
id: serviceId,
runtimeReuse: parseRuntimeReuse(asOptionalRecord(record.runtimeReuse), `${path}.runtimeReuse`, errors),
envReuse: parseEnvReuse(asOptionalRecord(record.envReuse), `${path}.envReuse`, errors),
}];
});
}
function parseRuntimeReuse(record, path, errors) {
if (record === null) return null;
return {
enabled: booleanOrNull(record.enabled),
codeIdentityPaths: safePathArray(asOptionalRecord(record.codeIdentity)?.paths ?? record.codeIdentityPaths, `${path}.codeIdentity.paths`, errors),
envIdentityPaths: safePathArray(asOptionalRecord(record.envIdentity)?.paths ?? record.envIdentityPaths, `${path}.envIdentity.paths`, errors),
};
}
function parseEnvReuse(record, path, errors) {
if (record === null) return null;
return {
enabled: booleanOrNull(record.enabled),
mode: stringOrNull(record.mode),
nodeDepsPath: stringOrNull(record.nodeDepsPath),
envIdentityFiles: safePathArray(record.envIdentityFiles ?? asOptionalRecord(record.envIdentity)?.paths, `${path}.envIdentityFiles`, errors),
buildArgs: stringRecord(asOptionalRecord(record.buildArgs), `${path}.buildArgs`, errors),
};
}
function safePathArray(value, path, errors) {
if (value === undefined || value === null) return [];
if (!Array.isArray(value)) {
errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.${path} must be a string array`);
return [];
}
return value.flatMap((item, index) => {
if (typeof item !== "string" || item.length === 0) {
errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.${path}[${index}] must be a non-empty string`);
return [];
}
if (item.startsWith("/") || item.includes("..")) {
errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.${path}[${index}] must be a relative path without ..`);
return [];
}
return [item];
});
}
function stringRecord(record, path, errors) {
if (record === null) return {};
const out = {};
for (const [key, value] of Object.entries(record)) {
if (typeof value !== "string") errors.push(`${RUNTIME_REUSE_CONFIG_PATH}.spec.${path}.${key} must be a string`);
else out[key] = value;
}
return out;
}
function asOptionalRecord(value) {
return typeof value === "object" && value !== null && !Array.isArray(value) ? value : null;
}
function stringOrNull(value) {
return typeof value === "string" && value.length > 0 ? value : null;
}
function booleanOrNull(value) {
return typeof value === "boolean" ? value : null;
}