fix(cicd): inject runtime gitops guard in native refresh

This commit is contained in:
Codex
2026-07-04 11:05:21 +00:00
parent bdd7fcfc7b
commit 7cc6f24293
5 changed files with 290 additions and 2 deletions
@@ -0,0 +1,130 @@
#!/usr/bin/env node
// SPEC: PJ2026-01060703 CI/CD branch follower runtime GitOps postprocess.
// Responsibility: mutate rendered runtime GitOps files after HWLAB source render, before publish.
import { existsSync, readdirSync, readFileSync, statSync, unlinkSync, writeFileSync } from "node:fs";
import path from "node:path";
const repoDir = process.cwd();
const overlay = readOverlay();
const runtimePath = requiredOverlayString("runtimePath");
const runtimeDir = path.resolve(repoDir, runtimePath);
const prometheusOperatorKinds = new Set(["ServiceMonitor", "PrometheusRule", "PodMonitor", "Probe"]);
if (!existsSync(runtimeDir)) {
emit({ ok: false, reason: "runtime-path-missing", runtimePath });
process.exit(45);
}
const result = postprocessRuntimeGitops();
emit({ ok: true, runtimePath, ...result });
function postprocessRuntimeGitops() {
const prometheusOperatorDisabled = overlay?.observability?.prometheusOperator === false;
if (!prometheusOperatorDisabled) {
return { observabilityPrometheusOperator: overlay?.observability?.prometheusOperator ?? null, observabilityWorkloadsChanged: false, kustomizationChanged: false };
}
const changedFiles = [];
const deletedFiles = [];
for (const file of listYamlFiles(runtimeDir)) {
const changed = stripPrometheusOperatorResourcesFromFile(file);
if (changed === "deleted") deletedFiles.push(path.relative(repoDir, file));
if (changed === "changed") changedFiles.push(path.relative(repoDir, file));
}
const kustomizationChanged = pruneMissingKustomizationResources();
return {
observabilityPrometheusOperator: false,
observabilityWorkloadsChanged: changedFiles.length > 0 || deletedFiles.length > 0,
kustomizationChanged,
changedFiles,
deletedFiles,
};
}
function stripPrometheusOperatorResourcesFromFile(file) {
const original = readFileSync(file, "utf8");
const docs = splitYamlDocuments(original);
const nextDocs = docs.filter((doc) => !isPrometheusOperatorDocument(doc));
if (nextDocs.length === docs.length) return "unchanged";
if (nextDocs.length === 0) {
unlinkSync(file);
return "deleted";
}
writeFileSync(file, `${nextDocs.map((doc) => doc.trimEnd()).join("\n---\n")}\n`, "utf8");
return "changed";
}
function pruneMissingKustomizationResources() {
const file = path.join(runtimeDir, "kustomization.yaml");
if (!existsSync(file)) return false;
const original = readFileSync(file, "utf8");
const lines = original.split(/\n/u);
const next = [];
let changed = false;
let inResources = false;
let resourcesIndent = 0;
for (const line of lines) {
const resourcesMatch = line.match(/^(\s*)resources:\s*(?:#.*)?$/u);
if (resourcesMatch) {
inResources = true;
resourcesIndent = resourcesMatch[1].length;
next.push(line);
continue;
}
if (inResources && line.trim() !== "" && !line.match(/^\s*-/u) && leadingSpaces(line) <= resourcesIndent) inResources = false;
if (inResources) {
const item = line.match(/^(\s*)-\s+["']?([^"'#\s]+)["']?\s*(?:#.*)?$/u);
if (item && !existsSync(path.resolve(runtimeDir, item[2]))) {
changed = true;
continue;
}
}
next.push(line);
}
if (changed) writeFileSync(file, next.join("\n"), "utf8");
return changed;
}
function splitYamlDocuments(text) {
return text.split(/^---[ \t]*(?:#.*)?$/mu).map((doc) => doc.trim()).filter(Boolean);
}
function isPrometheusOperatorDocument(text) {
const api = text.match(/^\s*apiVersion:\s*["']?(monitoring\.coreos\.com\/[^"'\s#]+)["']?\s*(?:#.*)?$/mu);
const kind = text.match(/^\s*kind:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
return Boolean(api && kind && prometheusOperatorKinds.has(kind[1]));
}
function leadingSpaces(value) {
const match = value.match(/^ */u);
return match ? match[0].length : 0;
}
function listYamlFiles(root) {
const out = [];
for (const name of readdirSync(root)) {
const file = path.join(root, name);
const stat = statSync(file);
if (stat.isDirectory()) {
out.push(...listYamlFiles(file));
} else if (/\.(ya?ml)$/u.test(name)) {
out.push(file);
}
}
return out.sort();
}
function readOverlay() {
const encoded = process.env.UNIDESK_RUNTIME_GITOPS_OVERLAY_B64;
if (!encoded) throw new Error("UNIDESK_RUNTIME_GITOPS_OVERLAY_B64 is required");
return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
}
function requiredOverlayString(name) {
const value = overlay[name];
if (typeof value !== "string" || value.length === 0) throw new Error(`overlay.${name} is required`);
return value;
}
function emit(fields) {
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-postprocess", ...fields }));
}
@@ -0,0 +1,79 @@
#!/usr/bin/env node
// SPEC: PJ2026-01060703 CI/CD branch follower runtime GitOps verify.
// Responsibility: fail publish before Argo when rendered runtime GitOps violates UniDesk overlay gates.
import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
import path from "node:path";
const repoDir = process.cwd();
const overlay = readOverlay();
const runtimePath = requiredOverlayString("runtimePath");
const runtimeDir = path.resolve(repoDir, runtimePath);
const prometheusOperatorKinds = new Set(["ServiceMonitor", "PrometheusRule", "PodMonitor", "Probe"]);
if (!existsSync(runtimeDir)) {
fail("runtime-path-missing", { runtimePath });
}
const checks = [];
if (overlay?.observability?.prometheusOperator === false) {
checks.push("prometheus-operator-disabled");
const refs = findPrometheusOperatorResources();
if (refs.length > 0) fail("prometheus-operator-resource-present", { runtimePath, refs: refs.slice(0, 12), refCount: refs.length });
}
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: true, runtimePath, checks }));
function findPrometheusOperatorResources() {
const refs = [];
for (const file of listYamlFiles(runtimeDir)) {
const rel = path.relative(repoDir, file);
for (const doc of splitYamlDocuments(readFileSync(file, "utf8"))) {
const ref = prometheusOperatorResourceRef(doc, rel);
if (ref !== null) refs.push(ref);
}
}
return refs;
}
function splitYamlDocuments(text) {
return text.split(/^---[ \t]*(?:#.*)?$/mu).map((doc) => doc.trim()).filter(Boolean);
}
function prometheusOperatorResourceRef(text, file) {
const api = text.match(/^\s*apiVersion:\s*["']?(monitoring\.coreos\.com\/[^"'\s#]+)["']?\s*(?:#.*)?$/mu);
const kind = text.match(/^\s*kind:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
if (!api || !kind || !prometheusOperatorKinds.has(kind[1])) return null;
const name = text.match(/^\s*name:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
return { file, kind: kind[1], name: name ? name[1] : null, container: null };
}
function listYamlFiles(root) {
const out = [];
for (const name of readdirSync(root)) {
const file = path.join(root, name);
const stat = statSync(file);
if (stat.isDirectory()) {
out.push(...listYamlFiles(file));
} else if (/\.(ya?ml)$/u.test(name)) {
out.push(file);
}
}
return out.sort();
}
function readOverlay() {
const encoded = process.env.UNIDESK_RUNTIME_GITOPS_OVERLAY_B64;
if (!encoded) throw new Error("UNIDESK_RUNTIME_GITOPS_OVERLAY_B64 is required");
return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
}
function requiredOverlayString(name) {
const value = overlay[name];
if (typeof value !== "string" || value.length === 0) throw new Error(`overlay.${name} is required`);
return value;
}
function fail(reason, extra = {}) {
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: false, reason, ...extra }));
process.exit(48);
}