Files

120 lines
4.2 KiB
JavaScript

#!/usr/bin/env node
// SPEC: PJ2026-01060703 CI/CD branch follower runtime GitOps verify.
// Responsibility: fail publish before Argo when rendered runtime GitOps violates UniDesk overlay gates.
import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
import path from "node:path";
const repoDir = process.cwd();
const overlay = readOverlay();
const runtimePath = requiredOverlayString("runtimePath");
const runtimeDir = path.resolve(repoDir, runtimePath);
const prometheusOperatorKinds = new Set(["ServiceMonitor", "PrometheusRule", "PodMonitor", "Probe"]);
if (!existsSync(runtimeDir)) {
fail("runtime-path-missing", { runtimePath });
}
const checks = [];
if (overlay?.observability?.prometheusOperator === false) {
checks.push("prometheus-operator-disabled");
const refs = findPrometheusOperatorResources();
if (refs.length > 0) fail("prometheus-operator-resource-present", { runtimePath, refs: refs.slice(0, 12), refCount: refs.length });
}
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: true, runtimePath, checks }));
function findPrometheusOperatorResources() {
const refs = [];
for (const file of listYamlFiles(runtimeDir)) {
const rel = path.relative(repoDir, file);
for (const doc of splitYamlDocuments(readFileSync(file, "utf8"))) {
refs.push(...prometheusOperatorResourceRefs(doc, rel));
}
}
return refs;
}
function splitYamlDocuments(text) {
return text.split(/^---[ \t]*(?:#.*)?$/mu).map((doc) => doc.trim()).filter(Boolean);
}
function prometheusOperatorResourceRefs(text, file) {
const jsonRefs = prometheusOperatorJsonResourceRefs(text, file);
if (jsonRefs !== null) return jsonRefs;
const api = text.match(/^\s*apiVersion:\s*["']?(monitoring\.coreos\.com\/[^"'\s#]+)["']?\s*(?:#.*)?$/mu);
const kind = text.match(/^\s*kind:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
if (!api || !kind || !prometheusOperatorKinds.has(kind[1])) return [];
const name = text.match(/^\s*name:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
return [{ file, kind: kind[1], name: name ? name[1] : null, container: null }];
}
function prometheusOperatorJsonResourceRefs(text, file) {
const parsed = parseJsonDocument(text);
if (parsed === null) return null;
const items = isKubernetesList(parsed) ? parsed.items : [parsed];
return items.filter(isPrometheusOperatorResource).map((item) => ({
file,
kind: item.kind,
name: typeof item.metadata?.name === "string" ? item.metadata.name : null,
container: isKubernetesList(parsed) ? "List.items" : null,
}));
}
function isPrometheusOperatorResource(value) {
if (!value || typeof value !== "object" || Array.isArray(value)) return false;
return typeof value.apiVersion === "string"
&& value.apiVersion.startsWith("monitoring.coreos.com/")
&& typeof value.kind === "string"
&& prometheusOperatorKinds.has(value.kind);
}
function isKubernetesList(value) {
return value
&& typeof value === "object"
&& !Array.isArray(value)
&& value.apiVersion === "v1"
&& value.kind === "List"
&& Array.isArray(value.items);
}
function parseJsonDocument(text) {
const trimmed = text.trim();
if (!trimmed.startsWith("{") && !trimmed.startsWith("[")) return null;
try {
return JSON.parse(trimmed);
} catch {
return null;
}
}
function listYamlFiles(root) {
const out = [];
for (const name of readdirSync(root)) {
const file = path.join(root, name);
const stat = statSync(file);
if (stat.isDirectory()) {
out.push(...listYamlFiles(file));
} else if (/\.(ya?ml)$/u.test(name)) {
out.push(file);
}
}
return out.sort();
}
function readOverlay() {
const encoded = process.env.UNIDESK_RUNTIME_GITOPS_OVERLAY_B64;
if (!encoded) throw new Error("UNIDESK_RUNTIME_GITOPS_OVERLAY_B64 is required");
return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
}
function requiredOverlayString(name) {
const value = overlay[name];
if (typeof value !== "string" || value.length === 0) throw new Error(`overlay.${name} is required`);
return value;
}
function fail(reason, extra = {}) {
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: false, reason, ...extra }));
process.exit(48);
}