102 lines
8.1 KiB
TypeScript
102 lines
8.1 KiB
TypeScript
import { spawnSync } from "node:child_process";
|
|
|
|
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
|
|
if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`);
|
|
}
|
|
|
|
function asRecord(value: unknown, label: string): Record<string, unknown> {
|
|
assertCondition(typeof value === "object" && value !== null && !Array.isArray(value), `${label} must be an object`, value);
|
|
return value as Record<string, unknown>;
|
|
}
|
|
|
|
function runDeployPlan(environment: "dev" | "prod", serviceId: string): Record<string, unknown> {
|
|
const result = spawnSync("bun", ["scripts/cli.ts", "deploy", "plan", "--env", environment, "--service", serviceId], {
|
|
cwd: process.cwd(),
|
|
encoding: "utf8",
|
|
maxBuffer: 8 * 1024 * 1024,
|
|
});
|
|
assertCondition(result.status === 0, `deploy plan should exit 0 for ${environment}/${serviceId}`, {
|
|
status: result.status,
|
|
stdout: result.stdout.slice(-2000),
|
|
stderr: result.stderr.slice(-2000),
|
|
});
|
|
const envelope = asRecord(JSON.parse(result.stdout) as unknown, "cli envelope");
|
|
assertCondition(envelope.ok === true, `deploy plan envelope should be ok for ${environment}/${serviceId}`, envelope);
|
|
const data = asRecord(envelope.data, "deploy plan data");
|
|
const services = Array.isArray(data.services) ? data.services : [];
|
|
assertCondition(services.length === 1, `deploy plan should return one service for ${environment}/${serviceId}`, data);
|
|
return asRecord(services[0], "service plan");
|
|
}
|
|
|
|
function listIncludes(value: unknown, expected: string): boolean {
|
|
return Array.isArray(value) && value.some((item) => item === expected);
|
|
}
|
|
|
|
const findjob = runDeployPlan("dev", "findjob");
|
|
const findjobArtifact = asRecord(findjob.artifactConsumer, "findjob artifactConsumer");
|
|
const findjobTarget = asRecord(findjob.target, "findjob target");
|
|
assertCondition(findjobArtifact.consumerKind === "d601-direct-compose", "findjob dev must be a D601 direct Compose artifact consumer", findjobArtifact);
|
|
assertCondition(findjobArtifact.noRuntimeSourceBuild === true, "findjob dry-run must declare no runtime source build", findjobArtifact);
|
|
assertCondition(findjobTarget.runtimeHost === "D601", "findjob target should be D601", findjobTarget);
|
|
assertCondition(findjobTarget.composeService === "server", "findjob compose service should be server", findjobTarget);
|
|
assertCondition(listIncludes(findjobTarget.forbiddenActions, "docker compose build"), "findjob plan should forbid Compose build", findjobTarget);
|
|
|
|
const backendCoreDev = runDeployPlan("dev", "backend-core");
|
|
const backendCoreArtifact = asRecord(backendCoreDev.artifactConsumer, "backend-core dev artifactConsumer");
|
|
const backendCoreTarget = asRecord(backendCoreDev.target, "backend-core dev target");
|
|
const backendCoreRegistry = asRecord(backendCoreArtifact.registry, "backend-core dev registry");
|
|
const backendCoreSource = asRecord(backendCoreArtifact.source, "backend-core dev source");
|
|
const backendCoreBuild = asRecord(backendCoreArtifact.build, "backend-core dev build");
|
|
assertCondition(backendCoreDev.deploymentPath === "d601-registry-artifact-consumer", "backend-core dev deployment path must be artifact consumer", backendCoreDev);
|
|
assertCondition(backendCoreArtifact.consumerKind === "d601-k3s-managed", "backend-core dev must be a D601 k3s-managed artifact consumer", backendCoreArtifact);
|
|
assertCondition(backendCoreArtifact.noRuntimeSourceBuild === true, "backend-core dev plan must declare no runtime source build", backendCoreArtifact);
|
|
assertCondition(String(backendCoreArtifact.registryImage ?? "").includes("127.0.0.1:5000/unidesk/backend-core:"), "backend-core dev registry image missing", backendCoreArtifact);
|
|
assertCondition(backendCoreRegistry.repository === "unidesk/backend-core", "backend-core dev registry repository mismatch", backendCoreRegistry);
|
|
assertCondition(backendCoreRegistry.digest === null, "backend-core dev plan must not fake digest", backendCoreRegistry);
|
|
assertCondition(String(backendCoreRegistry.digestSource ?? "").includes("manifest HEAD"), "backend-core dev digest source should name manifest HEAD", backendCoreRegistry);
|
|
assertCondition(backendCoreSource.repo === "https://github.com/pikasTech/unidesk", "backend-core dev source repo mismatch", backendCoreSource);
|
|
assertCondition(backendCoreBuild.willCompile === false, "backend-core dev plan must not compile in CD", backendCoreBuild);
|
|
assertCondition(backendCoreBuild.willRunCargoBuild === false, "backend-core dev plan must not run cargo build in CD", backendCoreBuild);
|
|
assertCondition(backendCoreBuild.willRunDockerBuild === false, "backend-core dev plan must not run docker build in CD", backendCoreBuild);
|
|
assertCondition(backendCoreBuild.producerBoundary === "ci publish-backend-core", "backend-core dev producer boundary mismatch", backendCoreBuild);
|
|
assertCondition(backendCoreTarget.namespace === "unidesk-dev", "backend-core dev target namespace should be unidesk-dev", backendCoreTarget);
|
|
assertCondition(backendCoreTarget.deployment === "backend-core-dev", "backend-core dev deployment should be backend-core-dev", backendCoreTarget);
|
|
assertCondition(backendCoreTarget.service === "backend-core-dev", "backend-core dev service should be backend-core-dev", backendCoreTarget);
|
|
assertCondition(backendCoreTarget.targetImage === "unidesk-backend-core:dev", "backend-core dev target image mismatch", backendCoreTarget);
|
|
assertCondition(listIncludes(backendCoreTarget.forbiddenActions, "docker build"), "backend-core dev plan should forbid docker build", backendCoreTarget);
|
|
assertCondition(listIncludes(backendCoreTarget.forbiddenActions, "docker compose build"), "backend-core dev plan should forbid compose build", backendCoreTarget);
|
|
|
|
const mdtodo = runDeployPlan("prod", "mdtodo");
|
|
const mdtodoArtifact = asRecord(mdtodo.artifactConsumer, "mdtodo artifactConsumer");
|
|
const mdtodoTarget = asRecord(mdtodo.target, "mdtodo target");
|
|
assertCondition(mdtodoArtifact.consumerKind === "d601-k3s-managed", "mdtodo prod must be a D601 k3s-managed artifact consumer", mdtodoArtifact);
|
|
assertCondition(mdtodoArtifact.noRuntimeSourceBuild === true, "mdtodo dry-run must declare no runtime source build", mdtodoArtifact);
|
|
assertCondition(mdtodoTarget.namespace === "unidesk", "mdtodo prod target namespace should be unidesk", mdtodoTarget);
|
|
assertCondition(listIncludes(mdtodoTarget.forbiddenActions, "NodePort"), "mdtodo plan should forbid NodePort", mdtodoTarget);
|
|
|
|
const metNonlinear = runDeployPlan("prod", "met-nonlinear");
|
|
const metArtifact = asRecord(metNonlinear.artifactConsumer, "met-nonlinear artifactConsumer");
|
|
assertCondition(metArtifact.consumerKind === "d601-direct-compose", "met-nonlinear should remain D601 direct Compose", metArtifact);
|
|
assertCondition(metArtifact.dryRunOnly === true, "met-nonlinear must remain dry-run only", metArtifact);
|
|
assertCondition(String(metArtifact.blockedReason ?? "").includes("runtime-verification-blocked"), "met-nonlinear blocked reason should mention runtime verification", metArtifact);
|
|
|
|
const k3sctl = runDeployPlan("prod", "k3sctl-adapter");
|
|
const k3sctlArtifact = asRecord(k3sctl.artifactConsumer, "k3sctl-adapter artifactConsumer");
|
|
const k3sctlTarget = asRecord(k3sctl.target, "k3sctl-adapter target");
|
|
assertCondition(k3sctlArtifact.consumerKind === "d601-direct-compose", "k3sctl-adapter should be D601 direct Compose", k3sctlArtifact);
|
|
assertCondition(k3sctlArtifact.dryRunOnly === true, "k3sctl-adapter must be dry-run only for worker automation", k3sctlArtifact);
|
|
assertCondition(String(k3sctlArtifact.blockedReason ?? "").includes("supervisor"), "k3sctl-adapter blocked reason should mention supervisor confirmation", k3sctlArtifact);
|
|
assertCondition(k3sctlTarget.composeService === "k3sctl-adapter", "k3sctl target service should be k3sctl-adapter", k3sctlTarget);
|
|
|
|
process.stdout.write(`${JSON.stringify({
|
|
ok: true,
|
|
checks: [
|
|
"deploy plan models dev backend-core as a no-build D601 k3s artifact consumer",
|
|
"dev backend-core plan exposes registry/source/build boundaries and target metadata",
|
|
"deploy plan distinguishes D601 direct Compose from D601 k3s-managed artifact consumers",
|
|
"deploy plan exposes no-runtime-source-build and forbidden build/public-port actions",
|
|
"met-nonlinear remains runtime-verification-blocked",
|
|
"k3sctl-adapter remains supervisor-only dry-run",
|
|
],
|
|
}, null, 2)}\n`);
|