Files
wehub-resource-sync 426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
ci / test (push) Waiting to run
ci / lint-and-format (push) Waiting to run
ci / build (push) Waiting to run
ci / dev-startup (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
gitleaks / gitleaks (push) Waiting to run
Markdown Links / Relative Markdown Links (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Quality (Extended) / Homepage Build (PR smoke) (push) Waiting to run
Quality (Extended) / Comment-only diff guard (push) Waiting to run
Quality (Extended) / Format + Type Safety Ratchet (push) Waiting to run
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Waiting to run
Quality (Extended) / Develop Gate (lint) (push) Waiting to run
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:43:05 +08:00

148 lines
5.1 KiB
Bash
Executable File

#!/usr/bin/env bash
# elizaOS release verification helper.
#
# Walks the layered trust stack that the OS release pipeline ships:
#
# 1. SHA256SUMS roundtrip (required; uses sha256sum or shasum -a 256)
# 2. GitHub artifact attestations (optional; uses gh CLI)
# 3. GPG signature on SHA256SUMS (optional; uses gpg)
# 4. SBOM summary (optional; uses jq)
#
# Each optional layer is skipped with a notice if its tool is missing —
# the script is useful even with only coreutils installed. Every layer
# runs to completion so the user sees the full picture before the
# script exits.
#
# Usage:
# verify-release.sh [DIR]
# DIR Directory containing downloaded release artifacts + SHA256SUMS.
# Defaults to the current directory.
#
# Exit codes:
# 0 every required check passed (optional layers may have been
# skipped or warned)
# 1 SHA256SUMS missing or roundtrip failed
# 2 an optional layer detected real corruption / tampering
# (e.g. a mix of valid and invalid attestations, or a bad GPG
# signature). Pure-absence does NOT trigger exit 2.
set -euo pipefail
DIR="${1:-.}"
cd "$DIR" || { echo "ERROR: cannot enter $DIR" >&2; exit 1; }
note() { printf '\033[1;34m==>\033[0m %s\n' "$*"; }
ok() { printf '\033[1;32m[OK]\033[0m %s\n' "$*"; }
warn() { printf '\033[1;33m[--]\033[0m %s\n' "$*"; }
fail() { printf '\033[1;31m[XX]\033[0m %s\n' "$*"; }
EXIT=0
# ---- 1. SHA256SUMS ---------------------------------------------------------
note "Checking SHA256SUMS"
if [ ! -f SHA256SUMS ]; then
fail "SHA256SUMS not found in $(pwd)"
exit 1
fi
# sha256sum is Linux coreutils; fall back to shasum -a 256 on macOS.
SHA256CMD=sha256sum
if ! command -v sha256sum >/dev/null 2>&1; then
if command -v shasum >/dev/null 2>&1; then
SHA256CMD="shasum -a 256"
else
fail "neither sha256sum nor shasum found; cannot verify checksums"
exit 1
fi
fi
# grep -c returns exit 1 when there are 0 matching lines; || true prevents
# set -e from aborting if SHA256SUMS contains only comment lines.
entry_count=$(grep -cE '^[a-f0-9]{64}' SHA256SUMS || true)
if $SHA256CMD -c SHA256SUMS --ignore-missing --quiet; then
ok "SHA256SUMS roundtrip verified (${entry_count} entries)"
else
fail "SHA256SUMS roundtrip FAILED — re-download required"
exit 1
fi
# ---- 2. GitHub attestations ------------------------------------------------
if command -v gh >/dev/null 2>&1; then
note "Checking GitHub artifact attestations (gh attestation verify)"
attest_pass=0
attest_fail=0
while IFS= read -r line; do
case "$line" in '' | '#'*) continue ;; esac
file=$(printf '%s\n' "$line" | awk '{print $2}' | sed 's|^\*||')
[ -z "$file" ] && continue
[ -f "$file" ] || continue
if gh attestation verify "$file" --owner elizaOS >/dev/null 2>&1; then
ok "attestation valid: $file"
attest_pass=$((attest_pass + 1))
else
fail "attestation NOT verified: $file"
attest_fail=$((attest_fail + 1))
fi
done < SHA256SUMS
note "attestations: ${attest_pass} valid, ${attest_fail} not verified"
# Classification:
# pass>0, fail>0 : mixed — likely tampering or pipeline issue. Exit 2.
# pass=0, fail>0 : either pre-attestation release OR full-on tampering.
# Cannot distinguish from this client. Warn, do not
# exit 2, so users get the rest of the report.
# pass>0, fail=0 : clean.
if [ "$attest_pass" -gt 0 ] && [ "$attest_fail" -gt 0 ]; then
fail "mixed attestation results — some valid, some not. Investigate."
EXIT=2
elif [ "$attest_pass" -eq 0 ] && [ "$attest_fail" -gt 0 ]; then
warn "no artifact attestations verified. Expected for releases predating attestation rollout; treat as untrusted otherwise."
fi
else
warn "skipping GitHub attestation verification (gh CLI not installed)"
fi
# ---- 3. GPG signature on SHA256SUMS ---------------------------------------
SIG=""
if [ -f SHA256SUMS.asc ]; then
SIG=SHA256SUMS.asc
elif [ -f SHA256SUMS.sig ]; then
SIG=SHA256SUMS.sig
fi
if [ -n "$SIG" ]; then
if command -v gpg >/dev/null 2>&1; then
note "Checking GPG signature on SHA256SUMS"
if gpg --verify "$SIG" SHA256SUMS 2>&1 | grep -q "Good signature"; then
ok "GPG signature verified"
else
fail "GPG signature FAILED — output:"
gpg --verify "$SIG" SHA256SUMS 2>&1 | sed 's/^/ /'
EXIT=2
fi
else
warn "${SIG} present but gpg is not installed; skipping"
fi
else
warn "no SHA256SUMS.asc or .sig found; skipping GPG verification (release may not be GPG-signed yet)"
fi
# ---- 4. SBOM summary -------------------------------------------------------
shopt -s nullglob
sboms=( *.spdx.json )
shopt -u nullglob
if [ "${#sboms[@]}" -gt 0 ]; then
if command -v jq >/dev/null 2>&1; then
note "SBOM summary (jq)"
for sbom in "${sboms[@]}"; do
count=$(jq '.packages | length' "$sbom" 2>/dev/null || echo "?")
ok "${sbom}: ${count} packages"
done
else
warn "${#sboms[@]} SBOM file(s) found but jq is not installed; skipping package count"
fi
else
warn "no .spdx.json SBOM found in $(pwd); skipping SBOM summary"
fi
note "Verification complete."
exit "$EXIT"