426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
242 lines
7.7 KiB
JavaScript
242 lines
7.7 KiB
JavaScript
#!/usr/bin/env node
|
|
/**
|
|
* Commit-drift check for the develop→main certification gate (#14547). A
|
|
* certification signs one exact commit, but a promotion branch may pick up
|
|
* non-source commits after signing (README and docs touch-ups). This
|
|
* helper decides whether the PR head is still covered by the certification:
|
|
* pass iff head == cert.commit, or cert.commit is an ancestor of head and
|
|
* every path in `git diff cert.commit..head` matches the docs-only allowlist.
|
|
*
|
|
* The allowlist is deliberately narrow: docs/**, packages/docs/**, any *.md,
|
|
* and the certification artifacts. GitHub workflow/policy/config drift must
|
|
* force re-certification, never ride the docs allowlist.
|
|
*
|
|
* Consumed by .github/workflows/certification-verify.yml; it reads the
|
|
* certification only to extract `commit` — all cryptographic and schema
|
|
* verification stays in `packages/evidence certify:verify`.
|
|
*/
|
|
|
|
import { execFileSync } from "node:child_process";
|
|
import { appendFileSync, readFileSync, writeFileSync } from "node:fs";
|
|
import { pathToFileURL } from "node:url";
|
|
|
|
/** Paths that may change after certification without re-certifying. */
|
|
export function isAllowedDriftPath(filePath) {
|
|
// Trust anchor and gate plumbing: never allowed as post-certification drift.
|
|
if (filePath.startsWith(".github/certification/")) return false;
|
|
if (filePath === ".github/workflows/certification-verify.yml") return false;
|
|
if (filePath.startsWith("scripts/certification/")) return false;
|
|
|
|
// The certification artifacts themselves necessarily land AFTER the
|
|
// certified commit (the signature covers the commit sha, so the commit that
|
|
// adds the file can never be the signed one). Their integrity is enforced
|
|
// cryptographically — signature over the payload, bundleSha over the bundle
|
|
// — not by the drift rule, so allowing them here weakens nothing.
|
|
if (filePath === "certification.json") return true;
|
|
if (filePath.startsWith("evidence/bundle/")) return true;
|
|
|
|
if (filePath.startsWith("docs/")) return true;
|
|
if (filePath.startsWith("packages/docs/")) return true;
|
|
if (filePath.endsWith(".md")) return true;
|
|
return false;
|
|
}
|
|
|
|
const SHA_RE = /^[0-9a-f]{40}$/;
|
|
|
|
function git(repoDir, args) {
|
|
return execFileSync("git", args, {
|
|
cwd: repoDir,
|
|
encoding: "utf8",
|
|
stdio: ["ignore", "pipe", "pipe"],
|
|
});
|
|
}
|
|
|
|
/** Read `commit` out of a certification.json without validating anything else. */
|
|
export function readCertCommit(certPath) {
|
|
let raw;
|
|
try {
|
|
raw = readFileSync(certPath, "utf8");
|
|
} catch (error) {
|
|
return { error: `certification unreadable: ${error.message}` };
|
|
}
|
|
let parsed;
|
|
try {
|
|
parsed = JSON.parse(raw);
|
|
} catch (error) {
|
|
return { error: `certification is not valid JSON: ${error.message}` };
|
|
}
|
|
const commit = parsed?.commit;
|
|
if (typeof commit !== "string" || !SHA_RE.test(commit)) {
|
|
return {
|
|
error: `certification \`commit\` is not a full 40-hex sha: ${JSON.stringify(commit)}`,
|
|
};
|
|
}
|
|
return { commit };
|
|
}
|
|
|
|
/**
|
|
* Evaluate drift between the certified commit and the PR head.
|
|
* Result shape: { result, certCommit, headCommit, driftPaths, disallowedPaths, detail }
|
|
* where result is one of:
|
|
* match | allowed-drift → covered by the certification
|
|
* cert-commit-unknown | not-ancestor | disallowed-drift → not covered
|
|
*/
|
|
export function evaluateCommitDrift({ certCommit, headCommit, repoDir }) {
|
|
const base = {
|
|
certCommit,
|
|
headCommit,
|
|
driftPaths: [],
|
|
disallowedPaths: [],
|
|
};
|
|
if (certCommit === headCommit) {
|
|
return {
|
|
...base,
|
|
result: "match",
|
|
detail: "certification commit equals the PR head",
|
|
};
|
|
}
|
|
|
|
try {
|
|
git(repoDir, ["cat-file", "-e", `${certCommit}^{commit}`]);
|
|
} catch {
|
|
// A cert for a commit this repository has never seen (or outside the
|
|
// fetched history window) cannot cover this head. Shallow clones can
|
|
// produce this for very old certs — that fails safe: stale certs must
|
|
// re-certify anyway.
|
|
return {
|
|
...base,
|
|
result: "cert-commit-unknown",
|
|
detail: `certified commit ${certCommit} is not present in this repository's fetched history`,
|
|
};
|
|
}
|
|
|
|
let isAncestor = true;
|
|
try {
|
|
git(repoDir, ["merge-base", "--is-ancestor", certCommit, headCommit]);
|
|
} catch (error) {
|
|
if (error.status === 1) {
|
|
isAncestor = false;
|
|
} else {
|
|
throw error;
|
|
}
|
|
}
|
|
if (!isAncestor) {
|
|
return {
|
|
...base,
|
|
result: "not-ancestor",
|
|
detail: `certified commit ${certCommit} is not an ancestor of head ${headCommit} — the certified tree was never part of this branch`,
|
|
};
|
|
}
|
|
|
|
const driftPaths = git(repoDir, [
|
|
"diff",
|
|
"--name-only",
|
|
"-z",
|
|
certCommit,
|
|
headCommit,
|
|
])
|
|
.split("\0")
|
|
.filter((entry) => entry.length > 0);
|
|
const disallowedPaths = driftPaths.filter(
|
|
(entry) => !isAllowedDriftPath(entry),
|
|
);
|
|
if (disallowedPaths.length > 0) {
|
|
return {
|
|
...base,
|
|
driftPaths,
|
|
disallowedPaths,
|
|
result: "disallowed-drift",
|
|
detail: `${disallowedPaths.length} of ${driftPaths.length} drifted path(s) fall outside the docs-only allowlist — re-certify at the current head`,
|
|
};
|
|
}
|
|
return {
|
|
...base,
|
|
driftPaths,
|
|
result: "allowed-drift",
|
|
detail: `${driftPaths.length} drifted path(s), all inside the docs-only allowlist`,
|
|
};
|
|
}
|
|
|
|
function parseArgs(argv) {
|
|
const args = { repoDir: process.cwd() };
|
|
for (let index = 0; index < argv.length; index += 1) {
|
|
const flag = argv[index];
|
|
const value = () => {
|
|
const next = argv[index + 1];
|
|
if (next === undefined) {
|
|
console.error(`${flag} requires a value`);
|
|
process.exit(2);
|
|
}
|
|
index += 1;
|
|
return next;
|
|
};
|
|
if (flag === "--cert") args.certPath = value();
|
|
else if (flag === "--head") args.headCommit = value();
|
|
else if (flag === "--repo") args.repoDir = value();
|
|
else if (flag === "--json-out") args.jsonOut = value();
|
|
else if (flag === "--github-output") args.githubOutput = value();
|
|
else {
|
|
console.error(`unknown argument: ${flag}`);
|
|
process.exit(2);
|
|
}
|
|
}
|
|
if (args.certPath === undefined || args.headCommit === undefined) {
|
|
console.error(
|
|
"Usage: check-commit-drift.mjs --cert <certification.json> --head <sha> [--repo <dir>] [--json-out <file>] [--github-output <file>]",
|
|
);
|
|
process.exit(2);
|
|
}
|
|
if (!SHA_RE.test(args.headCommit)) {
|
|
console.error(`--head must be a full 40-hex sha, got: ${args.headCommit}`);
|
|
process.exit(2);
|
|
}
|
|
return args;
|
|
}
|
|
|
|
function main() {
|
|
const args = parseArgs(process.argv.slice(2));
|
|
const certRead = readCertCommit(args.certPath);
|
|
const outcome =
|
|
"error" in certRead
|
|
? {
|
|
result: "cert-unreadable",
|
|
certCommit: null,
|
|
headCommit: args.headCommit,
|
|
driftPaths: [],
|
|
disallowedPaths: [],
|
|
detail: certRead.error,
|
|
}
|
|
: evaluateCommitDrift({
|
|
certCommit: certRead.commit,
|
|
headCommit: args.headCommit,
|
|
repoDir: args.repoDir,
|
|
});
|
|
|
|
if (args.jsonOut !== undefined) {
|
|
writeFileSync(args.jsonOut, `${JSON.stringify(outcome, null, 2)}\n`);
|
|
}
|
|
if (args.githubOutput !== undefined) {
|
|
appendFileSync(
|
|
args.githubOutput,
|
|
`cert-commit=${outcome.certCommit ?? ""}\nresult=${outcome.result}\n`,
|
|
);
|
|
}
|
|
|
|
const ok = outcome.result === "match" || outcome.result === "allowed-drift";
|
|
console.log(`[check-commit-drift] ${outcome.result}: ${outcome.detail}`);
|
|
for (const entry of outcome.driftPaths) {
|
|
const marker = outcome.disallowedPaths.includes(entry)
|
|
? "DISALLOWED"
|
|
: "allowed ";
|
|
console.log(` ${marker} ${entry}`);
|
|
}
|
|
process.exit(ok ? 0 : 1);
|
|
}
|
|
|
|
if (
|
|
process.argv[1] &&
|
|
import.meta.url === pathToFileURL(process.argv[1]).href
|
|
) {
|
|
main();
|
|
}
|