Files
elizaos--eliza/scripts/certification/check-commit-drift.mjs
T
wehub-resource-sync 426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:43:05 +08:00

242 lines
7.7 KiB
JavaScript

#!/usr/bin/env node
/**
* Commit-drift check for the develop→main certification gate (#14547). A
* certification signs one exact commit, but a promotion branch may pick up
* non-source commits after signing (README and docs touch-ups). This
* helper decides whether the PR head is still covered by the certification:
* pass iff head == cert.commit, or cert.commit is an ancestor of head and
* every path in `git diff cert.commit..head` matches the docs-only allowlist.
*
* The allowlist is deliberately narrow: docs/**, packages/docs/**, any *.md,
* and the certification artifacts. GitHub workflow/policy/config drift must
* force re-certification, never ride the docs allowlist.
*
* Consumed by .github/workflows/certification-verify.yml; it reads the
* certification only to extract `commit` — all cryptographic and schema
* verification stays in `packages/evidence certify:verify`.
*/
import { execFileSync } from "node:child_process";
import { appendFileSync, readFileSync, writeFileSync } from "node:fs";
import { pathToFileURL } from "node:url";
/** Paths that may change after certification without re-certifying. */
export function isAllowedDriftPath(filePath) {
// Trust anchor and gate plumbing: never allowed as post-certification drift.
if (filePath.startsWith(".github/certification/")) return false;
if (filePath === ".github/workflows/certification-verify.yml") return false;
if (filePath.startsWith("scripts/certification/")) return false;
// The certification artifacts themselves necessarily land AFTER the
// certified commit (the signature covers the commit sha, so the commit that
// adds the file can never be the signed one). Their integrity is enforced
// cryptographically — signature over the payload, bundleSha over the bundle
// — not by the drift rule, so allowing them here weakens nothing.
if (filePath === "certification.json") return true;
if (filePath.startsWith("evidence/bundle/")) return true;
if (filePath.startsWith("docs/")) return true;
if (filePath.startsWith("packages/docs/")) return true;
if (filePath.endsWith(".md")) return true;
return false;
}
const SHA_RE = /^[0-9a-f]{40}$/;
function git(repoDir, args) {
return execFileSync("git", args, {
cwd: repoDir,
encoding: "utf8",
stdio: ["ignore", "pipe", "pipe"],
});
}
/** Read `commit` out of a certification.json without validating anything else. */
export function readCertCommit(certPath) {
let raw;
try {
raw = readFileSync(certPath, "utf8");
} catch (error) {
return { error: `certification unreadable: ${error.message}` };
}
let parsed;
try {
parsed = JSON.parse(raw);
} catch (error) {
return { error: `certification is not valid JSON: ${error.message}` };
}
const commit = parsed?.commit;
if (typeof commit !== "string" || !SHA_RE.test(commit)) {
return {
error: `certification \`commit\` is not a full 40-hex sha: ${JSON.stringify(commit)}`,
};
}
return { commit };
}
/**
* Evaluate drift between the certified commit and the PR head.
* Result shape: { result, certCommit, headCommit, driftPaths, disallowedPaths, detail }
* where result is one of:
* match | allowed-drift → covered by the certification
* cert-commit-unknown | not-ancestor | disallowed-drift → not covered
*/
export function evaluateCommitDrift({ certCommit, headCommit, repoDir }) {
const base = {
certCommit,
headCommit,
driftPaths: [],
disallowedPaths: [],
};
if (certCommit === headCommit) {
return {
...base,
result: "match",
detail: "certification commit equals the PR head",
};
}
try {
git(repoDir, ["cat-file", "-e", `${certCommit}^{commit}`]);
} catch {
// A cert for a commit this repository has never seen (or outside the
// fetched history window) cannot cover this head. Shallow clones can
// produce this for very old certs — that fails safe: stale certs must
// re-certify anyway.
return {
...base,
result: "cert-commit-unknown",
detail: `certified commit ${certCommit} is not present in this repository's fetched history`,
};
}
let isAncestor = true;
try {
git(repoDir, ["merge-base", "--is-ancestor", certCommit, headCommit]);
} catch (error) {
if (error.status === 1) {
isAncestor = false;
} else {
throw error;
}
}
if (!isAncestor) {
return {
...base,
result: "not-ancestor",
detail: `certified commit ${certCommit} is not an ancestor of head ${headCommit} — the certified tree was never part of this branch`,
};
}
const driftPaths = git(repoDir, [
"diff",
"--name-only",
"-z",
certCommit,
headCommit,
])
.split("\0")
.filter((entry) => entry.length > 0);
const disallowedPaths = driftPaths.filter(
(entry) => !isAllowedDriftPath(entry),
);
if (disallowedPaths.length > 0) {
return {
...base,
driftPaths,
disallowedPaths,
result: "disallowed-drift",
detail: `${disallowedPaths.length} of ${driftPaths.length} drifted path(s) fall outside the docs-only allowlist — re-certify at the current head`,
};
}
return {
...base,
driftPaths,
result: "allowed-drift",
detail: `${driftPaths.length} drifted path(s), all inside the docs-only allowlist`,
};
}
function parseArgs(argv) {
const args = { repoDir: process.cwd() };
for (let index = 0; index < argv.length; index += 1) {
const flag = argv[index];
const value = () => {
const next = argv[index + 1];
if (next === undefined) {
console.error(`${flag} requires a value`);
process.exit(2);
}
index += 1;
return next;
};
if (flag === "--cert") args.certPath = value();
else if (flag === "--head") args.headCommit = value();
else if (flag === "--repo") args.repoDir = value();
else if (flag === "--json-out") args.jsonOut = value();
else if (flag === "--github-output") args.githubOutput = value();
else {
console.error(`unknown argument: ${flag}`);
process.exit(2);
}
}
if (args.certPath === undefined || args.headCommit === undefined) {
console.error(
"Usage: check-commit-drift.mjs --cert <certification.json> --head <sha> [--repo <dir>] [--json-out <file>] [--github-output <file>]",
);
process.exit(2);
}
if (!SHA_RE.test(args.headCommit)) {
console.error(`--head must be a full 40-hex sha, got: ${args.headCommit}`);
process.exit(2);
}
return args;
}
function main() {
const args = parseArgs(process.argv.slice(2));
const certRead = readCertCommit(args.certPath);
const outcome =
"error" in certRead
? {
result: "cert-unreadable",
certCommit: null,
headCommit: args.headCommit,
driftPaths: [],
disallowedPaths: [],
detail: certRead.error,
}
: evaluateCommitDrift({
certCommit: certRead.commit,
headCommit: args.headCommit,
repoDir: args.repoDir,
});
if (args.jsonOut !== undefined) {
writeFileSync(args.jsonOut, `${JSON.stringify(outcome, null, 2)}\n`);
}
if (args.githubOutput !== undefined) {
appendFileSync(
args.githubOutput,
`cert-commit=${outcome.certCommit ?? ""}\nresult=${outcome.result}\n`,
);
}
const ok = outcome.result === "match" || outcome.result === "allowed-drift";
console.log(`[check-commit-drift] ${outcome.result}: ${outcome.detail}`);
for (const entry of outcome.driftPaths) {
const marker = outcome.disallowedPaths.includes(entry)
? "DISALLOWED"
: "allowed ";
console.log(` ${marker} ${entry}`);
}
process.exit(ok ? 0 : 1);
}
if (
process.argv[1] &&
import.meta.url === pathToFileURL(process.argv[1]).href
) {
main();
}