Files
wehub-resource-sync d68f003000
CI / Change detection (push) Has been cancelled
CI / Version drift (push) Has been cancelled
CI / Lint (push) Has been cancelled
CI / Workflow RLM cache (push) Has been cancelled
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (ubuntu-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / npm wrapper smoke (push) Has been cancelled
CI / Mobile runtime smoke (push) Has been cancelled
CI / Workflow lint (push) Has been cancelled
CI / Documentation (push) Has been cancelled
Web Frontend / Lint & Type Check (push) Failing after 1s
Auto-close harvested PRs / close (push) Failing after 1s
cargo-deny / cargo-deny (bans licenses sources) (push) Failing after 1s
Security audit / cargo-audit (push) Failing after 1s
Sync to CNB / sync (push) Failing after 1s
cargo-deny / cargo-deny (advisories) (push) Failing after 3s
Web Frontend / Deploy to Cloudflare (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:08:23 +08:00

329 lines
11 KiB
JavaScript

const https = require("https");
const http = require("http");
const {
allAssetNames,
allReleaseAssetNames,
checksumManifestUrl,
releaseAssetUrl,
} = require("./artifacts");
const pkg = require("../package.json");
function resolveBinaryVersion() {
const configuredVersion =
process.env.DEEPSEEK_TUI_VERSION ||
process.env.DEEPSEEK_VERSION ||
pkg.codewhaleBinaryVersion || pkg.deepseekBinaryVersion ||
pkg.version;
return String(configuredVersion).trim();
}
function resolveRepo() {
return process.env.DEEPSEEK_TUI_GITHUB_REPO || process.env.DEEPSEEK_GITHUB_REPO || "Hmbown/CodeWhale";
}
function hasReleaseBaseOverride() {
return Boolean(
process.env.CODEWHALE_RELEASE_BASE_URL ||
process.env.DEEPSEEK_TUI_RELEASE_BASE_URL ||
process.env.DEEPSEEK_RELEASE_BASE_URL ||
process.env.CODEWHALE_USE_CNB_MIRROR,
);
}
function packageVersionMatchesBinaryVersion(version) {
return String(pkg.version).trim() === version;
}
function assertPackageVersionMatchesBinaryVersion(version) {
if (packageVersionMatchesBinaryVersion(version)) {
return;
}
if (process.env.CODEWHALE_ALLOW_NPM_BINARY_MISMATCH === "1") {
console.log(
`npm package version ${pkg.version} points at binary release ${version} (allowed packaging-only mismatch).`,
);
return;
}
throw new Error(
`npm package version ${pkg.version} does not match codewhaleBinaryVersion ${version}. ` +
"Set CODEWHALE_ALLOW_NPM_BINARY_MISMATCH=1 only for an intentional packaging-only npm release.",
);
}
function requestStatus(url, method = "HEAD", redirects = 0) {
if (redirects > 10) {
throw new Error(`Too many redirects while checking ${url}`);
}
const client = url.startsWith("https:") ? https : http;
return new Promise((resolve, reject) => {
const req = client.request(
url,
{
method,
headers: {
"User-Agent": "codewhale-npm-release-check",
},
},
(res) => {
const status = res.statusCode || 0;
const location = res.headers.location;
res.resume();
if (status >= 300 && status < 400 && location) {
const next = new URL(location, url).toString();
resolve(requestStatus(next, method, redirects + 1));
return;
}
resolve(status);
},
);
req.on("error", reject);
req.end();
});
}
async function verifyAsset(url, label) {
let status = await requestStatus(url, "HEAD");
if (status === 403 || status === 405) {
status = await requestStatus(url, "GET");
}
if (status < 200 || status >= 400) {
throw new Error(`${label} returned HTTP ${status} (${url})`);
}
}
async function downloadText(url, redirects = 0) {
if (redirects > 10) {
throw new Error(`Too many redirects while downloading ${url}`);
}
const client = url.startsWith("https:") ? https : http;
return new Promise((resolve, reject) => {
client
.get(
url,
{
headers: {
"User-Agent": "codewhale-npm-release-check",
},
},
(res) => {
const status = res.statusCode || 0;
if (status >= 300 && status < 400 && res.headers.location) {
const next = new URL(res.headers.location, url).toString();
res.resume();
resolve(downloadText(next, redirects + 1));
return;
}
if (status !== 200) {
reject(new Error(`Request failed with status ${status}: ${url}`));
res.resume();
return;
}
const chunks = [];
res.setEncoding("utf8");
res.on("data", (chunk) => chunks.push(chunk));
res.on("end", () => resolve(chunks.join("")));
},
)
.on("error", reject);
});
}
async function downloadJson(url, redirects = 0) {
if (redirects > 10) {
throw new Error(`Too many redirects while downloading ${url}`);
}
const client = url.startsWith("https:") ? https : http;
return new Promise((resolve, reject) => {
const headers = {
Accept: "application/vnd.github+json",
"User-Agent": "codewhale-npm-release-check",
"X-GitHub-Api-Version": "2022-11-28",
};
const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
if (token) {
headers.Authorization = `Bearer ${token}`;
}
client
.get(url, { headers }, (res) => {
const status = res.statusCode || 0;
if (status >= 300 && status < 400 && res.headers.location) {
const next = new URL(res.headers.location, url).toString();
res.resume();
resolve(downloadJson(next, redirects + 1));
return;
}
const chunks = [];
res.setEncoding("utf8");
res.on("data", (chunk) => chunks.push(chunk));
res.on("end", () => {
const body = chunks.join("");
let parsed;
try {
parsed = body ? JSON.parse(body) : {};
} catch (error) {
reject(new Error(`Invalid JSON from ${url}: ${error.message}`));
return;
}
if (status < 200 || status >= 300) {
const message = parsed.message ? `: ${parsed.message}` : "";
reject(new Error(`GitHub API request failed with status ${status}${message} (${url})`));
return;
}
resolve(parsed);
});
})
.on("error", reject);
});
}
function githubApiUrl(repo, path) {
return `https://api.github.com/repos/${repo}${path}`;
}
async function githubApi(repo, path) {
return downloadJson(githubApiUrl(repo, path));
}
async function resolveTagCommitSha(repo, tag) {
const ref = await githubApi(repo, `/git/ref/tags/${encodeURIComponent(tag)}`);
if (!ref.object || !ref.object.sha || !ref.object.type) {
throw new Error(`GitHub tag ref ${tag} did not include an object SHA`);
}
if (ref.object.type === "commit") {
return ref.object.sha;
}
if (ref.object.type !== "tag") {
throw new Error(`GitHub tag ref ${tag} points at ${ref.object.type}, not a commit or annotated tag`);
}
const tagObject = await githubApi(repo, `/git/tags/${ref.object.sha}`);
if (!tagObject.object || tagObject.object.type !== "commit" || !tagObject.object.sha) {
throw new Error(`Annotated tag ${tag} did not peel to a commit SHA`);
}
return tagObject.object.sha;
}
async function findReleaseWorkflowRun(repo, tag, tagSha) {
const runs = await githubApi(repo, "/actions/workflows/release.yml/runs?per_page=100");
const matches = (runs.workflow_runs || [])
.filter((run) => run.head_sha === tagSha)
.filter((run) => run.conclusion === "success")
.filter((run) => run.event === "push" || run.event === "workflow_dispatch")
.sort((a, b) => String(b.updated_at).localeCompare(String(a.updated_at)));
const tagBranchMatch = matches.find((run) => run.head_branch === tag);
const match = tagBranchMatch || matches[0];
if (!match) {
throw new Error(
`No successful release.yml workflow run found for ${tag} at ${tagSha}. ` +
"Rerun the Release workflow before publishing npm, or increase the verifier's last-100-runs search window.",
);
}
return match;
}
function parseGitHubTime(value, label) {
const timestamp = Date.parse(value);
if (!Number.isFinite(timestamp)) {
throw new Error(`GitHub ${label} timestamp is invalid: ${value}`);
}
return timestamp;
}
function assertReleaseAssetsFresh(release, expectedAssets, run) {
const assetsByName = new Map((release.assets || []).map((asset) => [asset.name, asset]));
const missing = expectedAssets.filter((asset) => !assetsByName.has(asset));
if (missing.length > 0) {
throw new Error(`GitHub Release is missing required npm-facing asset(s): ${missing.join(", ")}`);
}
const runStartedAt = parseGitHubTime(run.run_started_at || run.created_at, "workflow run start");
const stale = [];
for (const expected of expectedAssets) {
const asset = assetsByName.get(expected);
if (asset.state && asset.state !== "uploaded") {
stale.push(`${expected} has state ${asset.state}`);
continue;
}
const updatedAt = parseGitHubTime(asset.updated_at || asset.created_at, `${expected} update`);
if (updatedAt < runStartedAt) {
stale.push(`${expected} updated at ${asset.updated_at || asset.created_at}`);
}
}
if (stale.length > 0) {
throw new Error(
`GitHub Release asset set is stale for workflow run ${run.database_id || run.id}: ${stale.join("; ")}`,
);
}
}
async function verifyGitHubReleaseFreshness(repo, version, expectedAssets) {
const tag = `v${version}`;
const tagSha = await resolveTagCommitSha(repo, tag);
const release = await githubApi(repo, `/releases/tags/${encodeURIComponent(tag)}`);
const run = await findReleaseWorkflowRun(repo, tag, tagSha);
assertReleaseAssetsFresh(release, expectedAssets, run);
console.log(
`GitHub release asset freshness OK: ${expectedAssets.length} npm-facing assets for ${tag} were produced by run ${run.database_id || run.id} at ${tagSha.slice(0, 12)}.`,
);
}
function parseChecksumManifest(text) {
const checksums = new Map();
for (const line of text.split(/\r?\n/)) {
const trimmed = line.trim();
if (!trimmed) {
continue;
}
const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
if (!match) {
throw new Error(`Invalid checksum manifest line: ${trimmed}`);
}
checksums.set(match[2], match[1].toLowerCase());
}
return checksums;
}
async function run() {
const version = resolveBinaryVersion();
const repo = resolveRepo();
const assets = allReleaseAssetNames();
assertPackageVersionMatchesBinaryVersion(version);
console.log(`Verifying ${assets.length} release assets for ${repo}@v${version}...`);
if (hasReleaseBaseOverride()) {
console.log("Skipping GitHub workflow freshness check because a release asset mirror/base URL override is set.");
} else {
await verifyGitHubReleaseFreshness(repo, version, assets);
}
for (const asset of assets) {
const url = releaseAssetUrl(asset, version, repo);
await verifyAsset(url, asset);
console.log(` ok ${asset}`);
}
const checksums = parseChecksumManifest(
await downloadText(checksumManifestUrl(version, repo)),
);
for (const asset of allAssetNames()) {
if (!checksums.has(asset)) {
throw new Error(`Checksum manifest is missing ${asset}`);
}
}
console.log("Release assets verified.");
}
if (require.main === module) {
run().catch((error) => {
console.error("Release asset verification failed:", error.message);
process.exit(1);
});
}
module.exports = {
assertPackageVersionMatchesBinaryVersion,
assertReleaseAssetsFresh,
hasReleaseBaseOverride,
parseChecksumManifest,
};