Files
siriusscan--sirius/scripts/validate-public-compose-path.sh
wehub-resource-sync 161ef94b4f
Sirius CI/CD Pipeline / Merge API Manifest (push) Blocked by required conditions
Sirius CI/CD Pipeline / Build API (${{ matrix.platform }}) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Build UI (${{ matrix.platform }}) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Merge UI Manifest (push) Blocked by required conditions
Sirius CI/CD Pipeline / Build Engine (${{ matrix.platform }}) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Merge Engine Manifest (push) Blocked by required conditions
Sirius CI/CD Pipeline / Build Infra (${{ matrix.service }}, ${{ matrix.platform }}) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-postgres) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-rabbitmq) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-valkey) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Integration Test (push) Blocked by required conditions
Sirius CI/CD Pipeline / Public Stack Contract (push) Blocked by required conditions
Sirius CI/CD Pipeline / Dispatch Demo Deployment (sirius-demo branch) (push) Blocked by required conditions
Sirius CI/CD Pipeline / Dispatch Demo Canary (main branch) (push) Blocked by required conditions
Check engine pin consistency / Dockerfile / CI pin consistency (push) Successful in 8s
Sirius CI/CD Pipeline / Detect Changes (push) Successful in 23s
Sirius CI/CD Pipeline / Guard Registry Namespace (push) Waiting to run
Validate Docker Configuration / Validate Docker Compose Configuration (push) Successful in 47s
chore: import upstream snapshot with attribution
2026-07-13 12:32:25 +08:00

58 lines
2.0 KiB
Bash
Executable File

#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "${SCRIPT_DIR}")"
IMAGE_TAG_VALUE="${1:-${IMAGE_TAG:-latest}}"
: "${KEEP_PUBLIC_STACK_RUNNING:=0}"
: "${SIRIUS_IMAGE_PULL_POLICY:=always}"
cleanup() {
if [ "${KEEP_PUBLIC_STACK_RUNNING}" = "1" ]; then
return
fi
docker compose down --volumes --remove-orphans >/dev/null 2>&1 || true
}
trap cleanup EXIT
cd "${PROJECT_ROOT}"
echo "Resetting public compose stack state..."
docker compose down --volumes --remove-orphans >/dev/null 2>&1 || true
echo "Generating runtime config with installer..."
# Run the installer container as the invoking host user so the resulting
# .env / secrets/ files are readable by subsequent steps (e.g. `docker
# compose config` reading .env). Without this, the installer writes
# .env as root:root mode 0600 and the next compose invocation fails with
# "open .env: permission denied" — silently producing zero image refs.
SIRIUS_INSTALLER_UID="$(id -u)" SIRIUS_INSTALLER_GID="$(id -g)" \
docker compose -f docker-compose.installer.yaml run --rm --build sirius-installer --non-interactive --no-print-secrets
# Defensive: even with the user override above, guarantee .env is readable
# by the current user. Harmless if already readable.
if [ -f "${PROJECT_ROOT}/.env" ] && [ ! -r "${PROJECT_ROOT}/.env" ]; then
echo "::warning::.env not readable by $(id -un); attempting chmod via sudo"
sudo chown "$(id -u):$(id -g)" "${PROJECT_ROOT}/.env" 2>/dev/null || true
fi
export IMAGE_TAG="${IMAGE_TAG_VALUE}"
export SIRIUS_IMAGE_PULL_POLICY
echo "Verifying anonymous GHCR access for IMAGE_TAG=${IMAGE_TAG}..."
bash scripts/verify-ghcr-public-access.sh "${IMAGE_TAG}"
echo "Pulling compose-rendered public images..."
docker compose pull
echo "Starting public compose stack..."
docker compose up -d
echo "Verifying runtime auth contract..."
bash scripts/verify-runtime-auth-contract.sh
echo "Public compose path validated for IMAGE_TAG=${IMAGE_TAG}."