mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:21:30 +00:00
shankar0123
1caedd5fd3
Bundle: ci-pipeline-cleanup, Phase 1. Pure relocation — no behavior change. Each guard's bash logic is byte-identical to the prior inline version; the only changes are: (a) the guard becomes a sibling script under scripts/ci-guards/<id>.sh, (b) ci.yml's per-guard step is replaced by a single loop step that iterates all scripts. 20 scripts extracted (alphabetized): B-1-orphan-crud.sh, D-1-D-2-statusbadge-phantom.sh, G-1-jwt-auth-literal.sh, G-2-api-key-hash-json.sh, G-3-env-docs-drift.sh, H-001-bare-from.sh, H-009-readme-jwt.sh, L-001-insecure-skip-verify.sh, L-1-bulk-action-loop.sh, M-012-no-root-user.sh, P-1-documented-orphan-fns.sh, S-1-hardcoded-source-counts.sh, S-2-strings-contains-err.sh, T-1-frontend-page-coverage.sh, U-2-plaintext-healthcheck.sh, U-3-migration-mount.sh, bundle-8-L-015-target-blank-rel-noopener.sh, bundle-8-L-019-dangerously-set-inner-html.sh, bundle-8-M-009-bare-usemutation.sh, test-naming-convention.sh Plus scripts/ci-guards/README.md documenting the contract: - Each script must exit 0 on clean repo, non-zero with ::error:: prefix on regression - Runnable from repo root via 'bash scripts/ci-guards/<id>.sh' - Adding a new guard: drop a new <id>.sh; CI auto-picks it up ci.yml dropped 1488 → 557 lines (-931, -63%). Single CI loop step now collects ALL guard failures before failing the build instead of fail-fast — UX win for regressions that hit two guards at once. Two guards (QA-doc Part-count + seed-count, ci.yml lines 868-917) deliberately NOT extracted — they move to 'make verify-docs' in Phase 11 because they protect docs-the-operator-reads, not the product itself. Verification (sandbox): - All 20 scripts pass against HEAD (chmod +x; for g in scripts/ci-guards/*.sh; do bash $g; done) - New ci.yml YAML-parses cleanly - Job boundaries preserved: go-build-and-test, frontend-build, helm-lint, deploy-vendor-e2e, deploy-vendor-e2e-windows - Loop step appears twice (once at end of go-build-and-test, once at end of frontend-build) so both jobs continue running their set of guards
60 lines
2.5 KiB
Bash
Executable File
60 lines
2.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# scripts/ci-guards/U-3-migration-mount.sh
|
|
#
|
|
# U-3 closed cat-u-seed_initdb_schema_drift (GitHub #10) by
|
|
# eliminating the dual-source-of-truth between
|
|
# `migrations/*.up.sql` mounted into postgres
|
|
# `/docker-entrypoint-initdb.d/` and the same files re-applied at
|
|
# runtime by `RunMigrations`. Pre-U-3 every new migration that
|
|
# the seed depended on (000013 added `policy_rules.severity`,
|
|
# 000017 renames `retry_interval_seconds`, etc.) had to be added
|
|
# by hand to the compose mount list; missing the update crashed
|
|
# initdb on first boot, postgres flagged unhealthy, and the
|
|
# whole stack failed to start from a fresh clone. Post-U-3 the
|
|
# server is the single source of truth — `RunMigrations` +
|
|
# `RunSeed` apply everything at boot.
|
|
#
|
|
# This script grep-fails the build if any compose file under
|
|
# `deploy/` re-introduces a `migrations/.*\.sql` mount into
|
|
# `/docker-entrypoint-initdb.d`. Comments are exempt so the
|
|
# post-fix rationale block in the compose files (which
|
|
# documents WHY the mounts were removed) doesn't trip the guard.
|
|
# The demo overlay's `seed_demo.sql` is the explicit exception:
|
|
# it is tolerated only when it lives behind the
|
|
# CERTCTL_DEMO_SEED env var (post-U-3 demo path) — bare initdb
|
|
# mounts are NOT tolerated. The grep matches all compose
|
|
# mount-list shapes (`-` indented, `volumes:` indented, both),
|
|
# so any future drift surfaces here before the operator hits it
|
|
# on a fresh clone.
|
|
#
|
|
# See coverage-gap-audit-2026-04-24-v5/unified-audit.md
|
|
# cat-u-seed_initdb_schema_drift for the closure rationale, or
|
|
# internal/repository/postgres/db.go::RunSeed for the runtime
|
|
# contract.
|
|
|
|
set -e
|
|
|
|
BAD=$(grep -rnEH \
|
|
-e 'migrations/.*\.sql:.*docker-entrypoint-initdb' \
|
|
-e 'seed.*\.sql:.*docker-entrypoint-initdb' \
|
|
deploy/docker-compose.yml \
|
|
deploy/docker-compose.test.yml \
|
|
deploy/docker-compose.demo.yml \
|
|
2>/dev/null \
|
|
| grep -vE '^\s*[^:]+:[0-9]+:\s*#' \
|
|
|| true)
|
|
if [ -n "$BAD" ]; then
|
|
echo "::error::U-3 regression: migration/seed mount into postgres initdb reappeared:"
|
|
echo "$BAD"
|
|
echo ""
|
|
echo "The post-U-3 contract is: postgres comes up with an empty"
|
|
echo "schema and the server applies migrations + seed at boot via"
|
|
echo "internal/repository/postgres.RunMigrations + RunSeed. Demo"
|
|
echo "data lives behind CERTCTL_DEMO_SEED=true (RunDemoSeed),"
|
|
echo "not an initdb mount. See"
|
|
echo "coverage-gap-audit-2026-04-24-v5/unified-audit.md"
|
|
echo "cat-u-seed_initdb_schema_drift for the closure rationale."
|
|
exit 1
|
|
fi
|
|
echo "U-3 migration-mount: clean."
|