@kungfu-tech/buildchain 2.0.16-alpha.0 → 2.0.17-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +71 -0
- package/CONTRIBUTING.md +120 -0
- package/LICENSE +202 -0
- package/LICENSE-POLICY.md +52 -0
- package/README.md +10 -2
- package/SECURITY.md +43 -0
- package/actions/promote-buildchain-ref/README.md +202 -0
- package/actions/run-lifecycle/README.md +41 -0
- package/actions/validate-config/README.md +34 -0
- package/docs/MAP.md +64 -0
- package/docs/lifecycle-protocol.md +21 -1
- package/docs/migration-inventory.md +88 -0
- package/docs/ownership.md +52 -0
- package/docs/publish-transaction.md +40 -1
- package/docs/release-flow.md +259 -0
- package/docs/release-governance.md +313 -0
- package/fixtures/libnode-shaped/README.md +23 -0
- package/fixtures/publish-transaction-shaped/README.md +26 -0
- package/fixtures/web-surface-shaped/README.md +9 -0
- package/package.json +13 -2
- package/packages/core/buildchain-config.js +47 -0
- package/packages/core/index.js +1 -0
- package/packages/core/publish-transaction.js +5 -0
- package/scripts/check-inventory.mjs +9 -1
- package/scripts/npm-publish-transaction.mjs +1 -1
|
@@ -0,0 +1,202 @@
|
|
|
1
|
+
# promote-buildchain-ref
|
|
2
|
+
|
|
3
|
+
Internal buildchain action for promoting verified buildchain release-line and
|
|
4
|
+
compatibility refs from buildchain release channels:
|
|
5
|
+
|
|
6
|
+
- `alpha/v2/v2.0` creates or reuses the next exact prerelease tag such as
|
|
7
|
+
`v2.0.1-alpha.0`, writes that version into package version state, points the
|
|
8
|
+
alpha and dev channel branches at the version commit, then promotes
|
|
9
|
+
`v2.0-alpha`;
|
|
10
|
+
- `release/v2/v2.0` creates or reuses the next exact release tag such as
|
|
11
|
+
`v2.0.0`, writes that version into package version state, points the release
|
|
12
|
+
channel branch and release tags at the release commit, then prepares a second
|
|
13
|
+
source commit for the next exact prerelease tag such as `v2.0.1-alpha.0` and
|
|
14
|
+
points the alpha/dev channel branches plus `v2.0-alpha` at that prerelease
|
|
15
|
+
commit;
|
|
16
|
+
- `publish-gate/major` accepts a reviewed PR from a production release line such
|
|
17
|
+
as `release/v2/v2.0`, writes the next major production version such as
|
|
18
|
+
`v3.0.0`, points `publish-gate/major`, `release/v3/v3.0`, `v3.0`, and `v3`
|
|
19
|
+
at that release commit, then prepares `v3.0.1-alpha.0` for
|
|
20
|
+
`alpha/v3/v3.0`, `dev/v3/v3.0`, and `v3.0-alpha`. The older `major-gate`
|
|
21
|
+
branch name is a compatibility alias only.
|
|
22
|
+
|
|
23
|
+
The release branch name defines the minor line. For example,
|
|
24
|
+
`release/v2/v2.1` creates `v2.1.N`, promotes `v2.1`, and promotes `v2` only
|
|
25
|
+
when the next minor tag such as `v2.2` does not already exist.
|
|
26
|
+
|
|
27
|
+
The action updates version state in `lerna.json`, root `package.json`, and
|
|
28
|
+
workspace package manifests discovered from package manager metadata
|
|
29
|
+
(`package.json` workspaces, `lerna.json` packages, or `pnpm-workspace.yaml`).
|
|
30
|
+
Package manager detection is adaptive (`pnpm`, `npm`, or `yarn`) and is recorded
|
|
31
|
+
in logs.
|
|
32
|
+
|
|
33
|
+
Repositories can also provide `buildchain.toml` to declare version-state files
|
|
34
|
+
and `lifecycle.verify`. TOML-configured version files take precedence over
|
|
35
|
+
package-manager discovery and can target JSON, TOML, or regex-based files. The
|
|
36
|
+
version commit itself is written through the GitHub Git Data API so the ref
|
|
37
|
+
graph is the durable source of truth. Repositories without any supported version
|
|
38
|
+
state degrade to ref-only promotion only when strict version state is disabled.
|
|
39
|
+
|
|
40
|
+
## Dry Run
|
|
41
|
+
|
|
42
|
+
Use `dry-run: "true"` or the CLI `buildchain release --dry-run` before merging a
|
|
43
|
+
channel PR when you need to understand what Buildchain would do. This dry-run is
|
|
44
|
+
at the Buildchain release-line level. It explains:
|
|
45
|
+
|
|
46
|
+
- the legal source branch for the target channel;
|
|
47
|
+
- exact release or alpha tags that would be created or reused;
|
|
48
|
+
- floating tags and channel branches that would move;
|
|
49
|
+
- version-state files and verification lifecycle that would apply;
|
|
50
|
+
- branch protection, PR lineage, and release-from-alpha checks;
|
|
51
|
+
- publish transaction behavior when `lifecycle.publish` or
|
|
52
|
+
`publish-transaction` is enabled.
|
|
53
|
+
|
|
54
|
+
It does not move refs, move tags, write package files, run publish commands, or
|
|
55
|
+
publish npm packages. The GitHub action dry-run still calls GitHub APIs to
|
|
56
|
+
resolve the current target SHA and concrete pending ref updates, but every
|
|
57
|
+
write is reported as a dry-run update.
|
|
58
|
+
|
|
59
|
+
Repositories whose package version is anchored to an explicitly selected
|
|
60
|
+
upstream release can opt into manual next-anchor behavior:
|
|
61
|
+
|
|
62
|
+
```toml
|
|
63
|
+
[version]
|
|
64
|
+
required = true
|
|
65
|
+
strategy = "anchored"
|
|
66
|
+
next = "manual"
|
|
67
|
+
manifest = "libnode.release.json"
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
In this mode, the action validates the configured version files and anchor
|
|
71
|
+
manifest through the repository's verify lifecycle, but it does not rewrite the
|
|
72
|
+
package version to match the Buildchain release tag. After a production
|
|
73
|
+
release, it sets `next-anchor-required=true` and does not auto-create the next
|
|
74
|
+
alpha branch or tag. The repository must create the next upstream anchor line
|
|
75
|
+
explicitly, then run the normal channel promotion flow for that line.
|
|
76
|
+
|
|
77
|
+
When branch protection requires pull requests, generated version-state commits
|
|
78
|
+
are also routed through pull requests. The action creates an internal
|
|
79
|
+
`buildchain/version-state/...` branch and PR, then stops before moving tags. Once
|
|
80
|
+
that PR is reviewed, checked, and merged, the next promotion run verifies that
|
|
81
|
+
the merge only changed declared version-state files from the legal source
|
|
82
|
+
parent, then moves exact and floating refs.
|
|
83
|
+
|
|
84
|
+
## Publish Transactions
|
|
85
|
+
|
|
86
|
+
Promotion can also own external publish side effects. Enable this only from a
|
|
87
|
+
trusted channel workflow:
|
|
88
|
+
|
|
89
|
+
```yaml
|
|
90
|
+
- uses: kungfu-systems/buildchain/actions/promote-buildchain-ref@v2
|
|
91
|
+
with:
|
|
92
|
+
token: ${{ secrets.BUILDCHAIN_PROMOTION_TOKEN }}
|
|
93
|
+
sha: ${{ github.sha }}
|
|
94
|
+
target-ref: release/v2/v2.0
|
|
95
|
+
publish-transaction: "true"
|
|
96
|
+
publish-mode: publish-final-version
|
|
97
|
+
publish-auth: trusted-publishing
|
|
98
|
+
publish-required-artifacts-json: >-
|
|
99
|
+
[
|
|
100
|
+
{"kind":"npm","name":"@kungfu-tech/buildchain","ref":"2.0.0","digest":"sha256:..."}
|
|
101
|
+
]
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
When enabled, the action creates or resumes a release transaction keyed by
|
|
105
|
+
repository, version, source SHA, and target ref. It persists that transaction to
|
|
106
|
+
a machine-managed branch under `buildchain/release-state/<version>`, with
|
|
107
|
+
`state.json` and, once available, `evidence.json`. Fresh GitHub runners read
|
|
108
|
+
that durable ref before running publish, so reruns do not depend on a previous
|
|
109
|
+
runner's local `.buildchain` directory.
|
|
110
|
+
|
|
111
|
+
The action runs `lifecycle.publish` from `buildchain.toml` or the explicit
|
|
112
|
+
`publish-command` input, then validates publish evidence before exact tags and
|
|
113
|
+
floating refs move. If durable state persistence fails, the action fails closed
|
|
114
|
+
before publish or public ref finalization.
|
|
115
|
+
|
|
116
|
+
`publish-mode` defaults to `publish-final-version`, the token-free path for
|
|
117
|
+
normal npm Trusted Publishing. Same-version alpha-to-latest recovery must be
|
|
118
|
+
declared as `publish-mode: promote-existing-version` and
|
|
119
|
+
`publish-auth: npm-token`; Buildchain runs `npm whoami` before it creates
|
|
120
|
+
release-state or moves any `npm dist-tag`. The Trusted Publishing mode is not
|
|
121
|
+
allowed to perform `npm dist-tag add`.
|
|
122
|
+
|
|
123
|
+
Buildchain itself uses this path for npm. Its `lifecycle.publish` runs
|
|
124
|
+
`node scripts/npm-publish-transaction.mjs`, which publishes
|
|
125
|
+
`@kungfu-tech/buildchain` through npm Trusted Publishing and writes npm
|
|
126
|
+
artifact evidence into the transaction before release refs move. The separate
|
|
127
|
+
`.github/workflows/npm-publish.yml` workflow is dry-run only.
|
|
128
|
+
|
|
129
|
+
Publish lifecycle environment:
|
|
130
|
+
|
|
131
|
+
```text
|
|
132
|
+
BUILDCHAIN_VERSION
|
|
133
|
+
BUILDCHAIN_CHANNEL
|
|
134
|
+
BUILDCHAIN_SOURCE_SHA
|
|
135
|
+
BUILDCHAIN_TARGET_REF
|
|
136
|
+
BUILDCHAIN_RELEASE_STATE
|
|
137
|
+
BUILDCHAIN_EVIDENCE_DIR
|
|
138
|
+
BUILDCHAIN_RELEASE_SHA
|
|
139
|
+
BUILDCHAIN_RELEASE_MATERIAL_SHA
|
|
140
|
+
BUILDCHAIN_PUBLISH_TOOLING_SHA
|
|
141
|
+
BUILDCHAIN_PUBLISH_EVIDENCE
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
The action outputs `transaction-id`, `transaction-state`,
|
|
145
|
+
`transaction-exact-tag`, `transaction-release-sha`, `transaction-state-ref`,
|
|
146
|
+
`transaction-state-sha`, `transaction-state-path`, `publish-evidence-path`, and
|
|
147
|
+
`finalization-needed`. `transaction-state-ref` is the durable recovery location.
|
|
148
|
+
`finalization-needed=true` means publish evidence is valid, but protected branch
|
|
149
|
+
or ref finalization needs a later promotion run.
|
|
150
|
+
|
|
151
|
+
Finalization recovery is anchored to the durable transaction, not to a single
|
|
152
|
+
workflow run SHA. After a generated version-state PR is merged, the current
|
|
153
|
+
channel head can be a merge commit that contains or corresponds to the recorded
|
|
154
|
+
`release_material_sha`; it does not have to equal the original `source_sha` or
|
|
155
|
+
the transaction `release_sha`. Reruns accept exact tags that already point at
|
|
156
|
+
the transaction release/material SHA or the finalized channel head, and continue
|
|
157
|
+
moving any missing floating tags or dev/alpha refs before marking the
|
|
158
|
+
transaction `complete`.
|
|
159
|
+
|
|
160
|
+
Normal reruns accept already-published artifacts only when evidence matches.
|
|
161
|
+
Missing required artifacts can be published on the next run. Conflicting
|
|
162
|
+
artifacts put the transaction into `repair_required`; `abandoned` and
|
|
163
|
+
`failed_permanently` also fail closed unless `publish-transaction-override` is
|
|
164
|
+
set for a controlled repair.
|
|
165
|
+
|
|
166
|
+
In strict buildchain promotion, ref movement is also gated by the old ABV
|
|
167
|
+
governance semantics:
|
|
168
|
+
|
|
169
|
+
- the target channel branch protection details must be readable, must enforce
|
|
170
|
+
protection for administrators, and must require approving PR review plus the
|
|
171
|
+
strict `check` job from the `Verify` workflow;
|
|
172
|
+
- alpha promotion must come from a merged same-repository PR
|
|
173
|
+
`dev/vN/vN.M -> alpha/vN/vN.M`;
|
|
174
|
+
- release promotion must come from a merged same-repository PR
|
|
175
|
+
`alpha/vN/vN.M -> release/vN/vN.M`;
|
|
176
|
+
- major promotion must come from a merged same-repository PR
|
|
177
|
+
`release/vN/vN.M -> publish-gate/major`;
|
|
178
|
+
- release promotion must have an exact alpha tag for the same patch line, and
|
|
179
|
+
the release source tree must match that alpha tag tree, so release does not
|
|
180
|
+
introduce new code after alpha;
|
|
181
|
+
- generated release and next-alpha version-state trees can be verified locally
|
|
182
|
+
with either the `verification-command` input or `buildchain.toml`
|
|
183
|
+
`lifecycle.verify` before any tags or channel refs move.
|
|
184
|
+
|
|
185
|
+
The promotion workflow should use `BUILDCHAIN_PROMOTION_TOKEN` for non-dry-run
|
|
186
|
+
promotion. The token is the buildchain equivalent of the old ABV runner release
|
|
187
|
+
authority: protected branch review and check rules guard human channel merges,
|
|
188
|
+
while this action independently rechecks PR lineage, alpha/release tree
|
|
189
|
+
equivalence, and generated version-state verification before moving channel
|
|
190
|
+
refs and tags.
|
|
191
|
+
|
|
192
|
+
The tag names intentionally follow the old ABV release semantics:
|
|
193
|
+
exact release tags are `vX.Y.Z`, exact alpha tags are `vX.Y.Z-alpha.N`, floating
|
|
194
|
+
release tags are minor/major tags such as `v2.0` and `v2`, and floating alpha
|
|
195
|
+
tags are minor-line tags such as `v2.0-alpha`. Bare tags such as `1.0.0` are not
|
|
196
|
+
maintained as buildchain release entrypoints.
|
|
197
|
+
|
|
198
|
+
Repository rulesets should protect exact tags, not every `v*` tag. A ruleset
|
|
199
|
+
such as `refs/tags/v*` also protects floating channel tags like `v2.0-alpha`,
|
|
200
|
+
which Buildchain must update after exact tags and publish evidence are durable.
|
|
201
|
+
Use an exact-tag rule such as `refs/tags/v*.*.*` for immutable evidence tags and
|
|
202
|
+
leave floating channel tags mutable for the promotion token.
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# run-lifecycle
|
|
2
|
+
|
|
3
|
+
Run a Buildchain lifecycle stage or an explicit command and write a deterministic
|
|
4
|
+
artifact manifest.
|
|
5
|
+
|
|
6
|
+
```yaml
|
|
7
|
+
- uses: kungfu-systems/buildchain/actions/run-lifecycle@v2
|
|
8
|
+
with:
|
|
9
|
+
stage: build
|
|
10
|
+
required: "true"
|
|
11
|
+
artifact-name: my-product-linux-x64-${{ github.sha }}
|
|
12
|
+
artifact-paths: |
|
|
13
|
+
dist
|
|
14
|
+
build/stage
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
When `command` is provided, it overrides `buildchain.toml` for that invocation.
|
|
18
|
+
When `command` is empty, the action loads `buildchain.toml` and runs the named
|
|
19
|
+
stage.
|
|
20
|
+
|
|
21
|
+
The action writes both a full manifest and a compact summary. It also exposes
|
|
22
|
+
the summary as outputs for reusable workflow callers:
|
|
23
|
+
|
|
24
|
+
| Output | Meaning |
|
|
25
|
+
| --- | --- |
|
|
26
|
+
| `manifest-path` | Full manifest path |
|
|
27
|
+
| `summary-path` | Compact summary path |
|
|
28
|
+
| `artifact-name` | Resolved artifact name |
|
|
29
|
+
| `artifact-file-count` | Number of manifest files |
|
|
30
|
+
| `artifact-total-bytes` | Total manifest bytes |
|
|
31
|
+
| `artifact-summary-json` | One-line JSON summary |
|
|
32
|
+
| `expected-artifacts-ok` | `true` when expectations passed |
|
|
33
|
+
|
|
34
|
+
`expected-artifacts-json` can require exact paths, file count bounds, and a
|
|
35
|
+
minimum byte total:
|
|
36
|
+
|
|
37
|
+
```yaml
|
|
38
|
+
with:
|
|
39
|
+
expected-artifacts-json: >-
|
|
40
|
+
{"minFiles":2,"requiredPaths":["dist/app.tar.gz","dist/checksums.txt"]}
|
|
41
|
+
```
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# validate-config
|
|
2
|
+
|
|
3
|
+
Buildchain v2 action for validating `buildchain.toml` without running lifecycle
|
|
4
|
+
commands.
|
|
5
|
+
|
|
6
|
+
Use this action during repository migration when a heavyweight project needs to
|
|
7
|
+
prove that its Buildchain version state and lifecycle declaration are ready, but
|
|
8
|
+
the actual build should not run yet.
|
|
9
|
+
|
|
10
|
+
## Usage
|
|
11
|
+
|
|
12
|
+
```yaml
|
|
13
|
+
- uses: kungfu-systems/buildchain/actions/validate-config@v2
|
|
14
|
+
with:
|
|
15
|
+
require-version-state: "true"
|
|
16
|
+
require-lifecycle-stages: "install,build,verify"
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
The action checks:
|
|
20
|
+
|
|
21
|
+
- `buildchain.toml` exists and uses schema `1`;
|
|
22
|
+
- configured version-state files exist and expose a string version;
|
|
23
|
+
- anchored/manual version strategy declarations and JSON/TOML anchor manifests
|
|
24
|
+
are structurally valid when configured;
|
|
25
|
+
- web-surface project, channel, deploy adapter, retention, and staging security
|
|
26
|
+
declarations are structurally valid when configured;
|
|
27
|
+
- required lifecycle stages are declared and structurally valid.
|
|
28
|
+
|
|
29
|
+
It does not execute `lifecycle.install`, `lifecycle.build`, `lifecycle.verify`,
|
|
30
|
+
or any other lifecycle command.
|
|
31
|
+
|
|
32
|
+
Outputs include `project-type`, `project-name`, `project-site`, `channels`, and
|
|
33
|
+
`deploy-adapters-json`, so callers can route site workflows without reparsing
|
|
34
|
+
TOML in every repository.
|
package/docs/MAP.md
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Documentation Map
|
|
2
|
+
|
|
3
|
+
Start here. Find the question you have; follow it to the document that answers
|
|
4
|
+
it. This map is meant to be readable by both a person skimming for the right doc
|
|
5
|
+
and an agent grounding a specific claim.
|
|
6
|
+
|
|
7
|
+
Each row carries a **plane** - *why* (intent / rationale), *verify* (trust the
|
|
8
|
+
running artifact), *use* (consume / extend) - and a **status**:
|
|
9
|
+
|
|
10
|
+
- `stable` - current and holds.
|
|
11
|
+
- `draft` - exists, rough or incomplete.
|
|
12
|
+
- `to write` - planned; the material exists but is not yet a single doc.
|
|
13
|
+
- `retired` - intentionally not part of the active Buildchain v2 surface.
|
|
14
|
+
|
|
15
|
+
## Map
|
|
16
|
+
|
|
17
|
+
| Your question | Document | Plane | Status |
|
|
18
|
+
| --- | --- | --- | --- |
|
|
19
|
+
| What is Buildchain, in one idea? | [`../README.md`](../README.md) | - | stable |
|
|
20
|
+
| How do agents and contributors enter this repo? | [`../AGENTS.md`](../AGENTS.md) + [`../CONTRIBUTING.md`](../CONTRIBUTING.md) | use | stable |
|
|
21
|
+
| How do I install or run the `buildchain` CLI? | [`cli.md`](cli.md) | use | stable |
|
|
22
|
+
| How do I initialize a new repository? | [`cli.md`](cli.md) + [`lifecycle-protocol.md`](lifecycle-protocol.md) | use | stable |
|
|
23
|
+
| Why does Buildchain use branch-driven release governance? | [`release-governance.md`](release-governance.md) | why | stable |
|
|
24
|
+
| What exact branch/tag state machine runs on alpha, release, and major gate? | [`release-flow.md`](release-flow.md) | verify | stable |
|
|
25
|
+
| What did Buildchain migrate or retire from old action repositories? | [`migration-inventory.md`](migration-inventory.md) | verify | stable |
|
|
26
|
+
| What is the active action and workflow source of truth? | [`ownership.md`](ownership.md) | verify | stable |
|
|
27
|
+
| How do I declare version files and custom lifecycle commands? | [`lifecycle-protocol.md`](lifecycle-protocol.md) | use | stable |
|
|
28
|
+
| How does publish evidence, recovery, and finalization work? | [`publish-transaction.md`](publish-transaction.md) | verify | stable |
|
|
29
|
+
| How do I call the reusable build workflow? | [`reusable-build-surface.md`](reusable-build-surface.md) | use | stable |
|
|
30
|
+
| How do I deploy a site/app preview, staging, or production surface? | [`web-surface-deployments.md`](web-surface-deployments.md) | use | stable |
|
|
31
|
+
| How do I use the active actions directly? | [`../actions/validate-config/README.md`](../actions/validate-config/README.md), [`../actions/run-lifecycle/README.md`](../actions/run-lifecycle/README.md), [`../actions/promote-buildchain-ref/README.md`](../actions/promote-buildchain-ref/README.md) | use | stable |
|
|
32
|
+
| What do the fixture repositories demonstrate? | [`../fixtures/libnode-shaped/README.md`](../fixtures/libnode-shaped/README.md), [`../fixtures/publish-transaction-shaped/README.md`](../fixtures/publish-transaction-shaped/README.md), [`../fixtures/web-surface-shaped/README.md`](../fixtures/web-surface-shaped/README.md) | verify | stable |
|
|
33
|
+
| What license and contribution terms apply? | [`../LICENSE`](../LICENSE) + [`../LICENSE-POLICY.md`](../LICENSE-POLICY.md) | use | stable |
|
|
34
|
+
| How do I report a vulnerability? | [`../SECURITY.md`](../SECURITY.md) | use | stable |
|
|
35
|
+
|
|
36
|
+
## Also asking about
|
|
37
|
+
|
|
38
|
+
- **ABV / old workflows / old action repositories** -> [`release-governance.md`](release-governance.md)
|
|
39
|
+
and [`migration-inventory.md`](migration-inventory.md).
|
|
40
|
+
- **v2 / v2.0 / v2.0-alpha / exact tags / floating tags** ->
|
|
41
|
+
[`release-governance.md`](release-governance.md) and
|
|
42
|
+
[`release-flow.md`](release-flow.md).
|
|
43
|
+
- **dry-run / what would happen if this channel PR merges** -> [`cli.md`](cli.md)
|
|
44
|
+
and [`release-flow.md`](release-flow.md).
|
|
45
|
+
- **pnpm / npm / yarn / package-manager adapters** ->
|
|
46
|
+
[`lifecycle-protocol.md`](lifecycle-protocol.md).
|
|
47
|
+
- **pip / Conan / CMake / custom commands** -> [`lifecycle-protocol.md`](lifecycle-protocol.md)
|
|
48
|
+
and [`reusable-build-surface.md`](reusable-build-surface.md).
|
|
49
|
+
- **libnode / native artifacts / self-hosted runner matrix** ->
|
|
50
|
+
[`reusable-build-surface.md`](reusable-build-surface.md) and
|
|
51
|
+
[`../fixtures/libnode-shaped/README.md`](../fixtures/libnode-shaped/README.md).
|
|
52
|
+
- **Trusted Publishing / npm / publish evidence / recovery** ->
|
|
53
|
+
[`cli.md`](cli.md) and [`publish-transaction.md`](publish-transaction.md).
|
|
54
|
+
- **sites / web previews / staging / production gates** ->
|
|
55
|
+
[`web-surface-deployments.md`](web-surface-deployments.md).
|
|
56
|
+
|
|
57
|
+
## How this map is maintained
|
|
58
|
+
|
|
59
|
+
- A document becomes a row here when it is a stable entrypoint for a user,
|
|
60
|
+
contributor, or workflow consumer.
|
|
61
|
+
- A row's status must never claim more than the artifact delivers.
|
|
62
|
+
- `why` documents explain intent and design pressure; `verify` and `use`
|
|
63
|
+
documents should state what is guaranteed, where to verify it, and the current
|
|
64
|
+
maturity of that guarantee.
|
|
@@ -189,7 +189,8 @@ node scripts/write-publish-evidence.mjs
|
|
|
189
189
|
```
|
|
190
190
|
|
|
191
191
|
When `actions/promote-buildchain-ref` runs with `publish-transaction: "true"`,
|
|
192
|
-
the publish stage receives
|
|
192
|
+
the publish stage receives the transaction identity plus the resolved publish
|
|
193
|
+
contract:
|
|
193
194
|
|
|
194
195
|
```text
|
|
195
196
|
BUILDCHAIN_VERSION
|
|
@@ -202,6 +203,11 @@ BUILDCHAIN_RELEASE_SHA
|
|
|
202
203
|
BUILDCHAIN_RELEASE_MATERIAL_SHA
|
|
203
204
|
BUILDCHAIN_PUBLISH_TOOLING_SHA
|
|
204
205
|
BUILDCHAIN_PUBLISH_EVIDENCE
|
|
206
|
+
BUILDCHAIN_PUBLISH_MODE
|
|
207
|
+
BUILDCHAIN_PUBLISH_AUTH
|
|
208
|
+
BUILDCHAIN_NPM_DIST_TAG
|
|
209
|
+
BUILDCHAIN_PACKAGE_SET_ORDER
|
|
210
|
+
BUILDCHAIN_PACKAGE_SET_MAIN_PACKAGE
|
|
205
211
|
```
|
|
206
212
|
|
|
207
213
|
The stage must write publish evidence JSON. Buildchain validates that evidence
|
|
@@ -212,6 +218,20 @@ without local workspace residue. See
|
|
|
212
218
|
[`docs/publish-transaction.md`](publish-transaction.md) for the state machine,
|
|
213
219
|
evidence schema, and recovery commands.
|
|
214
220
|
|
|
221
|
+
For npm packages, prefer:
|
|
222
|
+
|
|
223
|
+
```toml
|
|
224
|
+
[publish]
|
|
225
|
+
mode = "publish-final-version"
|
|
226
|
+
auth = "trusted-publishing"
|
|
227
|
+
dist_tag = "latest"
|
|
228
|
+
```
|
|
229
|
+
|
|
230
|
+
Use `mode = "promote-existing-version"` only for explicit same-version
|
|
231
|
+
dist-tag recovery, and pair it with `auth = "npm-token"`. Trusted Publishing
|
|
232
|
+
does not authorize `npm dist-tag add`; Buildchain fails that combination before
|
|
233
|
+
any publish transaction side effect.
|
|
234
|
+
|
|
215
235
|
## Promotion Semantics
|
|
216
236
|
|
|
217
237
|
`actions/promote-buildchain-ref` consumes `version.files`, `lifecycle.verify`,
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
# Buildchain v2 Migration Inventory
|
|
2
|
+
|
|
3
|
+
This inventory records the buildchain v2 action surface. Buildchain v2 is the
|
|
4
|
+
monorepo source of truth for active Kungfu repository workflows, the active
|
|
5
|
+
reusable build workflow, and the three GitHub Actions that are still part of
|
|
6
|
+
Buildchain's reusable contract.
|
|
7
|
+
Standalone `workflows` and `action-*` repositories are historical rollback
|
|
8
|
+
anchors, not active Buildchain migration targets.
|
|
9
|
+
|
|
10
|
+
## Workflow Sources
|
|
11
|
+
|
|
12
|
+
| Source repository | Previous branch | Buildchain v2 disposition |
|
|
13
|
+
| --- | --- | --- |
|
|
14
|
+
| `workflows` | `dev/v2/v2.0` | root `.github/workflows` sources migrated; reusable workflows linted by actionlint |
|
|
15
|
+
|
|
16
|
+
## Reusable Workflow Boundaries
|
|
17
|
+
|
|
18
|
+
The active Buildchain-native reusable surface is:
|
|
19
|
+
|
|
20
|
+
| Workflow | Disposition |
|
|
21
|
+
| --- | --- |
|
|
22
|
+
| `.github/workflows/.build.yml` | active reusable build contract: runner presets, trusted event gate, publish source lock, lifecycle commands, deterministic artifacts, aggregate summary, and release manifest outputs |
|
|
23
|
+
|
|
24
|
+
Other hidden reusable workflow files from the old `workflows` repository may
|
|
25
|
+
still exist in `.github/workflows`. They are retained so the repository can lint
|
|
26
|
+
them, document migration boundaries, and make retired paths fail closed. They
|
|
27
|
+
are not new Buildchain v2 integration targets unless a dedicated document says
|
|
28
|
+
otherwise. In particular, the legacy `.release-new-version.yml` path is not the
|
|
29
|
+
modern publish surface; new publish integrations should use `.build.yml`,
|
|
30
|
+
`buildchain.toml`, `lifecycle.publish`, and publish transaction evidence.
|
|
31
|
+
|
|
32
|
+
## Migrated Actions
|
|
33
|
+
|
|
34
|
+
No standalone `action-*` repository is shipped as a Buildchain action anymore.
|
|
35
|
+
Old product, operations, PR-helper, page-generation, dependency-sync, and
|
|
36
|
+
version-bump actions have either been retired or absorbed into Buildchain's
|
|
37
|
+
native lifecycle, reusable workflow, and promotion scripts.
|
|
38
|
+
|
|
39
|
+
## Retired Actions Excluded From v2
|
|
40
|
+
|
|
41
|
+
These legacy action repositories are intentionally not shipped as buildchain v2
|
|
42
|
+
actions because the corresponding workflows now reject the retired mechanism or
|
|
43
|
+
because the action is part of that retired path.
|
|
44
|
+
|
|
45
|
+
| Previous repository | Reason |
|
|
46
|
+
| --- | --- |
|
|
47
|
+
| `action-approve` | retired GitHub issue/PR helper; use repository-native GitHub automation |
|
|
48
|
+
| `action-batch-pull-request` | retired PR orchestration helper; not part of the Buildchain reusable contract |
|
|
49
|
+
| `action-bump-version` | replaced by Buildchain release-line scripts and `actions/promote-buildchain-ref` |
|
|
50
|
+
| `action-check-format` | replaced by project-owned `lifecycle.verify` commands |
|
|
51
|
+
| `action-find-dependencies` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
52
|
+
| `action-generate-download-page` | retired product page generator; model as project-owned lifecycle/deploy work if needed |
|
|
53
|
+
| `action-generate-release-page` | retired product page generator; model as project-owned lifecycle/deploy work if needed |
|
|
54
|
+
| `action-merge-close-issue` | retired GitHub issue/PR helper; use repository-native GitHub automation |
|
|
55
|
+
| `action-package-dependency` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
56
|
+
| `action-publish-prebuilt` | retired S3 prebuilt publisher; use lifecycle publish plus publish transaction evidence |
|
|
57
|
+
| `action-purge-artifacts` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
58
|
+
| `action-qa-automated` | retired external QA trigger; model as project-owned lifecycle or workflow logic |
|
|
59
|
+
| `action-release-note` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
60
|
+
| `action-rollback-release` | replaced by Buildchain publish transaction recover/finalize/repair semantics |
|
|
61
|
+
| `action-set-collaborators` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
62
|
+
| `action-sync-airtable` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
63
|
+
| `action-sync-extensions-version` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
|
|
64
|
+
| `action-sync-pr` | retired PR synchronization helper; not part of the Buildchain reusable contract |
|
|
65
|
+
| `action-update-dependencies-version` | retired dependency-version helper; use package-manager adapters and lifecycle commands |
|
|
66
|
+
|
|
67
|
+
## Buildchain-Native Actions
|
|
68
|
+
|
|
69
|
+
These actions are new Buildchain v2 surfaces rather than migrations from an
|
|
70
|
+
older standalone action repository.
|
|
71
|
+
|
|
72
|
+
| Buildchain path | Purpose |
|
|
73
|
+
| --- | --- |
|
|
74
|
+
| `actions/promote-buildchain-ref` | governance-closed Buildchain release ref promotion |
|
|
75
|
+
| `actions/run-lifecycle` | lifecycle command execution and deterministic artifact manifest generation |
|
|
76
|
+
| `actions/validate-config` | `buildchain.toml` version-state and lifecycle preflight without executing lifecycle commands |
|
|
77
|
+
|
|
78
|
+
## Stable v2 Refs
|
|
79
|
+
|
|
80
|
+
- Actions: `kungfu-systems/buildchain/actions/<name>@v2`
|
|
81
|
+
- Reusable workflows: `kungfu-systems/buildchain/.github/workflows/<workflow>.yml@v2`
|
|
82
|
+
|
|
83
|
+
## Verification Gates
|
|
84
|
+
|
|
85
|
+
- `pnpm install --frozen-lockfile`
|
|
86
|
+
- `pnpm run check`
|
|
87
|
+
- GitHub-hosted `Verify` workflow
|
|
88
|
+
- Manual `Self-hosted Runner Smoke` workflow for trusted self-hosted runner validation
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
# Ownership And Migration Rules
|
|
2
|
+
|
|
3
|
+
## Source Of Truth
|
|
4
|
+
|
|
5
|
+
Buildchain v2 workflow and action design lands in this repository. Standalone
|
|
6
|
+
`workflows` and `action-*` repositories are historical rollback anchors.
|
|
7
|
+
Buildchain only ships the native action surface required for config validation,
|
|
8
|
+
lifecycle execution, and release ref promotion.
|
|
9
|
+
|
|
10
|
+
## Compatibility Rule
|
|
11
|
+
|
|
12
|
+
Do not break existing stable reusable workflow refs during migration:
|
|
13
|
+
|
|
14
|
+
- `kungfu-systems/workflows@v2`
|
|
15
|
+
|
|
16
|
+
Any consumer migration must record:
|
|
17
|
+
|
|
18
|
+
- old `uses:` refs;
|
|
19
|
+
- new `uses:` refs;
|
|
20
|
+
- workflow run ids;
|
|
21
|
+
- rollback command or revert path.
|
|
22
|
+
|
|
23
|
+
New stable references should use:
|
|
24
|
+
|
|
25
|
+
- `kungfu-systems/buildchain/actions/validate-config@v2`
|
|
26
|
+
- `kungfu-systems/buildchain/actions/run-lifecycle@v2`
|
|
27
|
+
- `kungfu-systems/buildchain/actions/promote-buildchain-ref@v2`
|
|
28
|
+
- `kungfu-systems/buildchain/.github/workflows/<workflow>.yml@v2`
|
|
29
|
+
|
|
30
|
+
## Publishing Rule
|
|
31
|
+
|
|
32
|
+
Publishing paths stay disabled in buildchain's own verification workflows unless
|
|
33
|
+
explicitly enabled by a production release workflow. Any consumer cutover that
|
|
34
|
+
publishes packages, S3 artifacts, release pages, or preview links must include
|
|
35
|
+
rollback notes. Reusable workflow consumers should gate publish jobs with
|
|
36
|
+
`needs.<build-job>.outputs.publish-allowed == 'true'` and record the requested
|
|
37
|
+
`publish-channel`, rather than duplicating channel branch logic in every
|
|
38
|
+
consumer workflow.
|
|
39
|
+
|
|
40
|
+
## Candidate Ref Rule
|
|
41
|
+
|
|
42
|
+
Candidate refs are expected to resolve under `kungfu-systems/*`. Broader
|
|
43
|
+
sources require an explicit trust decision before they can reach self-hosted
|
|
44
|
+
runners or secrets.
|
|
45
|
+
|
|
46
|
+
## Source-Locked Publish Rule
|
|
47
|
+
|
|
48
|
+
When a consumer uses `publish-gate/*` branches, publish jobs must use the
|
|
49
|
+
resolved `publish-source-sha` and `release-manifest-json` emitted by the reusable
|
|
50
|
+
build workflow. Before touching a package registry, S3 bucket, release page, or
|
|
51
|
+
floating alias, the publish job must verify that the gate branch still points at
|
|
52
|
+
the recorded SHA. A moved gate branch is a stale release decision, not a retry.
|
|
@@ -70,6 +70,13 @@ of reusing or overwriting that failed transaction slot.
|
|
|
70
70
|
Repositories declare publish work in `buildchain.toml`:
|
|
71
71
|
|
|
72
72
|
```toml
|
|
73
|
+
[publish]
|
|
74
|
+
mode = "publish-final-version"
|
|
75
|
+
auth = "trusted-publishing"
|
|
76
|
+
dist_tag = "latest"
|
|
77
|
+
package_set_order = "platforms-first-main-last"
|
|
78
|
+
main_package = "@kungfu-tech/libnode"
|
|
79
|
+
|
|
73
80
|
[lifecycle.publish]
|
|
74
81
|
commands = [
|
|
75
82
|
"python scripts/publish_wheels.py",
|
|
@@ -93,6 +100,11 @@ BUILDCHAIN_RELEASE_SHA
|
|
|
93
100
|
BUILDCHAIN_RELEASE_MATERIAL_SHA
|
|
94
101
|
BUILDCHAIN_PUBLISH_TOOLING_SHA
|
|
95
102
|
BUILDCHAIN_PUBLISH_EVIDENCE
|
|
103
|
+
BUILDCHAIN_PUBLISH_MODE
|
|
104
|
+
BUILDCHAIN_PUBLISH_AUTH
|
|
105
|
+
BUILDCHAIN_NPM_DIST_TAG
|
|
106
|
+
BUILDCHAIN_PACKAGE_SET_ORDER
|
|
107
|
+
BUILDCHAIN_PACKAGE_SET_MAIN_PACKAGE
|
|
96
108
|
```
|
|
97
109
|
|
|
98
110
|
Buildchain itself uses this contract for npm publishing:
|
|
@@ -103,7 +115,7 @@ command = "node scripts/npm-publish-transaction.mjs"
|
|
|
103
115
|
```
|
|
104
116
|
|
|
105
117
|
That script validates that `package.json` matches `BUILDCHAIN_VERSION`, runs
|
|
106
|
-
`npm publish --access public --tag <
|
|
118
|
+
`npm publish --access public --tag <BUILDCHAIN_NPM_DIST_TAG>` through npm Trusted
|
|
107
119
|
Publishing, and writes npm artifact evidence before the promotion action moves
|
|
108
120
|
public refs.
|
|
109
121
|
|
|
@@ -111,6 +123,33 @@ public refs.
|
|
|
111
123
|
match. `BUILDCHAIN_PUBLISH_TOOLING_SHA` identifies the publishing code. A repair
|
|
112
124
|
run may change tooling, but material drift fails closed.
|
|
113
125
|
|
|
126
|
+
## Release Modes And Auth
|
|
127
|
+
|
|
128
|
+
Buildchain distinguishes two npm release modes:
|
|
129
|
+
|
|
130
|
+
| Mode | Use | Auth | npm operation |
|
|
131
|
+
| --- | --- | --- | --- |
|
|
132
|
+
| `publish-final-version` | normal alpha or stable publication | `trusted-publishing` | `npm publish --tag <alpha|latest>` |
|
|
133
|
+
| `promote-existing-version` | same-version alpha-to-latest recovery | `npm-token` | `npm dist-tag add <pkg>@<version> latest` |
|
|
134
|
+
|
|
135
|
+
The normal libnode path is `publish-final-version`: publish an alpha package set
|
|
136
|
+
such as `22.22.3-kf.3-alpha.0` with the `alpha` dist-tag, then publish a
|
|
137
|
+
distinct final package set such as `22.22.3-kf.3` with the `latest` dist-tag.
|
|
138
|
+
GitHub-hosted npm Trusted Publishing can authorize those `npm publish` calls
|
|
139
|
+
when the workflow grants `id-token: write`.
|
|
140
|
+
|
|
141
|
+
`promote-existing-version` is deliberately separate. npm Trusted Publishing does
|
|
142
|
+
not authorize arbitrary registry-management operations such as `npm dist-tag
|
|
143
|
+
add`; it authorizes publish-time package provenance. Therefore same-version
|
|
144
|
+
promotion must declare `auth = "npm-token"`. Buildchain runs an npm token
|
|
145
|
+
preflight with `npm whoami` before it writes any release transaction state or
|
|
146
|
+
moves a dist-tag. Missing token auth fails early with a contract error instead
|
|
147
|
+
of a late `E401` after publish evidence has started to move.
|
|
148
|
+
|
|
149
|
+
For package sets, `package_set_order = "platforms-first-main-last"` makes the
|
|
150
|
+
main package the visibility gate. Platform package side effects are planned or
|
|
151
|
+
retried first, and the main package or main dist-tag move happens last.
|
|
152
|
+
|
|
114
153
|
## Evidence
|
|
115
154
|
|
|
116
155
|
The publish lifecycle must write JSON evidence. Buildchain validates common
|