@kungfu-tech/buildchain 2.2.1-alpha.0 → 2.2.1-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +147 -243
- package/dist/site/agent-index.json +13 -0
- package/dist/site/artifact-schemas.json +26 -0
- package/dist/site/buildchain-site.json +150 -0
- package/dist/site/cli-registry.json +58 -0
- package/dist/site/product-mechanism.json +20 -0
- package/dist/site/release-model.json +24 -0
- package/dist/site/release-provenance.json +34 -0
- package/dist/site/site-manifest.json +123 -0
- package/dist/site/workflow-registry.json +47 -0
- package/docs/MAP.md +16 -3
- package/docs/binary-distribution.md +70 -0
- package/docs/install.md +78 -0
- package/docs/product-mechanism.md +56 -0
- package/docs/release-passport.md +33 -5
- package/docs/site-bundle-contract.md +70 -0
- package/docs/toolkit-observability.md +70 -0
- package/package.json +20 -3
- package/scripts/check-inventory.mjs +30 -1
- package/scripts/create-release-bundle.mjs +163 -0
- package/scripts/generate-site-bundle.mjs +274 -0
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schemaVersion": 1,
|
|
3
|
+
"contract": "kungfu-buildchain-cli-registry",
|
|
4
|
+
"binary": "buildchain",
|
|
5
|
+
"npmPackage": "@kungfu-tech/buildchain",
|
|
6
|
+
"commands": [
|
|
7
|
+
{
|
|
8
|
+
"id": "version",
|
|
9
|
+
"usage": "buildchain version",
|
|
10
|
+
"purpose": "Print the package or embedded binary version."
|
|
11
|
+
},
|
|
12
|
+
{
|
|
13
|
+
"id": "init",
|
|
14
|
+
"usage": "buildchain init [--type package|native|web-surface|anchored-package]",
|
|
15
|
+
"purpose": "Bootstrap a repository with Buildchain configuration and caller workflow files."
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"id": "validate",
|
|
19
|
+
"usage": "buildchain validate [--require-version-state]",
|
|
20
|
+
"purpose": "Validate buildchain.toml and declared lifecycle surfaces."
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"id": "doctor",
|
|
24
|
+
"usage": "buildchain doctor [--json]",
|
|
25
|
+
"purpose": "Report local integration readiness."
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"id": "lifecycle",
|
|
29
|
+
"usage": "buildchain lifecycle run <stage>",
|
|
30
|
+
"purpose": "Run configured lifecycle commands and write deterministic artifact manifests."
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"id": "release-dry-run",
|
|
34
|
+
"usage": "buildchain release --dry-run --target-ref <ref>",
|
|
35
|
+
"purpose": "Explain what a channel merge would publish before the PR is merged."
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"id": "collect-github-release",
|
|
39
|
+
"usage": "buildchain collect github-release --tag <tag>",
|
|
40
|
+
"purpose": "Collect release assets into a release passport."
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"id": "verify-release-passport",
|
|
44
|
+
"usage": "buildchain verify release-passport <file-or-url>",
|
|
45
|
+
"purpose": "Fail closed unless a release passport and its evidence are complete."
|
|
46
|
+
},
|
|
47
|
+
{
|
|
48
|
+
"id": "logging",
|
|
49
|
+
"usage": "buildchain log|mark|span|verify observability-log",
|
|
50
|
+
"purpose": "Emit timestamped build events, summarize logs, and enforce required phases."
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"id": "npm-dry-run",
|
|
54
|
+
"usage": "buildchain npm dry-run --json",
|
|
55
|
+
"purpose": "Verify npm publish shape before a release transaction."
|
|
56
|
+
}
|
|
57
|
+
]
|
|
58
|
+
}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schemaVersion": 1,
|
|
3
|
+
"contract": "kungfu-buildchain-product-mechanism",
|
|
4
|
+
"name": "Buildchain",
|
|
5
|
+
"formalName": "Buildchain by Kungfu",
|
|
6
|
+
"category": "Buildchain Release Passport",
|
|
7
|
+
"purpose": "A mature product release record for artifacts that users or agents depend on.",
|
|
8
|
+
"executionSubstrate": "GitHub Actions, protected refs, exact tags, GitHub Releases, npm Trusted Publishing, and machine-readable evidence.",
|
|
9
|
+
"notA": [
|
|
10
|
+
"a replacement CI/CD platform",
|
|
11
|
+
"a binary-only release tool",
|
|
12
|
+
"a workflow file collection as the product boundary"
|
|
13
|
+
],
|
|
14
|
+
"proofCases": [
|
|
15
|
+
"multi-platform CLI archives",
|
|
16
|
+
"npm package publication",
|
|
17
|
+
"native and multi-artifact release passports",
|
|
18
|
+
"site facts consumed by buildchain.libkungfu.dev"
|
|
19
|
+
]
|
|
20
|
+
}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schemaVersion": 1,
|
|
3
|
+
"contract": "kungfu-buildchain-release-model",
|
|
4
|
+
"exactTags": "v-prefixed exact tags are immutable release records.",
|
|
5
|
+
"floatingTags": "vX, vX.Y, and vX.Y-alpha are channel pointers updated by Buildchain transactions.",
|
|
6
|
+
"channelBranches": [
|
|
7
|
+
"dev/vX/vX.Y",
|
|
8
|
+
"alpha/vX/vX.Y",
|
|
9
|
+
"release/vX/vX.Y",
|
|
10
|
+
"publish-gate/major"
|
|
11
|
+
],
|
|
12
|
+
"releasePassport": {
|
|
13
|
+
"entrypoint": "buildchain.release.json",
|
|
14
|
+
"bundle": "buildchain-release-bundle.tar.gz",
|
|
15
|
+
"contract": "kungfu-buildchain-release-passport"
|
|
16
|
+
},
|
|
17
|
+
"npm": {
|
|
18
|
+
"package": "@kungfu-tech/buildchain",
|
|
19
|
+
"command": "./bin/buildchain.mjs",
|
|
20
|
+
"versionSource": "package.json#version",
|
|
21
|
+
"alphaDistTag": "alpha",
|
|
22
|
+
"stableDistTag": "latest"
|
|
23
|
+
}
|
|
24
|
+
}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schemaVersion": 1,
|
|
3
|
+
"contract": "kungfu-buildchain-release-provenance",
|
|
4
|
+
"package": {
|
|
5
|
+
"name": "@kungfu-tech/buildchain",
|
|
6
|
+
"versionSource": "package.json#version",
|
|
7
|
+
"bin": {
|
|
8
|
+
"buildchain": "./bin/buildchain.mjs"
|
|
9
|
+
},
|
|
10
|
+
"exports": {
|
|
11
|
+
".": "./packages/core/index.js",
|
|
12
|
+
"./core": "./packages/core/index.js",
|
|
13
|
+
"./logging": "./packages/core/logging.js",
|
|
14
|
+
"./release-passport": "./packages/core/release-passport.js",
|
|
15
|
+
"./site/buildchain-site.json": "./dist/site/buildchain-site.json",
|
|
16
|
+
"./site/site-manifest.json": "./dist/site/site-manifest.json",
|
|
17
|
+
"./site/cli-registry.json": "./dist/site/cli-registry.json",
|
|
18
|
+
"./site/workflow-registry.json": "./dist/site/workflow-registry.json",
|
|
19
|
+
"./site/release-model.json": "./dist/site/release-model.json",
|
|
20
|
+
"./site/artifact-schemas.json": "./dist/site/artifact-schemas.json",
|
|
21
|
+
"./site/product-mechanism.json": "./dist/site/product-mechanism.json",
|
|
22
|
+
"./site/release-provenance.json": "./dist/site/release-provenance.json",
|
|
23
|
+
"./site/agent-index.json": "./dist/site/agent-index.json",
|
|
24
|
+
"./package.json": "./package.json"
|
|
25
|
+
}
|
|
26
|
+
},
|
|
27
|
+
"repository": "https://github.com/kungfu-systems/buildchain",
|
|
28
|
+
"packageManager": "pnpm@11.7.0",
|
|
29
|
+
"inventoryRelease": "buildchain-v2",
|
|
30
|
+
"stableRefs": {
|
|
31
|
+
"actions": "kungfu-systems/buildchain/actions/<name>@v2",
|
|
32
|
+
"workflows": "kungfu-systems/buildchain/.github/workflows/<workflow>.yml@v2"
|
|
33
|
+
}
|
|
34
|
+
}
|
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schemaVersion": 1,
|
|
3
|
+
"contract": "kungfu-buildchain-site-manifest",
|
|
4
|
+
"product": {
|
|
5
|
+
"name": "Buildchain",
|
|
6
|
+
"formalName": "Buildchain by Kungfu",
|
|
7
|
+
"category": "Buildchain Release Passport"
|
|
8
|
+
},
|
|
9
|
+
"package": {
|
|
10
|
+
"name": "@kungfu-tech/buildchain",
|
|
11
|
+
"versionSource": "package.json#version"
|
|
12
|
+
},
|
|
13
|
+
"entrypoint": "buildchain-site.json",
|
|
14
|
+
"docs": [
|
|
15
|
+
{
|
|
16
|
+
"id": "install",
|
|
17
|
+
"title": "Install and verify Buildchain",
|
|
18
|
+
"path": "docs/install.md",
|
|
19
|
+
"plane": "use",
|
|
20
|
+
"exists": true
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"id": "release-passport",
|
|
24
|
+
"title": "Release Passport protocol",
|
|
25
|
+
"path": "docs/release-passport.md",
|
|
26
|
+
"plane": "verify",
|
|
27
|
+
"exists": true
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
"id": "binary-distribution",
|
|
31
|
+
"title": "Binary distribution contract",
|
|
32
|
+
"path": "docs/binary-distribution.md",
|
|
33
|
+
"plane": "verify",
|
|
34
|
+
"exists": true
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"id": "toolkit-observability",
|
|
38
|
+
"title": "Toolkit observability",
|
|
39
|
+
"path": "docs/toolkit-observability.md",
|
|
40
|
+
"plane": "use",
|
|
41
|
+
"exists": true
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
"id": "site-bundle-contract",
|
|
45
|
+
"title": "Site bundle contract",
|
|
46
|
+
"path": "docs/site-bundle-contract.md",
|
|
47
|
+
"plane": "use",
|
|
48
|
+
"exists": true
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
"id": "product-mechanism",
|
|
52
|
+
"title": "Product mechanism",
|
|
53
|
+
"path": "docs/product-mechanism.md",
|
|
54
|
+
"plane": "why",
|
|
55
|
+
"exists": true
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
"id": "cli",
|
|
59
|
+
"title": "CLI and npm package",
|
|
60
|
+
"path": "docs/cli.md",
|
|
61
|
+
"plane": "use",
|
|
62
|
+
"exists": true
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
"id": "lifecycle-protocol",
|
|
66
|
+
"title": "Lifecycle protocol",
|
|
67
|
+
"path": "docs/lifecycle-protocol.md",
|
|
68
|
+
"plane": "use",
|
|
69
|
+
"exists": true
|
|
70
|
+
},
|
|
71
|
+
{
|
|
72
|
+
"id": "reusable-build-surface",
|
|
73
|
+
"title": "Reusable build surface",
|
|
74
|
+
"path": "docs/reusable-build-surface.md",
|
|
75
|
+
"plane": "use",
|
|
76
|
+
"exists": true
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"id": "publish-transaction",
|
|
80
|
+
"title": "Publish transaction",
|
|
81
|
+
"path": "docs/publish-transaction.md",
|
|
82
|
+
"plane": "verify",
|
|
83
|
+
"exists": true
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
"id": "release-governance",
|
|
87
|
+
"title": "Release governance",
|
|
88
|
+
"path": "docs/release-governance.md",
|
|
89
|
+
"plane": "why",
|
|
90
|
+
"exists": true
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
"id": "release-flow",
|
|
94
|
+
"title": "Release flow",
|
|
95
|
+
"path": "docs/release-flow.md",
|
|
96
|
+
"plane": "verify",
|
|
97
|
+
"exists": true
|
|
98
|
+
},
|
|
99
|
+
{
|
|
100
|
+
"id": "versioning",
|
|
101
|
+
"title": "Versioning",
|
|
102
|
+
"path": "docs/versioning.md",
|
|
103
|
+
"plane": "why",
|
|
104
|
+
"exists": true
|
|
105
|
+
},
|
|
106
|
+
{
|
|
107
|
+
"id": "web-surface-deployments",
|
|
108
|
+
"title": "Web surface deployments",
|
|
109
|
+
"path": "docs/web-surface-deployments.md",
|
|
110
|
+
"plane": "use",
|
|
111
|
+
"exists": true
|
|
112
|
+
}
|
|
113
|
+
],
|
|
114
|
+
"facts": [
|
|
115
|
+
"cli-registry.json",
|
|
116
|
+
"workflow-registry.json",
|
|
117
|
+
"release-model.json",
|
|
118
|
+
"artifact-schemas.json",
|
|
119
|
+
"product-mechanism.json",
|
|
120
|
+
"release-provenance.json",
|
|
121
|
+
"agent-index.json"
|
|
122
|
+
]
|
|
123
|
+
}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schemaVersion": 1,
|
|
3
|
+
"contract": "kungfu-buildchain-workflow-registry",
|
|
4
|
+
"workflows": [
|
|
5
|
+
{
|
|
6
|
+
"id": "build",
|
|
7
|
+
"path": ".github/workflows/.build.yml",
|
|
8
|
+
"surface": "reusable-build",
|
|
9
|
+
"status": "active"
|
|
10
|
+
},
|
|
11
|
+
{
|
|
12
|
+
"id": "web-surface",
|
|
13
|
+
"path": ".github/workflows/.web-surface.yml",
|
|
14
|
+
"surface": "site-app-deployment",
|
|
15
|
+
"status": "active"
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"id": "buildchain-ref-promotion",
|
|
19
|
+
"path": ".github/workflows/buildchain-ref-promotion.yml",
|
|
20
|
+
"surface": "release-governance",
|
|
21
|
+
"status": "active"
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
"id": "binary-distribution",
|
|
25
|
+
"path": ".github/workflows/binary-distribution.yml",
|
|
26
|
+
"surface": "release-passport",
|
|
27
|
+
"status": "active"
|
|
28
|
+
}
|
|
29
|
+
],
|
|
30
|
+
"actions": [
|
|
31
|
+
{
|
|
32
|
+
"id": "validate-config",
|
|
33
|
+
"path": "actions/validate-config",
|
|
34
|
+
"status": "active"
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"id": "run-lifecycle",
|
|
38
|
+
"path": "actions/run-lifecycle",
|
|
39
|
+
"status": "active"
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
"id": "promote-buildchain-ref",
|
|
43
|
+
"path": "actions/promote-buildchain-ref",
|
|
44
|
+
"status": "active"
|
|
45
|
+
}
|
|
46
|
+
]
|
|
47
|
+
}
|
package/docs/MAP.md
CHANGED
|
@@ -17,8 +17,10 @@ running artifact), *use* (consume / extend) - and a **status**:
|
|
|
17
17
|
| Your question | Document | Plane | Status |
|
|
18
18
|
| --- | --- | --- | --- |
|
|
19
19
|
| What is Buildchain, in one idea? | [`../README.md`](../README.md) | - | stable |
|
|
20
|
+
| Why is Buildchain a Release Passport mechanism rather than a generic workflow collection? | [`product-mechanism.md`](product-mechanism.md) | why | stable |
|
|
20
21
|
| How do agents and contributors enter this repo? | [`../AGENTS.md`](../AGENTS.md) + [`../CONTRIBUTING.md`](../CONTRIBUTING.md) | use | stable |
|
|
21
|
-
| How do I install
|
|
22
|
+
| How do I install a standalone binary or npm package? | [`install.md`](install.md) | use | stable |
|
|
23
|
+
| How do I run the `buildchain` CLI? | [`cli.md`](cli.md) | use | stable |
|
|
22
24
|
| How do I initialize a new repository? | [`cli.md`](cli.md) + [`lifecycle-protocol.md`](lifecycle-protocol.md) | use | stable |
|
|
23
25
|
| Why does Buildchain use branch-driven release governance? | [`release-governance.md`](release-governance.md) | why | stable |
|
|
24
26
|
| How does Buildchain decide patch, minor, and major release lines? | [`versioning.md`](versioning.md) | why | stable |
|
|
@@ -27,7 +29,10 @@ running artifact), *use* (consume / extend) - and a **status**:
|
|
|
27
29
|
| What is the active action and workflow source of truth? | [`ownership.md`](ownership.md) | verify | stable |
|
|
28
30
|
| How do I declare version files and custom lifecycle commands? | [`lifecycle-protocol.md`](lifecycle-protocol.md) | use | stable |
|
|
29
31
|
| How does publish evidence, recovery, and finalization work? | [`publish-transaction.md`](publish-transaction.md) | verify | stable |
|
|
30
|
-
| How do I publish or verify
|
|
32
|
+
| How do I publish or verify release passport artifacts? | [`release-passport.md`](release-passport.md) | use | stable |
|
|
33
|
+
| Why are binary release assets archived by platform, and where is the single bundle? | [`binary-distribution.md`](binary-distribution.md) | verify | stable |
|
|
34
|
+
| How do I add timestamped logs inside build scripts? | [`toolkit-observability.md`](toolkit-observability.md) | use | stable |
|
|
35
|
+
| What package-owned facts should buildchain.libkungfu.dev render? | [`site-bundle-contract.md`](site-bundle-contract.md) | use | stable |
|
|
31
36
|
| How do I call the reusable build workflow? | [`reusable-build-surface.md`](reusable-build-surface.md) | use | stable |
|
|
32
37
|
| How do I deploy a site/app preview, staging, or production surface? | [`web-surface-deployments.md`](web-surface-deployments.md) | use | stable |
|
|
33
38
|
| How do I use the active actions directly? | [`../actions/validate-config/README.md`](../actions/validate-config/README.md), [`../actions/run-lifecycle/README.md`](../actions/run-lifecycle/README.md), [`../actions/promote-buildchain-ref/README.md`](../actions/promote-buildchain-ref/README.md) | use | stable |
|
|
@@ -53,10 +58,18 @@ running artifact), *use* (consume / extend) - and a **status**:
|
|
|
53
58
|
- **libnode / native artifacts / self-hosted runner matrix** ->
|
|
54
59
|
[`reusable-build-surface.md`](reusable-build-surface.md) and
|
|
55
60
|
[`../fixtures/libnode-shaped/README.md`](../fixtures/libnode-shaped/README.md).
|
|
61
|
+
- **standalone binary install / platform archives / GitHub Release bundle** ->
|
|
62
|
+
[`install.md`](install.md), [`binary-distribution.md`](binary-distribution.md),
|
|
63
|
+
and [`release-passport.md`](release-passport.md).
|
|
56
64
|
- **Trusted Publishing / npm / publish evidence / recovery** ->
|
|
57
65
|
[`cli.md`](cli.md) and [`publish-transaction.md`](publish-transaction.md).
|
|
58
66
|
- **GitHub Release passport / binary assets / artifact evidence / agent release checks** ->
|
|
59
|
-
[`release-passport.md`](release-passport.md)
|
|
67
|
+
[`release-passport.md`](release-passport.md),
|
|
68
|
+
[`binary-distribution.md`](binary-distribution.md), and [`cli.md`](cli.md).
|
|
69
|
+
- **Buildchain logging / timestamps / consumer build phase timing** ->
|
|
70
|
+
[`toolkit-observability.md`](toolkit-observability.md) and [`cli.md`](cli.md).
|
|
71
|
+
- **buildchain.libkungfu.dev / package-owned site facts** ->
|
|
72
|
+
[`site-bundle-contract.md`](site-bundle-contract.md).
|
|
60
73
|
- **sites / web previews / staging / production gates** ->
|
|
61
74
|
[`web-surface-deployments.md`](web-surface-deployments.md).
|
|
62
75
|
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
# Binary Distribution
|
|
2
|
+
|
|
3
|
+
Buildchain's binary distribution is the first high-pressure proof case for the
|
|
4
|
+
Release Passport protocol. It is not the boundary of the product.
|
|
5
|
+
|
|
6
|
+
## Asset Rules
|
|
7
|
+
|
|
8
|
+
GitHub Release assets use platform-specific archives:
|
|
9
|
+
|
|
10
|
+
- `buildchain-x86_64-unknown-linux-gnu.tar.gz`
|
|
11
|
+
- `buildchain-aarch64-apple-darwin.tar.gz`
|
|
12
|
+
- `buildchain-x86_64-pc-windows-msvc.zip`
|
|
13
|
+
|
|
14
|
+
The release lane does not upload loose top-level `buildchain` or
|
|
15
|
+
`buildchain.exe` assets. Linux and macOS both name the executable `buildchain`
|
|
16
|
+
inside their archives, so top-level loose assets would collide when matrix
|
|
17
|
+
artifacts are merged.
|
|
18
|
+
|
|
19
|
+
Each archive is accompanied by:
|
|
20
|
+
|
|
21
|
+
- a platform manifest from the standalone binary builder;
|
|
22
|
+
- platform observability event logs and summaries;
|
|
23
|
+
- `checksums.txt`;
|
|
24
|
+
- Release Passport evidence files;
|
|
25
|
+
- `buildchain-release-bundle.tar.gz`;
|
|
26
|
+
- `buildchain-release-bundle.json`.
|
|
27
|
+
|
|
28
|
+
## Runner Policy
|
|
29
|
+
|
|
30
|
+
Production binary builds use GitHub-hosted runners:
|
|
31
|
+
|
|
32
|
+
- `ubuntu-24.04`
|
|
33
|
+
- `macos-latest`
|
|
34
|
+
- `windows-2022`
|
|
35
|
+
|
|
36
|
+
Self-hosted runners are compatibility fixtures. They can prove that consumers
|
|
37
|
+
with private runner fleets can still use the protocol, but Buildchain's public
|
|
38
|
+
binary distribution should stay reproducible on GitHub-hosted runners.
|
|
39
|
+
|
|
40
|
+
## Evidence Bundle
|
|
41
|
+
|
|
42
|
+
`buildchain-release-bundle.tar.gz` groups release assets and passport evidence
|
|
43
|
+
under one archive:
|
|
44
|
+
|
|
45
|
+
```text
|
|
46
|
+
buildchain-release-bundle/
|
|
47
|
+
release-assets/
|
|
48
|
+
release-passport/
|
|
49
|
+
buildchain-release-bundle.index.json
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
`buildchain-release-bundle.json` records the bundle digest and every included
|
|
53
|
+
file digest. Consumers can download the bundle when they want one artifact for
|
|
54
|
+
offline review, mirroring, or site ingestion.
|
|
55
|
+
|
|
56
|
+
## Local Smoke
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
node scripts/build-standalone-binary.mjs --version v0.0.0-local --output-dir dist/binary
|
|
60
|
+
node bin/buildchain.mjs collect github-release \
|
|
61
|
+
--tag v0.0.0-local \
|
|
62
|
+
--assets-dir dist/binary \
|
|
63
|
+
--output-dir .buildchain/release-passport
|
|
64
|
+
node scripts/create-release-bundle.mjs \
|
|
65
|
+
--assets-dir dist/binary \
|
|
66
|
+
--passport-dir .buildchain/release-passport \
|
|
67
|
+
--output-dir .buildchain/release-passport \
|
|
68
|
+
--tag v0.0.0-local
|
|
69
|
+
```
|
|
70
|
+
|
package/docs/install.md
ADDED
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
# Install and Verify Buildchain
|
|
2
|
+
|
|
3
|
+
Buildchain can be consumed as a standalone binary, an npm package, or a
|
|
4
|
+
repository workflow surface. In every case, verify the release record before
|
|
5
|
+
adopting a new version.
|
|
6
|
+
|
|
7
|
+
## Standalone Binary
|
|
8
|
+
|
|
9
|
+
Use the archive that matches the platform:
|
|
10
|
+
|
|
11
|
+
| Platform | Asset |
|
|
12
|
+
| --- | --- |
|
|
13
|
+
| Linux x64 | `buildchain-x86_64-unknown-linux-gnu.tar.gz` |
|
|
14
|
+
| macOS arm64 | `buildchain-aarch64-apple-darwin.tar.gz` |
|
|
15
|
+
| Windows x64 | `buildchain-x86_64-pc-windows-msvc.zip` |
|
|
16
|
+
|
|
17
|
+
Linux example:
|
|
18
|
+
|
|
19
|
+
```bash
|
|
20
|
+
tag=v2.2.1
|
|
21
|
+
base="https://github.com/kungfu-systems/buildchain/releases/download/${tag}"
|
|
22
|
+
curl -LO "${base}/buildchain-x86_64-unknown-linux-gnu.tar.gz"
|
|
23
|
+
curl -LO "${base}/buildchain.release.json"
|
|
24
|
+
curl -LO "${base}/artifact-evidence.json"
|
|
25
|
+
npx @kungfu-tech/buildchain verify release-passport buildchain.release.json
|
|
26
|
+
tar -xzf buildchain-x86_64-unknown-linux-gnu.tar.gz
|
|
27
|
+
./buildchain version
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
Windows example:
|
|
31
|
+
|
|
32
|
+
```powershell
|
|
33
|
+
$tag = "v2.2.1"
|
|
34
|
+
$base = "https://github.com/kungfu-systems/buildchain/releases/download/$tag"
|
|
35
|
+
Invoke-WebRequest "$base/buildchain-x86_64-pc-windows-msvc.zip" -OutFile buildchain.zip
|
|
36
|
+
Invoke-WebRequest "$base/buildchain.release.json" -OutFile buildchain.release.json
|
|
37
|
+
Invoke-WebRequest "$base/artifact-evidence.json" -OutFile artifact-evidence.json
|
|
38
|
+
npx @kungfu-tech/buildchain verify release-passport buildchain.release.json
|
|
39
|
+
Expand-Archive buildchain.zip -DestinationPath .
|
|
40
|
+
.\buildchain.exe version
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
The GitHub Release page does not publish loose top-level `buildchain` or
|
|
44
|
+
`buildchain.exe` files. The executable is inside each platform archive.
|
|
45
|
+
|
|
46
|
+
## npm Package
|
|
47
|
+
|
|
48
|
+
```bash
|
|
49
|
+
npm install -D @kungfu-tech/buildchain
|
|
50
|
+
npx buildchain version
|
|
51
|
+
npx buildchain doctor --json
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
Alpha releases publish to the `alpha` npm dist-tag. Stable releases publish to
|
|
55
|
+
`latest`. Both are created by the protected Buildchain promotion transaction.
|
|
56
|
+
|
|
57
|
+
## Repository Integration
|
|
58
|
+
|
|
59
|
+
```bash
|
|
60
|
+
npx @kungfu-tech/buildchain init --type package --package-manager pnpm
|
|
61
|
+
npx @kungfu-tech/buildchain validate --require-version-state
|
|
62
|
+
npx @kungfu-tech/buildchain release --dry-run --target-ref alpha/v2/v2.2
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Use `buildchain.toml` to declare lifecycle commands. The commands may use Node
|
|
66
|
+
package managers or non-Node tools such as pip, Conan, CMake, Make, or project
|
|
67
|
+
scripts.
|
|
68
|
+
|
|
69
|
+
## Verify a Release Passport
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
buildchain verify release-passport buildchain.release.json
|
|
73
|
+
buildchain explain release --passport buildchain.release.json --for agent --json
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
The verifier fails closed when the passport or its sibling evidence files are
|
|
77
|
+
missing required fields or mismatching artifact digests.
|
|
78
|
+
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
# Product Mechanism
|
|
2
|
+
|
|
3
|
+
Buildchain's product boundary is the Release Passport: a mature product release
|
|
4
|
+
record for artifacts that users or agents depend on.
|
|
5
|
+
|
|
6
|
+
## Design Pressure
|
|
7
|
+
|
|
8
|
+
Many repositories can already compile, test, and upload artifacts. The hard
|
|
9
|
+
problem is proving what a release means after it has been promoted:
|
|
10
|
+
|
|
11
|
+
- which reviewed source state was released;
|
|
12
|
+
- which exact version-state commit and tag represent that release;
|
|
13
|
+
- which artifacts were created;
|
|
14
|
+
- which checks and publish steps were allowed to run;
|
|
15
|
+
- which floating channel refs now point at that release;
|
|
16
|
+
- how another human or agent can verify, explain, mirror, or roll back the
|
|
17
|
+
release without asking the maintainer to reconstruct the story.
|
|
18
|
+
|
|
19
|
+
Buildchain uses GitHub as the substrate for this proof. It does not require a
|
|
20
|
+
project to abandon its existing build system.
|
|
21
|
+
|
|
22
|
+
## What the Passport Solves
|
|
23
|
+
|
|
24
|
+
The passport turns a release into a durable record:
|
|
25
|
+
|
|
26
|
+
- exact tags are immutable release identities;
|
|
27
|
+
- floating refs are explicitly machine-updated channel pointers;
|
|
28
|
+
- version files are changed by version-state commits, not by unpublished local
|
|
29
|
+
edits;
|
|
30
|
+
- build and publish evidence is machine-readable;
|
|
31
|
+
- release checks fail closed when evidence is incomplete;
|
|
32
|
+
- site and documentation facts can be generated from the package instead of
|
|
33
|
+
being copied by hand.
|
|
34
|
+
|
|
35
|
+
## Why Binary Distribution Matters
|
|
36
|
+
|
|
37
|
+
Binary artifacts are a strong proof case because users and agents may execute
|
|
38
|
+
them directly. That makes checksums, runner facts, package evidence, and
|
|
39
|
+
rollback instructions more urgent.
|
|
40
|
+
|
|
41
|
+
The protocol is not binary-bound. The same release passport model applies to
|
|
42
|
+
npm packages, Python wheels, OCI images, native SDK archives, web-surface
|
|
43
|
+
deployments, and multi-artifact product releases.
|
|
44
|
+
|
|
45
|
+
## Naming
|
|
46
|
+
|
|
47
|
+
Use these names consistently:
|
|
48
|
+
|
|
49
|
+
- Product name: `Buildchain`
|
|
50
|
+
- Formal first mention: `Buildchain by Kungfu`
|
|
51
|
+
- Category anchor: `Buildchain Release Passport`
|
|
52
|
+
- Core release record: `buildchain.release.json`
|
|
53
|
+
|
|
54
|
+
Avoid defining Buildchain as only a workflow collection, a binary distributor,
|
|
55
|
+
or a replacement CI/CD platform.
|
|
56
|
+
|
package/docs/release-passport.md
CHANGED
|
@@ -1,8 +1,12 @@
|
|
|
1
|
-
# Release Passport
|
|
1
|
+
# Release Passport
|
|
2
2
|
|
|
3
|
-
Buildchain
|
|
4
|
-
|
|
5
|
-
|
|
3
|
+
Buildchain Release Passport is the core product mechanism: a mature product
|
|
4
|
+
release record for artifacts that users or agents depend on.
|
|
5
|
+
|
|
6
|
+
The protocol is GitHub-native because it uses protected refs, reviewed
|
|
7
|
+
promotion PRs, exact tags, GitHub Releases, npm Trusted Publishing, and
|
|
8
|
+
machine-readable evidence. A project can keep its existing build system and use
|
|
9
|
+
Buildchain to make the release record auditable.
|
|
6
10
|
|
|
7
11
|
## Contract
|
|
8
12
|
|
|
@@ -16,7 +20,10 @@ P0 protocol artifacts:
|
|
|
16
20
|
- `artifact-evidence.json`
|
|
17
21
|
- `impact.json`
|
|
18
22
|
- `agent-index.json`
|
|
23
|
+
- `check-report.json`
|
|
19
24
|
- `llms.txt`
|
|
25
|
+
- `buildchain-release-bundle.json`
|
|
26
|
+
- `buildchain-release-bundle.tar.gz`
|
|
20
27
|
|
|
21
28
|
`buildchain.release.json` is the first file an agent should read. It points to
|
|
22
29
|
artifact evidence, impact, recovery, product mechanism, and agent index facts.
|
|
@@ -28,6 +35,11 @@ the Buildchain logging API and CLI:
|
|
|
28
35
|
- `buildchain-log-events-passport.jsonl`
|
|
29
36
|
- `buildchain-log-summary-passport.json`
|
|
30
37
|
|
|
38
|
+
`buildchain-release-bundle.tar.gz` is the single evidence bundle for consumers
|
|
39
|
+
that want one file for offline inspection, mirroring, or site ingestion.
|
|
40
|
+
`buildchain-release-bundle.json` records its digest and the digest of every
|
|
41
|
+
included file.
|
|
42
|
+
|
|
31
43
|
## Runner Policy
|
|
32
44
|
|
|
33
45
|
Production binary distribution should use GitHub-hosted runners by default:
|
|
@@ -81,7 +93,20 @@ Initial binary distribution stays lightweight:
|
|
|
81
93
|
- GitHub Release assets.
|
|
82
94
|
- `checksums.txt`.
|
|
83
95
|
- release passport artifacts.
|
|
84
|
-
-
|
|
96
|
+
- a single release evidence bundle.
|
|
97
|
+
- install scripts and Homebrew tap fixtures after the passport path is reliable.
|
|
98
|
+
|
|
99
|
+
Buildchain publishes platform-specific archives, not loose top-level
|
|
100
|
+
executables:
|
|
101
|
+
|
|
102
|
+
- `buildchain-x86_64-unknown-linux-gnu.tar.gz`
|
|
103
|
+
- `buildchain-aarch64-apple-darwin.tar.gz`
|
|
104
|
+
- `buildchain-x86_64-pc-windows-msvc.zip`
|
|
105
|
+
|
|
106
|
+
The executable name inside each archive stays natural for the platform
|
|
107
|
+
(`buildchain` or `buildchain.exe`). Top-level loose executable assets are not
|
|
108
|
+
uploaded, because Linux and macOS would otherwise collide when GitHub Actions
|
|
109
|
+
matrix artifacts are merged.
|
|
85
110
|
|
|
86
111
|
Heavy package manager channels such as apt, yum, winget, choco, Scoop, mise, or
|
|
87
112
|
asdf are out of the P0/P1 scope until there is real external demand.
|
|
@@ -97,3 +122,6 @@ steps with `buildchain mark`, `buildchain span`,
|
|
|
97
122
|
a hard release gate: missing events, error events, or missing required phases
|
|
98
123
|
fail the job before assets are uploaded. The verified logs are release assets
|
|
99
124
|
and are covered by the release passport digest checks.
|
|
125
|
+
|
|
126
|
+
See also [`binary-distribution.md`](binary-distribution.md) for asset naming and
|
|
127
|
+
bundle details, and [`install.md`](install.md) for consumer commands.
|