@kungfu-tech/buildchain 2.3.1-alpha.0 → 2.3.1-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +11 -0
- package/CONTRIBUTING.md +12 -2
- package/README.md +21 -0
- package/actions/promote-buildchain-ref/README.md +39 -1
- package/actions/run-lifecycle/README.md +20 -0
- package/bin/buildchain.mjs +253 -8
- package/dist/site/cli-registry.json +5 -0
- package/dist/site/release-provenance.json +1 -0
- package/docs/MAP.md +4 -0
- package/docs/cli.md +125 -2
- package/docs/install.md +25 -1
- package/docs/publish-transaction.md +10 -0
- package/docs/release-passport.md +35 -0
- package/docs/reusable-build-surface.md +152 -3
- package/docs/toolkit-observability.md +235 -0
- package/docs/web-surface-deployments.md +35 -2
- package/fixtures/libnode-shaped/README.md +2 -1
- package/package.json +2 -1
- package/packages/core/README.md +22 -0
- package/packages/core/buildchain-config.js +42 -0
- package/packages/core/diagnostics.js +1392 -0
- package/packages/core/index.js +32 -0
- package/packages/core/logging.js +51 -0
- package/packages/core/release-passport.js +581 -13
- package/scripts/aggregate-build-summary.mjs +30 -0
- package/scripts/aggregate-diagnostics-summary.mjs +54 -0
- package/scripts/check-inventory.mjs +19 -0
- package/scripts/generate-site-bundle.mjs +1 -0
- package/scripts/init-repo.mjs +14 -0
- package/scripts/npm-publish-dry-run.mjs +6 -0
- package/scripts/run-lifecycle-core.mjs +391 -17
- package/scripts/run-lifecycle.mjs +16 -0
- package/scripts/runtime-ref-core.mjs +109 -0
- package/scripts/web-surface-core.mjs +8 -0
- package/scripts/web-surface.mjs +4 -0
package/docs/cli.md
CHANGED
|
@@ -27,6 +27,14 @@ pnpm add -D @kungfu-tech/buildchain
|
|
|
27
27
|
pnpm exec buildchain validate
|
|
28
28
|
```
|
|
29
29
|
|
|
30
|
+
Consumers should pin the exact Buildchain version that was validated in their
|
|
31
|
+
repository. When dogfooding a fresh Buildchain release immediately after it is
|
|
32
|
+
published, pnpm may block the install through a minimum release-age policy. In
|
|
33
|
+
that case, add a temporary package/version-specific `minimumReleaseAgeExclude`
|
|
34
|
+
entry, such as `@kungfu-tech/buildchain@2.2.5`, and remove it once the package
|
|
35
|
+
has aged past the normal policy window. Do not replace that with a broad
|
|
36
|
+
registry or scope-wide exclude.
|
|
37
|
+
|
|
30
38
|
Use the package API directly inside JavaScript build scripts:
|
|
31
39
|
|
|
32
40
|
```js
|
|
@@ -56,6 +64,10 @@ Supported presets:
|
|
|
56
64
|
- `--type anchored-package` for packages whose version is anchored to an
|
|
57
65
|
explicit upstream release manifest.
|
|
58
66
|
|
|
67
|
+
The native preset includes an opt-in `[diagnostics.native]` profile with common
|
|
68
|
+
tool/cache/artifact probes. Consumers can keep it enabled, adjust the tool and
|
|
69
|
+
directory lists, or disable it if a repository does not need native diagnostics.
|
|
70
|
+
|
|
59
71
|
`buildchain validate` parses `buildchain.toml`, checks configured version-state
|
|
60
72
|
files, and can require named lifecycle stages:
|
|
61
73
|
|
|
@@ -92,6 +104,8 @@ buildchain span --event native.build --phase build -- cmake --build build
|
|
|
92
104
|
buildchain log warn --event cache.miss --component conan --attribute token=hidden
|
|
93
105
|
buildchain log summary --json
|
|
94
106
|
buildchain verify observability-log .buildchain/logs/events.jsonl --min-events 4 --require-phase build
|
|
107
|
+
buildchain diagnostics summary .buildchain/artifacts/*/diagnostics.json --json
|
|
108
|
+
buildchain sample process-tree --label native-build --interval-ms 15000 -- make -j20
|
|
95
109
|
```
|
|
96
110
|
|
|
97
111
|
During `buildchain lifecycle run`, child processes receive
|
|
@@ -116,6 +130,61 @@ Secret-looking attribute keys such as `token`, `password`, `secret`,
|
|
|
116
130
|
Full command strings are not recorded by `span`; scripts should provide stable
|
|
117
131
|
event names and safe attributes instead.
|
|
118
132
|
|
|
133
|
+
`buildchain diagnostics summary` reads one or more small diagnostics artifacts
|
|
134
|
+
and emits the same cross-platform summary as the diagnostics SDK:
|
|
135
|
+
|
|
136
|
+
```bash
|
|
137
|
+
buildchain diagnostics summary \
|
|
138
|
+
.buildchain/artifacts/linux-x64/diagnostics.json \
|
|
139
|
+
.buildchain/artifacts/macos-arm64/diagnostics.json \
|
|
140
|
+
--output .buildchain/artifacts/diagnostics-summary.json \
|
|
141
|
+
--json
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
The JSON summary keeps per-platform lifecycle stage tables, adds lifecycle
|
|
145
|
+
total durations, carries top slow spans, aggregates warning/error counts, and
|
|
146
|
+
sorts the slowest platforms. Each platform row carries compact runner facts,
|
|
147
|
+
checked tool versions/missing tools, package manager/cache directory details,
|
|
148
|
+
compiler-cache availability, and a compact process sampler summary: requested
|
|
149
|
+
parallelism, observed max active processes, the ratio between them, sample
|
|
150
|
+
count, process categories, and the top sampled command basenames. This lets
|
|
151
|
+
maintainers inspect matrix timing, runner, tool, cache, and concurrency context
|
|
152
|
+
without downloading large platform binaries or process sidecars first.
|
|
153
|
+
When a sibling `diagnostics-manifest.json` is available, the summary also records
|
|
154
|
+
its file list and verifies the listed `diagnostics.json` byte count and sha256.
|
|
155
|
+
Missing, unreadable, or mismatched sidecar manifests are reported through
|
|
156
|
+
`diagnosticsManifestWarningCount` and the per-platform `diagnosticsManifest`
|
|
157
|
+
field without failing the timing rollup.
|
|
158
|
+
The summary also compares each `diagnostics.json` contract to
|
|
159
|
+
`BUILDCHAIN_DIAGNOSTICS_CONTRACT`; mismatches are reported through
|
|
160
|
+
`diagnosticsContractWarningCount` and the per-platform `diagnosticsContract`
|
|
161
|
+
field so reviewers can separate diagnostics schema drift from lifecycle
|
|
162
|
+
warnings or build failures.
|
|
163
|
+
|
|
164
|
+
Without `--json`, the command prints a compact lifecycle timing table with
|
|
165
|
+
install/build/verify/publish, artifact scan/upload, total, warning, and error
|
|
166
|
+
columns for each platform, plus `jobs` and `active` columns for requested and
|
|
167
|
+
observed process concurrency when sampler data is present.
|
|
168
|
+
|
|
169
|
+
`buildchain sample process-tree` wraps a long-running command and periodically
|
|
170
|
+
writes process-tree snapshots:
|
|
171
|
+
|
|
172
|
+
```bash
|
|
173
|
+
buildchain sample process-tree \
|
|
174
|
+
--label native-build \
|
|
175
|
+
--interval-ms 15000 \
|
|
176
|
+
--output .buildchain/diagnostics/process-samples.jsonl \
|
|
177
|
+
--summary-output .buildchain/diagnostics/process-summary.json \
|
|
178
|
+
-- \
|
|
179
|
+
make -j20
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
The command returns the wrapped command's exit status. The JSONL file contains
|
|
183
|
+
small timestamped samples; the summary JSON records requested parallelism,
|
|
184
|
+
observed concurrency, sampled CPU, command categories, and top command
|
|
185
|
+
basenames. Use it when a native build requests high parallelism but appears to
|
|
186
|
+
spend long stretches in low-concurrency compile, archive, link, or cache steps.
|
|
187
|
+
|
|
119
188
|
`buildchain doctor` checks repository readiness before remote side effects:
|
|
120
189
|
|
|
121
190
|
```bash
|
|
@@ -123,8 +192,27 @@ buildchain doctor --json
|
|
|
123
192
|
```
|
|
124
193
|
|
|
125
194
|
It validates `buildchain.toml`, package-manager detection, Git repository state,
|
|
126
|
-
and the reusable workflow caller.
|
|
127
|
-
`
|
|
195
|
+
and the reusable workflow caller. For `version.strategy = "anchored"` with
|
|
196
|
+
`version.next = "manual"`, it also embeds the anchored package release contract
|
|
197
|
+
check: anchor manifest readability, configured version files, trusted
|
|
198
|
+
publishing, package publish order, and required lifecycle stages. Add
|
|
199
|
+
`--require-publish-source-lock` inside a publish job when the doctor report
|
|
200
|
+
should also fail unless the job is running from a resolved `publish-gate/*`
|
|
201
|
+
source lock.
|
|
202
|
+
|
|
203
|
+
Anchored/manual package publish jobs can run the narrower source-lock gate
|
|
204
|
+
directly:
|
|
205
|
+
|
|
206
|
+
```bash
|
|
207
|
+
buildchain publish-source validate-anchored-release --json
|
|
208
|
+
```
|
|
209
|
+
|
|
210
|
+
The command requires `BUILDCHAIN_PUBLISH_SOURCE_REF`,
|
|
211
|
+
`BUILDCHAIN_PUBLISH_SOURCE_SHA`, and `BUILDCHAIN_PUBLISH_SOURCE_LOCKED` from the
|
|
212
|
+
reusable build workflow outputs. It fails closed for direct `alpha/*` or
|
|
213
|
+
`release/*` channel-branch publication, and checks the publish-gate consumer
|
|
214
|
+
version against configured version files and the anchor manifest. The JSON
|
|
215
|
+
result is shaped for future `buildchain.libkungfu.dev` fact ingestion.
|
|
128
216
|
|
|
129
217
|
`buildchain release`, `buildchain web-surface`, `buildchain publish-source`,
|
|
130
218
|
and `buildchain build-contract` route to the same scripts used by Buildchain's
|
|
@@ -148,6 +236,41 @@ and `llms.txt`. Production binary distribution defaults to GitHub-hosted
|
|
|
148
236
|
runners so other projects can reproduce the release lane; self-hosted runners
|
|
149
237
|
remain compatibility fixtures and are recorded as runner facts when used.
|
|
150
238
|
|
|
239
|
+
For publish-transaction releases, pass the additional evidence inputs so
|
|
240
|
+
`buildchain.release.json` becomes the unified passport instead of a binary-only
|
|
241
|
+
asset summary:
|
|
242
|
+
|
|
243
|
+
```bash
|
|
244
|
+
buildchain collect github-release \
|
|
245
|
+
--tag v2.3.2 \
|
|
246
|
+
--repository kungfu-systems/buildchain \
|
|
247
|
+
--assets-dir dist \
|
|
248
|
+
--publish-evidence-json .buildchain/release-evidence/v2.3.2/evidence.json \
|
|
249
|
+
--transaction-json .buildchain/release-state/v2.3.2/state.json \
|
|
250
|
+
--package-set-json package-set.json \
|
|
251
|
+
--trusted-publishing-json trusted-publishing.json \
|
|
252
|
+
--anchor-manifest-json libnode.release.json \
|
|
253
|
+
--build-summary-json .buildchain/artifacts/build-summary.json \
|
|
254
|
+
--platform-manifest-json .buildchain/artifacts/linux-x64/manifest.json \
|
|
255
|
+
--platform-manifest-json .buildchain/artifacts/darwin-arm64/manifest.json \
|
|
256
|
+
--platform-manifest-json .buildchain/artifacts/win32-x64/manifest.json \
|
|
257
|
+
--dist-tag-evidence-json .buildchain/release-evidence/v2.3.2/dist-tag-evidence.json \
|
|
258
|
+
--release-extra-json '{"channel":"release","targetRef":"release/v2/v2.3"}' \
|
|
259
|
+
--output-dir .buildchain/release-passport
|
|
260
|
+
```
|
|
261
|
+
|
|
262
|
+
The generated passport records the main and platform packages, npm dist-tags,
|
|
263
|
+
published versions, release source/ref state, anchor manifest digest, registry
|
|
264
|
+
artifact digests, trusted publishing evidence, and Buildchain transaction
|
|
265
|
+
result. It also records `buildSummary`, `platformArtifactManifests`, and
|
|
266
|
+
`distTagPromotion` when those JSON inputs are supplied. `packageSet` keeps the
|
|
267
|
+
ordered package set; `publish.packages[]` is the agent-readable npm publication
|
|
268
|
+
summary for each main/platform package. For Buildchain releases, verification
|
|
269
|
+
expects the supplied package set to include the main package plus the three
|
|
270
|
+
platform packages with version, dist-tag, and digest evidence. Verification
|
|
271
|
+
fails closed if supplied sections are internally incomplete or point to
|
|
272
|
+
artifacts without matching evidence.
|
|
273
|
+
|
|
151
274
|
Buildchain dogfoods its observability toolkit in this lane. The standalone
|
|
152
275
|
builder writes API-generated events, while the workflow uses `buildchain mark`,
|
|
153
276
|
`buildchain span`, `buildchain verify observability-log`, and `buildchain log
|
package/docs/install.md
CHANGED
|
@@ -54,6 +54,31 @@ npx buildchain doctor --json
|
|
|
54
54
|
Alpha releases publish to the `alpha` npm dist-tag. Stable releases publish to
|
|
55
55
|
`latest`. Both are created by the protected Buildchain promotion transaction.
|
|
56
56
|
|
|
57
|
+
Stable consumers should pin the exact Buildchain version they have validated,
|
|
58
|
+
for example:
|
|
59
|
+
|
|
60
|
+
```bash
|
|
61
|
+
pnpm add -D @kungfu-tech/buildchain@2.2.5
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
If a repository dogfoods a just-published Buildchain version and pnpm's release
|
|
65
|
+
age policy blocks the install, use a temporary package/version-specific
|
|
66
|
+
`minimumReleaseAgeExclude` entry instead of weakening the registry policy for
|
|
67
|
+
all packages:
|
|
68
|
+
|
|
69
|
+
```json
|
|
70
|
+
{
|
|
71
|
+
"pnpm": {
|
|
72
|
+
"minimumReleaseAgeExclude": [
|
|
73
|
+
"@kungfu-tech/buildchain@2.2.5"
|
|
74
|
+
]
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
Remove that entry after the package is old enough for the repository's normal
|
|
80
|
+
policy. Do not use a broad exclude such as `@kungfu-tech/*` for this case.
|
|
81
|
+
|
|
57
82
|
## Repository Integration
|
|
58
83
|
|
|
59
84
|
```bash
|
|
@@ -75,4 +100,3 @@ buildchain explain release --passport buildchain.release.json --for agent --json
|
|
|
75
100
|
|
|
76
101
|
The verifier fails closed when the passport or its sibling evidence files are
|
|
77
102
|
missing required fields or mismatching artifact digests.
|
|
78
|
-
|
|
@@ -150,6 +150,14 @@ For package sets, `package_set_order = "platforms-first-main-last"` makes the
|
|
|
150
150
|
main package the visibility gate. Platform package side effects are planned or
|
|
151
151
|
retried first, and the main package or main dist-tag move happens last.
|
|
152
152
|
|
|
153
|
+
When the transaction reaches `complete`, `actions/promote-buildchain-ref`
|
|
154
|
+
generates `.buildchain/release-passport/buildchain.release.json` and persists
|
|
155
|
+
the `release-passport/*` files into the durable `buildchain/release-state/...`
|
|
156
|
+
ref. The passport is the stable release artifact for agents and people: it
|
|
157
|
+
links the package set, npm publish evidence, dist-tag evidence, build summary,
|
|
158
|
+
platform artifact manifests, trusted publishing metadata, release-state ref,
|
|
159
|
+
and transaction result in one schema.
|
|
160
|
+
|
|
153
161
|
## Evidence
|
|
154
162
|
|
|
155
163
|
The publish lifecycle must write JSON evidence. Buildchain validates common
|
|
@@ -188,6 +196,8 @@ The generic contract is intentionally small:
|
|
|
188
196
|
|
|
189
197
|
- `version`, `channel`, `source_sha`, `release_sha`, and `target_ref` must match
|
|
190
198
|
the promotion run;
|
|
199
|
+
- dist-tag promotion evidence is written beside the publish evidence as
|
|
200
|
+
`dist-tag-evidence.json` and is referenced from the generated passport;
|
|
191
201
|
- required artifacts must appear in evidence;
|
|
192
202
|
- evidence used by a GitHub-hosted rerun must either be stored in the durable
|
|
193
203
|
state ref or be reconstructed by a machine-verifiable consumer command;
|
package/docs/release-passport.md
CHANGED
|
@@ -27,6 +27,25 @@ P0 protocol artifacts:
|
|
|
27
27
|
|
|
28
28
|
`buildchain.release.json` is the first file an agent should read. It points to
|
|
29
29
|
artifact evidence, impact, recovery, product mechanism, and agent index facts.
|
|
30
|
+
It is also the unified release responsibility summary: when publish
|
|
31
|
+
transactions are used, the same passport records the package set, npm dist-tags,
|
|
32
|
+
release source refs, release-state ref, anchor manifest, registry artifact
|
|
33
|
+
digests, trusted publishing evidence, and transaction result.
|
|
34
|
+
|
|
35
|
+
Additive passport sections:
|
|
36
|
+
|
|
37
|
+
- `release`: exact tag, line, channel, source SHA, target ref, release SHA,
|
|
38
|
+
release material SHA, publish tooling SHA, and durable release-state ref.
|
|
39
|
+
- `packageSet`: main package, platform packages, package-set order, registry,
|
|
40
|
+
versions, dist-tags, and package digests.
|
|
41
|
+
- `anchorManifest`: anchored/manual version manifest path, digest, and fields.
|
|
42
|
+
- `trustedPublishing`: provider, auth mode, workflow run evidence, and whether
|
|
43
|
+
trusted publishing was enabled.
|
|
44
|
+
- `transaction`: durable Buildchain release transaction id, state, exact tag,
|
|
45
|
+
release SHA, state ref, and state SHA.
|
|
46
|
+
- `artifacts`: release assets and registry artifacts in one list, each pointing
|
|
47
|
+
back to the evidence file that proves its digest.
|
|
48
|
+
|
|
30
49
|
Buildchain's own binary lane also publishes observability artifacts generated by
|
|
31
50
|
the Buildchain logging API and CLI:
|
|
32
51
|
|
|
@@ -65,9 +84,25 @@ buildchain collect github-release \
|
|
|
65
84
|
--tag v2.2.0 \
|
|
66
85
|
--repository kungfu-systems/buildchain \
|
|
67
86
|
--assets-dir dist \
|
|
87
|
+
--publish-evidence-json .buildchain/release-evidence/v2.2.0/evidence.json \
|
|
88
|
+
--transaction-json .buildchain/release-state/v2.2.0/state.json \
|
|
89
|
+
--package-set-json package-set.json \
|
|
90
|
+
--anchor-manifest-json libnode.release.json \
|
|
91
|
+
--build-summary-json .buildchain/artifacts/build-summary.json \
|
|
92
|
+
--platform-manifest-json .buildchain/artifacts/linux-x64/manifest.json \
|
|
93
|
+
--platform-manifest-json .buildchain/artifacts/darwin-arm64/manifest.json \
|
|
94
|
+
--platform-manifest-json .buildchain/artifacts/win32-x64/manifest.json \
|
|
95
|
+
--dist-tag-evidence-json .buildchain/release-evidence/v2.2.0/dist-tag-evidence.json \
|
|
68
96
|
--output-dir .buildchain/release-passport
|
|
69
97
|
```
|
|
70
98
|
|
|
99
|
+
`packageSet` records the ordered main-plus-platform package set.
|
|
100
|
+
`publish.packages[]` summarizes each published npm package with its version,
|
|
101
|
+
dist-tag, registry, role, platform, and digest, so agents do not need to stitch
|
|
102
|
+
npm facts back together from the lower-level evidence files.
|
|
103
|
+
`buildSummary`, `platformArtifactManifests`, and `distTagPromotion` preserve the
|
|
104
|
+
build and npm dist-tag evidence chain in the same passport.
|
|
105
|
+
|
|
71
106
|
Verify a release passport:
|
|
72
107
|
|
|
73
108
|
```bash
|
|
@@ -24,6 +24,7 @@ jobs:
|
|
|
24
24
|
build/stage
|
|
25
25
|
expected-artifacts-json: >-
|
|
26
26
|
{"minFiles":2,"requiredPaths":["dist/libnode.tar.gz","dist/checksums.txt"]}
|
|
27
|
+
process-summary-path: .buildchain/diagnostics/process-summary.json
|
|
27
28
|
publish-channel: release
|
|
28
29
|
publish-source-ref: publish-gate/release/v22/v22.22/22.22.3-kf.0
|
|
29
30
|
```
|
|
@@ -108,6 +109,74 @@ Do not use `kungfu-verify` for stages that need CMake, Ninja, ccache, Conan, or
|
|
|
108
109
|
Docker image publishing. Those should use a heavier native-build image or remain
|
|
109
110
|
on a host runner until their image contract is explicit.
|
|
110
111
|
|
|
112
|
+
## Buildchain Runtime Override
|
|
113
|
+
|
|
114
|
+
Stable consumers should keep the reusable workflow pinned to stable refs such as
|
|
115
|
+
`@v2`. The optional `buildchain-ref` input is empty by default; empty means
|
|
116
|
+
Buildchain resolves and executes the stable runtime selected by the workflow
|
|
117
|
+
shell. The full train validation protocol is documented in
|
|
118
|
+
[`runtime-train-validation.md`](runtime-train-validation.md).
|
|
119
|
+
|
|
120
|
+
For one-off manual validation, a trusted maintainer can run the caller workflow
|
|
121
|
+
with a temporary runtime override:
|
|
122
|
+
|
|
123
|
+
```yaml
|
|
124
|
+
on:
|
|
125
|
+
workflow_dispatch:
|
|
126
|
+
inputs:
|
|
127
|
+
buildchain-ref:
|
|
128
|
+
description: "Temporary Buildchain runtime ref for trusted manual validation"
|
|
129
|
+
required: false
|
|
130
|
+
default: ""
|
|
131
|
+
|
|
132
|
+
jobs:
|
|
133
|
+
build:
|
|
134
|
+
uses: kungfu-systems/buildchain/.github/workflows/.build.yml@v2
|
|
135
|
+
with:
|
|
136
|
+
buildchain-ref: ${{ inputs.buildchain-ref || '' }}
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
Allowed override refs are deliberately narrow:
|
|
140
|
+
|
|
141
|
+
| Ref form | Meaning |
|
|
142
|
+
| --- | --- |
|
|
143
|
+
| `train/v2/v2.3/<capability>` | Temporary capability train under the active minor line |
|
|
144
|
+
| `refs/heads/train/v2/v2.3/<capability>` | Explicit branch ref for the same train |
|
|
145
|
+
| `<40-character SHA>` | Exact immutable Buildchain runtime commit |
|
|
146
|
+
|
|
147
|
+
Override requests fail closed unless the event is `workflow_dispatch` and the
|
|
148
|
+
actor has write, maintain, or admin permission on the caller repository.
|
|
149
|
+
Pull requests, including same-repository pull requests and fork-originated pull
|
|
150
|
+
requests, cannot use `buildchain-ref` override. This keeps automated PR builds on
|
|
151
|
+
the stable runtime surface.
|
|
152
|
+
|
|
153
|
+
Every run resolves the runtime ref to an immutable SHA before checkout. The job
|
|
154
|
+
summary and aggregate build summary record the workflow shell ref, requested
|
|
155
|
+
runtime ref, resolved runtime ref, runtime SHA, stability class, trust decision,
|
|
156
|
+
and rollback ref. Train refs are development validation refs: they do not move
|
|
157
|
+
`v2`, `vX.Y`, `vX.Y-alpha`, npm dist-tags, or production release refs, and they
|
|
158
|
+
must not be pinned as long-term production dependencies.
|
|
159
|
+
|
|
160
|
+
Runtime override validates Buildchain runtime scripts, CLI code, local actions,
|
|
161
|
+
config parsing, and lifecycle behavior. It cannot validate changes that require
|
|
162
|
+
the outer reusable workflow YAML itself to change, such as new jobs,
|
|
163
|
+
permissions, workflow outputs, or matrix topology. Those changes need a canary
|
|
164
|
+
workflow path or a temporary explicit workflow ref.
|
|
165
|
+
|
|
166
|
+
When a Buildchain maintainer asks for downstream validation, the expected
|
|
167
|
+
request is:
|
|
168
|
+
|
|
169
|
+
```text
|
|
170
|
+
Buildchain train ready: buildchain-ref=train/v2/v2.3/<capability>.
|
|
171
|
+
Keep uses: ...@v2; run workflow_dispatch with that buildchain-ref and report the runtime evidence summary.
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
After validation succeeds, the Buildchain change should continue through the
|
|
175
|
+
normal mainline and release path. Do not treat the train as a pending merge
|
|
176
|
+
item; it is only a temporary fast-use, diagnostic, and rollback channel. It may
|
|
177
|
+
remain for a retention window after release, with old trains handled by a
|
|
178
|
+
separate periodic cleanup task.
|
|
179
|
+
|
|
111
180
|
## Workflow Outputs
|
|
112
181
|
|
|
113
182
|
The reusable workflow exposes the resolved contract:
|
|
@@ -120,8 +189,15 @@ The reusable workflow exposes the resolved contract:
|
|
|
120
189
|
| `linux-container-enabled` | `true` when Linux platforms are routed through a job container |
|
|
121
190
|
| `linux-container-image` | Resolved digest-pinned Linux job container image |
|
|
122
191
|
| `build-summary-artifact` | Uploaded aggregate summary artifact name |
|
|
192
|
+
| `build-diagnostics-summary-artifact` | Uploaded aggregate diagnostics summary artifact name |
|
|
123
193
|
| `build-summary-json` | Compact aggregate JSON with platform count, file count, and byte total |
|
|
194
|
+
| `build-diagnostics-summary-json` | Compact aggregate diagnostics JSON with platform, lifecycle warning/error, diagnostics contract warning, and sidecar manifest warning totals |
|
|
124
195
|
| `trusted-event` | `true` when the event is trusted enough to reach build runners |
|
|
196
|
+
| `buildchain-runtime-ref` | Runtime ref selected after applying the empty-default or override policy |
|
|
197
|
+
| `buildchain-runtime-sha` | Immutable Buildchain runtime commit used by all runtime checkouts |
|
|
198
|
+
| `buildchain-runtime-class` | `stable`, `alpha`, `train`, `exact-sha`, or `development` |
|
|
199
|
+
| `buildchain-runtime-override` | `true` when a non-empty `buildchain-ref` override was accepted |
|
|
200
|
+
| `buildchain-runtime-trust-decision` | Runtime override trust decision |
|
|
125
201
|
| `publish-channel` | Resolved publish channel requested by the caller |
|
|
126
202
|
| `publish-allowed` | `true` only when this event/ref may publish after verification |
|
|
127
203
|
| `publish-reason` | Human-readable reason for the publish gate decision |
|
|
@@ -133,10 +209,29 @@ The reusable workflow exposes the resolved contract:
|
|
|
133
209
|
| `publish-source-consumer-version` | Consumer package version parsed from source refs |
|
|
134
210
|
| `release-manifest-json` | Resolved release manifest including source lock, version state, and anchor data |
|
|
135
211
|
|
|
136
|
-
The aggregate
|
|
212
|
+
The aggregate summaries are intentionally artifacts as well as outputs. GitHub
|
|
137
213
|
Actions matrix outputs are not a reliable place to carry every platform's full
|
|
138
214
|
manifest, so Buildchain uploads each platform manifest and then emits one
|
|
139
|
-
aggregate summary artifact after the matrix completes.
|
|
215
|
+
aggregate build summary artifact after the matrix completes. Buildchain uploads
|
|
216
|
+
`diagnostics-summary.json` as a separate aggregate diagnostics summary artifact,
|
|
217
|
+
a compact rollup of each platform's small diagnostics upload. The rollup keeps
|
|
218
|
+
per-platform runner facts, checked tool versions/missing tools, package
|
|
219
|
+
manager/cache directory details, compiler-cache availability, lifecycle timing,
|
|
220
|
+
process sampler context, and links back to the exact platform artifacts. Each
|
|
221
|
+
platform diagnostics upload includes `diagnostics.json`,
|
|
222
|
+
`diagnostics-manifest.json`, the lifecycle `events.jsonl`, and process sampler
|
|
223
|
+
sidecars when enabled, so slow-build diagnosis does not require downloading the
|
|
224
|
+
binary platform artifact or the aggregate build summary. The sidecar manifest
|
|
225
|
+
records the uploaded diagnostics files with bytes and sha256 hashes. Each
|
|
226
|
+
`diagnostics.json` also records the related binary artifact name, manifest
|
|
227
|
+
artifact name, diagnostics artifact name, diagnostics sidecar manifest path, and
|
|
228
|
+
platform id in `links`, so a reviewer can navigate from the small diagnostics
|
|
229
|
+
artifact back to the exact platform outputs when deeper inspection is needed.
|
|
230
|
+
The workflow output `build-diagnostics-summary-json` includes
|
|
231
|
+
`diagnosticsContractWarningCount` and `diagnosticsManifestWarningCount` so
|
|
232
|
+
release jobs can detect drifting diagnostics JSON contracts and missing or
|
|
233
|
+
drifting diagnostics sidecar manifests without downloading the per-platform
|
|
234
|
+
diagnostics artifacts first.
|
|
140
235
|
|
|
141
236
|
## Publish Gate
|
|
142
237
|
|
|
@@ -240,6 +335,38 @@ If the branch tip no longer matches the manifest SHA, the publish job must fail
|
|
|
240
335
|
closed. Moving a gate branch creates a new publish decision and should produce a
|
|
241
336
|
new build run.
|
|
242
337
|
|
|
338
|
+
Anchored/manual package release jobs should also make the Buildchain promotion
|
|
339
|
+
action validate that publication is entering through the same
|
|
340
|
+
`publish-gate/{alpha,release,major}` source-lock contract before any package
|
|
341
|
+
publish side effect:
|
|
342
|
+
|
|
343
|
+
```yaml
|
|
344
|
+
- name: Promote release ref and publish npm package set
|
|
345
|
+
uses: kungfu-systems/buildchain/actions/promote-buildchain-ref@v2
|
|
346
|
+
with:
|
|
347
|
+
sha: ${{ needs.build.outputs.publish-source-sha }}
|
|
348
|
+
target-ref: release/v22/v22.22
|
|
349
|
+
require-publish-source-lock: 'true'
|
|
350
|
+
publish-source-ref: ${{ needs.build.outputs.publish-source-ref }}
|
|
351
|
+
publish-source-sha: ${{ needs.build.outputs.publish-source-sha }}
|
|
352
|
+
publish-source-locked: ${{ needs.build.outputs.publish-source-locked }}
|
|
353
|
+
```
|
|
354
|
+
|
|
355
|
+
`target-ref` stays the Buildchain channel promotion target, such as
|
|
356
|
+
`alpha/v22/v22.22`, `release/v22/v22.22`, or `publish-gate/major`.
|
|
357
|
+
`publish-source-ref` is the reviewed source-lock branch that authorized this
|
|
358
|
+
specific package publication. For alpha and release package publications, the
|
|
359
|
+
source-lock branch must point at the exact channel-line commit that promotion is
|
|
360
|
+
validating; it is not a replacement for `target-ref`.
|
|
361
|
+
|
|
362
|
+
This keeps the version bump commit, publish authorization, and auditable publish
|
|
363
|
+
entrypoint on the Buildchain source-lock protocol. The CLI form
|
|
364
|
+
`buildchain publish-source validate-anchored-release --json` is still useful for
|
|
365
|
+
custom publish scripts, but the preferred GitHub Actions gate is the promotion
|
|
366
|
+
action input above. A publish job that still runs directly from `alpha/*` or
|
|
367
|
+
`release/*` channel branches fails this check because those refs are channel
|
|
368
|
+
state, not publish-gate decisions.
|
|
369
|
+
|
|
243
370
|
## Package-Set Publish Plan
|
|
244
371
|
|
|
245
372
|
Projects that publish multiple packages should treat package publication as a
|
|
@@ -281,6 +408,28 @@ with:
|
|
|
281
408
|
verify-command: ctest --test-dir build --output-on-failure
|
|
282
409
|
```
|
|
283
410
|
|
|
411
|
+
The reusable build workflow samples the build lifecycle by default and carries
|
|
412
|
+
the generated summary into the final verify diagnostics. Callers can override
|
|
413
|
+
the sidecar path or disable sampling:
|
|
414
|
+
|
|
415
|
+
```yaml
|
|
416
|
+
with:
|
|
417
|
+
sample-process-tree: true
|
|
418
|
+
process-summary-path: .buildchain/diagnostics/process-summary.json
|
|
419
|
+
process-sample-interval-ms: 15000
|
|
420
|
+
requested-parallelism: 20
|
|
421
|
+
```
|
|
422
|
+
|
|
423
|
+
When `sample-process-tree` is true, Buildchain wraps either `build-command` or
|
|
424
|
+
the configured `lifecycle.build` stage with `buildchain sample process-tree`.
|
|
425
|
+
The path is relative to the checked-out workspace and is read again during the
|
|
426
|
+
final verify lifecycle. Custom workflows can still write their own sampler
|
|
427
|
+
summary and pass `process-summary-path`; Buildchain reads the file after the
|
|
428
|
+
lifecycle command finishes, so it may be produced during the same invocation.
|
|
429
|
+
When the build stage is optional, the reusable workflow treats the default
|
|
430
|
+
sampler path as optional during verify; an explicitly supplied
|
|
431
|
+
`process-summary-path` remains required.
|
|
432
|
+
|
|
284
433
|
For custom workflows, use the action directly:
|
|
285
434
|
|
|
286
435
|
```yaml
|
|
@@ -400,7 +549,7 @@ the publish gate: pull requests remain non-publishing events.
|
|
|
400
549
|
`fixtures/libnode-shaped` is the contract fixture. It has:
|
|
401
550
|
|
|
402
551
|
- `package.json` version state;
|
|
403
|
-
- `buildchain.toml` with `install`, `build`, and `
|
|
552
|
+
- `buildchain.toml` with `install`, `build`, `verify`, and `publish`;
|
|
404
553
|
- cross-platform Node scripts that create small `dist/` outputs;
|
|
405
554
|
- `Build Surface Fixture` workflow coverage.
|
|
406
555
|
|