@kungfu-tech/buildchain 2.4.10-alpha.1 → 2.4.10
- package/docs/cli.md +8 -4
- package/docs/release-governance.md +7 -4
- package/package.json +1 -1
- package/scripts/check-inventory.mjs +12 -2
package/docs/cli.md
CHANGED
|
@@ -365,10 +365,14 @@ transaction that promotes release refs:
|
|
|
365
365
|
workflow and do not publish.
|
|
366
366
|
|
|
367
367
|
The promotion workflow uses npm Trusted Publishing through GitHub Actions OIDC.
|
|
368
|
-
It runs on a GitHub-hosted runner with `id-token: write`,
|
|
369
|
-
|
|
370
|
-
|
|
371
|
-
|
|
368
|
+
It runs on a GitHub-hosted runner with `id-token: write`, but it does not
|
|
369
|
+
manually run the release-candidate resolver or promote action. Buildchain's own
|
|
370
|
+
dogfood path calls the declarative `release-candidate-promote.yml` wrapper with
|
|
371
|
+
channel, target ref/SHA, PR-stage workflow, artifact, status-check, and passport
|
|
372
|
+
inputs. The wrapper generates the version-state commit, runs
|
|
373
|
+
`lifecycle.verify`, runs `lifecycle.publish`, writes Buildchain publish
|
|
374
|
+
evidence, validates that evidence, and only then moves exact tags and floating
|
|
375
|
+
refs.
|
|
372
376
|
|
|
373
377
|
```bash
|
|
374
378
|
node scripts/npm-publish-transaction.mjs
|
|
@@ -59,7 +59,9 @@ Buildchain implements the same governance loop with:
|
|
|
59
59
|
|
|
60
60
|
- `.github/workflows/release-verify.yml` for PR verification;
|
|
61
61
|
- `.github/workflows/buildchain-ref-promotion.yml` for post-verify ref
|
|
62
|
-
promotion;
|
|
62
|
+
promotion; this workflow dogfoods the declarative
|
|
63
|
+
`release-candidate-promote.yml` wrapper and does not hand-wire resolver,
|
|
64
|
+
artifact download, publish-gate, or promote action steps;
|
|
63
65
|
- `actions/promote-buildchain-ref` for branch, tag, version-state, and
|
|
64
66
|
governance checks;
|
|
65
67
|
- package-manager adapters that can update version state for pnpm, npm, and
|
|
@@ -305,9 +307,10 @@ When debugging or extending release behavior, read in this order:
|
|
|
305
307
|
1. `docs/release-flow.md`
|
|
306
308
|
2. `.github/workflows/release-verify.yml`
|
|
307
309
|
3. `.github/workflows/buildchain-ref-promotion.yml`
|
|
308
|
-
4.
|
|
309
|
-
5. `actions/promote-buildchain-ref/
|
|
310
|
-
6. `
|
|
310
|
+
4. `.github/workflows/release-candidate-promote.yml`
|
|
311
|
+
5. `actions/promote-buildchain-ref/README.md`
|
|
312
|
+
6. `actions/promote-buildchain-ref/src/`
|
|
313
|
+
7. `docs/migration-inventory.md`
|
|
311
314
|
|
|
312
315
|
That path gives the policy first, the workflow trigger second, and the action
|
|
313
316
|
implementation last.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kungfu-tech/buildchain",
|
|
3
|
-
"version": "2.4.10
|
|
3
|
+
"version": "2.4.10",
|
|
4
4
|
"private": false,
|
|
5
5
|
"description": "Buildchain Release Passport, release governance, CLI toolkit, and site facts.",
|
|
6
6
|
"repository": "https://github.com/kungfu-systems/buildchain",
|
|
@@ -200,13 +200,23 @@ for (const forbiddenSnippet of [
|
|
|
200
200
|
}
|
|
201
201
|
for (const requiredSnippet of [
|
|
202
202
|
"id-token: write",
|
|
203
|
-
"
|
|
204
|
-
"
|
|
203
|
+
"actions: read",
|
|
204
|
+
"uses: ./.github/workflows/release-candidate-promote.yml",
|
|
205
|
+
"target-sha: ${{ github.event.workflow_run.head_sha || inputs.sha || github.sha }}",
|
|
206
|
+
"publish-required-artifacts-json: \"[]\"",
|
|
205
207
|
]) {
|
|
206
208
|
if (!buildchainRefPromotionWorkflow.includes(requiredSnippet)) {
|
|
207
209
|
throw new Error(`buildchain ref promotion workflow missing npm transaction snippet: ${requiredSnippet}`);
|
|
208
210
|
}
|
|
209
211
|
}
|
|
212
|
+
for (const forbiddenSnippet of [
|
|
213
|
+
"run: node scripts/release-candidate-resolver.mjs",
|
|
214
|
+
"uses: ./actions/promote-buildchain-ref",
|
|
215
|
+
]) {
|
|
216
|
+
if (buildchainRefPromotionWorkflow.includes(forbiddenSnippet)) {
|
|
217
|
+
throw new Error(`buildchain ref promotion workflow must use the declarative wrapper, found manual snippet: ${forbiddenSnippet}`);
|
|
218
|
+
}
|
|
219
|
+
}
|
|
210
220
|
for (const requiredSnippet of [
|
|
211
221
|
"distTag || (pkg.version.includes(\"-\") ? \"alpha\" : \"latest\")",
|
|
212
222
|
"\"publish\", \"--dry-run\", \"--access\", \"public\"",
|
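Review bot: The forbidden-snippet loop added at new lines 212–219 matches the exact text `run: node scripts/release-candidate-resolver.mjs` and `uses: ./actions/promote-buildchain-ref`, so the guard that keeps the `id-token: write` promotion workflow on the declarative wrapper stops firing on trivial variations: a quoted `uses:` value, a `run: |` block, a `./scripts/...` path, or different spacing. Matching on the path alone is tighter, e.g. `"scripts/release-candidate-resolver.mjs",` and `"actions/promote-buildchain-ref",`, assuming the workflow has no other legitimate mention of those paths. The required list at new lines 203–206 has the mirror weakness, since `includes()` is also satisfied by a commented-out `uses: ./.github/workflows/release-candidate-promote.yml` line; checking the parsed workflow's job-level `uses` would close both gaps, if a YAML parser is available to this script (not visible here). The required-snippet error still reads `missing npm transaction snippet` although the new entries describe the wrapper call, so the message is worth generalising. `buildchainRefPromotionWorkflow` is assigned outside this hunk, and the final `for (const requiredSnippet of [` loop continues past it.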