forked from Dicklesworthstone/agentic_coding_flywheel_setup
-
Notifications
You must be signed in to change notification settings - Fork 0
381 lines (327 loc) · 11.8 KB
/
installer.yml
File metadata and controls
381 lines (327 loc) · 11.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
name: Installer CI
on:
push:
branches: [main]
paths:
- 'install.sh'
- 'scripts/**'
- 'acfs.manifest.yaml'
- 'checksums.yaml'
- 'packages/manifest/**'
- '.github/workflows/*.yml'
- '.shellcheckrc'
- 'tests/**/*.sh'
pull_request:
branches: [main]
paths:
- 'install.sh'
- 'scripts/**'
- 'acfs.manifest.yaml'
- 'checksums.yaml'
- 'packages/manifest/**'
- '.github/workflows/*.yml'
- '.shellcheckrc'
- 'tests/**/*.sh'
jobs:
yaml-lint:
name: Workflow YAML Lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install yamllint
run: pip install yamllint
- name: Lint workflow YAML files
run: |
# Create minimal config that catches critical YAML syntax errors
cat > /tmp/yamllint.yml << 'EOF'
extends: default
rules:
line-length:
max: 200
key-ordering: disable
comments:
min-spaces-from-content: 1
document-start: disable
document-end: disable
indentation:
spaces: 2
indent-sequences: whatever
truthy:
allowed-values: ['true', 'false', 'on', 'off']
EOF
echo "Validating YAML syntax for all workflow files..."
yamllint -c /tmp/yamllint.yml .github/workflows/*.yml
echo "✅ All workflow YAML files have valid syntax"
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install ShellCheck
run: |
sudo apt-get update
sudo apt-get install -y shellcheck
- name: Run ShellCheck
shell: bash
run: |
mapfile -t files < <(git ls-files '*.sh')
shellcheck "${files[@]}"
- name: Run declare scoping linter
run: bash scripts/tests/lint_declare_scoping.sh
- name: Run pipefail safety linter
run: bash scripts/tests/lint_pipefail_safety.sh
- name: Run TTY safety linter
run: bash scripts/tests/lint_tty_safety.sh
- name: Run library globals integration test
run: bash tests/unit/test_lib_globals.sh
- name: Run macOS bootstrap mock test
run: bash tests/vm/test_macos_bootstrap.sh
manifest-drift:
name: Manifest Drift Check
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
working-directory: packages/manifest
- name: Check manifest drift
run: bun run generate --diff
working-directory: packages/manifest
- name: Install ShellCheck
run: |
sudo apt-get update
sudo apt-get install -y shellcheck
- name: Validate generated scripts (syntax + shellcheck)
run: |
EXIT_CODE=0
echo "Checking generated scripts for syntax errors..."
for f in scripts/generated/*.sh; do
[ -f "$f" ] || continue
if ! bash -n "$f" 2>&1; then
echo "FAIL: $f has syntax errors"
EXIT_CODE=1
fi
done
echo "Running ShellCheck on generated scripts..."
for f in scripts/generated/*.sh; do
[ -f "$f" ] || continue
if ! shellcheck "$f"; then
echo "FAIL: $f has ShellCheck warnings"
EXIT_CODE=1
fi
done
if [ "$EXIT_CODE" -eq 0 ]; then
echo "All generated scripts pass syntax and ShellCheck validation"
fi
exit $EXIT_CODE
checksum-verification:
name: Verify Upstream Checksums
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Verify all checksums match upstream
id: verify
run: |
chmod +x ./scripts/lib/security.sh
echo "Verifying checksums against upstream installer scripts..."
# Run verification and capture result (stderr separate to avoid corrupting JSON)
if ./scripts/lib/security.sh --verify --json > result.json 2>verify-errors.log; then
echo "✅ All checksums match upstream"
echo "status=ok" >> $GITHUB_OUTPUT
else
echo "❌ Checksum mismatches detected!"
echo "status=mismatch" >> $GITHUB_OUTPUT
# Show what's wrong
echo ""
echo "=== Mismatched checksums ==="
jq -r '.mismatches[] | " \(.name): expected \(.expected), got \(.actual)"' result.json 2>/dev/null || true
echo ""
echo "=== To fix locally ==="
echo " ./scripts/lib/security.sh --update-checksums > checksums.yaml"
echo " git add checksums.yaml && git commit -m 'chore: update checksums'"
# Fail the job
exit 1
fi
- name: Upload verification result
if: always()
uses: actions/upload-artifact@v4
with:
name: checksum-verification
path: result.json
pinned-ref-smoke:
name: Pinned Ref Smoke (checksums from main)
runs-on: ubuntu-latest
timeout-minutes: 30
container:
image: ubuntu:24.04
env:
DEBIAN_FRONTEND: noninteractive
steps:
- name: Install container prerequisites
working-directory: /
run: |
apt-get update
apt-get install -y sudo curl git ca-certificates jq unzip tar xz-utils gnupg
- name: Checkout
uses: actions/checkout@v4
- name: Configure CI sudo
run: |
echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-ci-ubuntu
chmod 440 /etc/sudoers.d/90-ci-ubuntu
- name: Run pinned-ref install (checksums from main)
run: |
ACFS_REF="$(cat VERSION)" \
ACFS_CHECKSUMS_REF=main \
bash install.sh --yes --skip-preflight --skip-ubuntu-upgrade --mode safe --only lang.uv
selection-tests:
name: Selection & Contract Tests
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run selection tests
run: bash scripts/lib/test_selection.sh
- name: Run contract tests
run: bash scripts/lib/test_contract.sh
- name: Run security tests
run: bash scripts/lib/test_security.sh
- name: Run install helpers tests
run: bash scripts/lib/test_install_helpers.sh
- name: Run RU integration tests
run: |
bash scripts/tests/test_ru_update.sh
bash scripts/tests/test_ru_doctor.sh
test-installer:
name: Test installer (Ubuntu ${{ matrix.ubuntu }}, mode ${{ matrix.mode }})
runs-on: ubuntu-latest
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
include:
- ubuntu: '24.04'
mode: vibe
- ubuntu: '25.04'
mode: vibe
- ubuntu: '24.04'
mode: safe
container:
image: ubuntu:${{ matrix.ubuntu }}
env:
DEBIAN_FRONTEND: noninteractive
steps:
- name: Install container prerequisites
working-directory: /
run: |
apt-get update
apt-get install -y sudo curl git ca-certificates jq unzip tar xz-utils gnupg
- name: Checkout
uses: actions/checkout@v4
- name: Offline bootstrap simulation
run: |
bash tests/vm/bootstrap_offline_checks.sh
- name: Configure CI sudo
run: |
# CI needs passwordless sudo for upstream scripts that use sudo internally
# This is needed for safe mode since it doesn't configure NOPASSWD
# The ubuntu user is created by install.sh, so we pre-configure sudoers
echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-ci-ubuntu
chmod 440 /etc/sudoers.d/90-ci-ubuntu
- name: Run installer
run: |
# Skip preflight in CI - GitHub Actions containers have limited disk (17GB < 20GB required)
# Skip Ubuntu upgrade in CI - containers can't reboot during workflow
ACFS_CI=true bash install.sh --yes --skip-preflight --skip-ubuntu-upgrade --mode ${{ matrix.mode }}
- name: Run doctor
run: |
su - ubuntu -c "ACFS_DOCTOR_CI=true zsh -ic 'acfs doctor'"
- name: Verify key tools
run: |
su - ubuntu -c "zsh -ic 'test -f ~/.acfs/VERSION'"
su - ubuntu -c "zsh -ic 'gh --version'"
su - ubuntu -c "zsh -ic 'jq --version'"
su - ubuntu -c "zsh -ic 'sg --version'"
su - ubuntu -c "zsh -ic 'git-lfs version'"
su - ubuntu -c "zsh -ic 'rsync --version'"
su - ubuntu -c "zsh -ic 'strace --version'"
su - ubuntu -c "zsh -ic 'command -v lsof >/dev/null'"
su - ubuntu -c "zsh -ic 'command -v dig >/dev/null'"
su - ubuntu -c "zsh -ic 'command -v nc >/dev/null'"
su - ubuntu -c "zsh -ic 'ntm --help'"
su - ubuntu -c "zsh -ic 'ubs --help'"
su - ubuntu -c "zsh -ic 'bv --help'"
su - ubuntu -c "zsh -ic 'cass --help'"
su - ubuntu -c "zsh -ic 'cm --help'"
su - ubuntu -c "zsh -ic 'caam --help'"
su - ubuntu -c "zsh -ic 'slb --help'"
su - ubuntu -c "zsh -ic 'dcg --version'"
su - ubuntu -c "zsh -ic 'dcg doctor'"
su - ubuntu -c "zsh -ic 'ru --version'"
su - ubuntu -c "zsh -ic 'onboard --help'"
# beads_rust (required) - issue tracking
su - ubuntu -c "zsh -ic 'br --version'"
# New stack tools (bd-1ega)
su - ubuntu -c "zsh -ic 'ms --version'"
su - ubuntu -c "zsh -ic 'apr --help || true'"
su - ubuntu -c "zsh -ic 'jfp --version || true'"
su - ubuntu -c "zsh -ic 'pt --help || true'"
su - ubuntu -c "zsh -ic 'brenner --version || brenner --help || true'"
su - ubuntu -c "zsh -ic 'rch --version || rch --help || true'"
su - ubuntu -c "zsh -ic 'wa --version || wa --help || true'"
su - ubuntu -c "zsh -ic 'sysmoni --version || sysmoni --help || true'"
# Agents
su - ubuntu -c "zsh -ic 'claude --version'"
su - ubuntu -c "zsh -ic 'codex --version'"
su - ubuntu -c "zsh -ic 'gemini --version'"
e2e-curlbash-bootstrap:
name: E2E curl|bash Bootstrap
runs-on: ubuntu-latest
timeout-minutes: 15
container:
image: ubuntu:24.04
env:
DEBIAN_FRONTEND: noninteractive
steps:
- name: Install container prerequisites
working-directory: /
run: |
apt-get update
apt-get install -y sudo curl git ca-certificates jq python3 tar gzip bash
- name: Checkout
uses: actions/checkout@v4
- name: Configure CI sudo
run: |
echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-ci-ubuntu
chmod 440 /etc/sudoers.d/90-ci-ubuntu
- name: Run curl|bash bootstrap E2E test
run: bash tests/e2e/test_curlbash_bootstrap.sh
e2e-resume-after-failure:
name: E2E Resume After Failure
runs-on: ubuntu-latest
timeout-minutes: 30
container:
image: ubuntu:24.04
env:
DEBIAN_FRONTEND: noninteractive
steps:
- name: Install container prerequisites
working-directory: /
run: |
apt-get update
apt-get install -y sudo curl git ca-certificates jq unzip tar xz-utils gnupg
- name: Checkout
uses: actions/checkout@v4
- name: Configure CI sudo
run: |
echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-ci-ubuntu
chmod 440 /etc/sudoers.d/90-ci-ubuntu
- name: Run resume-after-failure E2E test
run: bash tests/e2e/test_resume_after_failure.sh