-
Notifications
You must be signed in to change notification settings - Fork 1
135 lines (119 loc) · 4.94 KB
/
Copy pathe2e-install.yml
File metadata and controls
135 lines (119 loc) · 4.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: E2E Install Verification
on:
push:
branches: [main, booting]
pull_request:
branches: [main]
jobs:
test-install:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Run installer
run: |
mkdir test-project
cd test-project
# We point to the local install.sh but it will still try to download a tarball.
# To test the logic of the script using the CURRENT branch changes,
# we override REPO_TAR_URL to point to this repository's current commit.
export REPO_TAR_URL="https://github.com/${{ github.repository }}/tarball/${{ github.sha }}"
bash ../install.sh
env:
BOOTSTRAP_DEV: 1
- name: Verify files
run: |
cd test-project
echo "Verifying critical files exist..."
test -d .devcontainer
test -f .gitignore
test -f Makefile
test -f README.md
test -f AGENTS.md
test -d scripts
test -f scripts/setup-env.sh
test -f scripts/doctor.sh
test -f docs/VISION.md
test -f docs/ARCHITECTURE.md
test -f docs/MEMORY.md
echo "Verifying execute permissions..."
test -x scripts/setup-env.sh
test -x scripts/start-container.sh
test -x scripts/doctor.sh
echo "Verifying version stamp..."
test -f .bootstrap-version
grep -q '^commit=..*' .bootstrap-version
echo "Verifying no root-only files leaked..."
if [ -f "install.sh" ]; then
echo "Error: install.sh should not be in the project root."
exit 1
fi
echo "✅ E2E Verification Passed!"
- name: Verify installer refuses a non-empty directory
run: |
cd test-project
if bash ../install.sh; then
echo "Error: installer should abort when .devcontainer already exists."
exit 1
fi
echo "✅ Installer guard refused to overwrite an existing project."
- name: Verify installer refuses to overwrite conflicting files
run: |
mkdir collision-project
cd collision-project
echo "precious" > Makefile
export REPO_TAR_URL="https://github.com/${{ github.repository }}/tarball/${{ github.sha }}"
if bash ../install.sh; then
echo "Error: installer should abort when payload files already exist."
exit 1
fi
test "$(cat Makefile)" = "precious"
echo "✅ Installer refused to overwrite an existing Makefile."
- name: Verify git hooks enforce the guardrails
run: |
cd test-project
git init -q
git config user.name "E2E Bot"
git config user.email "e2e@example.com"
git config core.hooksPath .githooks
test -x .githooks/commit-msg
test -x .githooks/pre-commit
git add -A
# The shipped VS Code config must survive the first commit — guards
# against a '.vscode/' ignore pattern whose negations git can't honor.
git ls-files --cached --others --exclude-standard | grep -qx '.vscode/extensions.json' || {
echo "Error: .vscode/extensions.json was not staged (gitignore is eating it)."
exit 1
}
if git commit -q -m "not a conventional message"; then
echo "Error: commit-msg hook should reject non-conventional messages."
exit 1
fi
echo "✅ Non-conventional commit message rejected."
git commit -q -m "chore: initial scaffold from bootstrap"
echo "✅ Conventional commit accepted."
- name: Verify pre-commit blocks a staged secret
run: |
# Same pinned version the devcontainers install; without gitleaks on
# the runner the hook skips the scan and this guardrail goes untested.
GITLEAKS_VERSION=8.30.1
curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| sudo tar -xz -C /usr/local/bin gitleaks
cd test-project
# Fake GitHub PAT — matches gitleaks' default rules (the canonical
# AWS example key is allowlisted upstream, so it can't be used here).
printf 'github_token = "ghp_abcd1234efgh5678ijkl9012mnop3456qrst"\n' > leaky.conf
git add leaky.conf
if git commit -q -m "feat: add config"; then
echo "Error: pre-commit should reject a staged secret."
exit 1
fi
echo "✅ Staged secret rejected by gitleaks."
git rm -q --cached leaky.conf
rm leaky.conf
- name: Verify make targets work in the scaffold
run: |
cd test-project
make help | grep -q "setup"
make doctor
echo "✅ make help and make doctor run in a fresh scaffold."