#!/usr/bin/env bash
set -euo pipefail
# DP release guardrail checks
#
# Runs five checks in order. Steps 1, 2, 3 and 5 stop the script with status 1
# (via fail) on a violation; step 4 only warns. Environment knobs read below:
# RUN_NONREG (default 1) and ALLOW_DIRTY (default 0). Requires git, rg (ripgrep)
# and php on PATH.
# Path fragments whose modification blocks the release; matched
# case-insensitively against the list of pending changed files in step 1.
FORBIDDEN_PATH_REGEX='(pmta|powermta|multiInstall\.js|adxapp\.jar|/\.ssh/|sshd_config)'
# Terms that must not appear in repository content (scanned in step 2);
# the two dotted quads are literal IP addresses with escaped dots.
FORBIDDEN_TERMS_REGEX='(McKinsey|OpenAI|Anthropic|Abbott|AbbVie|J&J|89\.167\.40\.150|88\.198\.4\.195)'
echo "== DP Release Gate =="
fail() {
  # Report a fatal gate violation on stderr and stop the script with status 1.
  # Arguments: message words; they are joined with single spaces.
  local message="$*"
  printf 'FAIL: %s\n' "${message}" >&2
  exit 1
}
warn() {
  # Emit a non-fatal diagnostic on stderr; the caller continues.
  # Arguments: message words; they are joined with single spaces.
  local message="$*"
  printf 'WARN: %s\n' "${message}" >&2
}
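echo "[1/5] Check forbidden path modifications"
# Collect every path with pending work: unstaged edits, staged edits and
# untracked (never added) files. Untracked files are included so that a newly
# created forbidden file cannot pass the gate when it runs with ALLOW_DIRTY=1.
# Only uncommitted changes are inspected here; commits already made are not
# compared. CHANGED_FILES is also consumed by the PHP lint step below.
CHANGED_FILES="$( (git diff --name-only; git diff --cached --name-only; git ls-files --others --exclude-standard) | sort -u )"
if [[ -n "${CHANGED_FILES}" ]]; then
  # Match once and keep the hits instead of grepping twice. rg exits 1 when
  # nothing matches, which must not trip set -e.
  FORBIDDEN_HITS="$(printf '%s\n' "${CHANGED_FILES}" | rg -n -i "${FORBIDDEN_PATH_REGEX}" || true)"
  if [[ -n "${FORBIDDEN_HITS}" ]]; then
    printf '%s\n' "${FORBIDDEN_HITS}"
    fail "Forbidden component touched (PMTA/SSH/JAR/multiInstall.js)"
  fi
fi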
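echo "[2/5] Check confidential terms in repo content"
# Paths excluded from the scan, declared once and shared by the scan and the
# report so the two cannot drift apart. The gate script itself is excluded
# because it necessarily contains the terms in FORBIDDEN_TERMS_REGEX.
# NOTE(review): '!*.md' already covers README.md and excludes every Markdown
# file, so confidential terms in docs are not caught — confirm that is intended.
TERMS_SCAN_GLOBS=(
  --glob '!reports/**'
  --glob '!*vendor/**'
  --glob '!*.bak*'
  --glob '!*.md'
  --glob '!README.md'
  --glob '!nonreg-framework.sh'
  --glob '!execute_all_p0_p1_p2.sh'
  --glob '!dp-release-gate.sh'
)
# rg exits 0 on match, 1 on no match and 2 on error. Run the scan once, keep
# its output, and treat an rg error as a gate failure rather than as "no hits",
# so a broken scan cannot silently pass the release.
TERMS_RC=0
TERMS_HITS="$(rg -n -i "${FORBIDDEN_TERMS_REGEX}" /workspace "${TERMS_SCAN_GLOBS[@]}")" || TERMS_RC=$?
if [[ "${TERMS_RC}" -ne 1 ]]; then
  if [[ -n "${TERMS_HITS}" ]]; then
    # Show at most the first 40 hits to keep the log readable; mapfile -n
    # avoids a pipe into head (and the SIGPIPE it can raise under pipefail).
    mapfile -t -n 40 TERMS_PREVIEW <<< "${TERMS_HITS}"
    printf '%s\n' "${TERMS_PREVIEW[@]}"
  fi
  if [[ "${TERMS_RC}" -eq 0 ]]; then
    fail "Confidential terms detected in repository content"
  fi
  fail "rg exited with status ${TERMS_RC} while scanning /workspace for confidential terms"
fi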
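echo "[3/5] PHP syntax checks for changed PHP files"
# Select the .php entries of CHANGED_FILES (set in step 1) with a plain suffix
# test; the previous rg -n / sed round trip only added and removed line numbers.
PHP_CHANGED=""
while IFS= read -r f; do
  if [[ "$f" == *.php ]]; then
    PHP_CHANGED+="${f}"$'\n'
  fi
done <<< "${CHANGED_FILES}"
# Drop the trailing newline so PHP_CHANGED has the same shape as before
# (newline-separated, no terminator).
PHP_CHANGED="${PHP_CHANGED%$'\n'}"
if [[ -n "${PHP_CHANGED}" ]]; then
  while IFS= read -r f; do
    [[ -z "$f" ]] && continue
    # Deleted files are still listed by git diff; there is nothing to lint.
    [[ -f "$f" ]] || continue
    # Capture both streams so the linter's diagnostic is shown on failure
    # instead of being discarded.
    if ! PHP_LINT_OUT="$(php -l "$f" 2>&1)"; then
      printf '%s\n' "${PHP_LINT_OUT}" >&2
      fail "PHP syntax invalid: $f"
    fi
  done <<< "${PHP_CHANGED}"
else
  warn "No changed PHP files to lint"
fi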
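echo "[4/5] Run anti-regression smoke"
if [[ "${RUN_NONREG:-1}" == "1" ]]; then
  # Write the nonreg log to a freshly created, unpredictable file rather than a
  # fixed name under /tmp, so another local user cannot pre-create or symlink
  # the path. The file is kept for inspection and its name is printed.
  # NOTE(review): anything that read the former fixed path /tmp/dp_nonreg_gate.out
  # must use the reported name instead.
  NONREG_OUT="$(mktemp "${TMPDIR:-/tmp}/dp_nonreg_gate.XXXXXX")" || fail "mktemp failed for nonreg log"
  printf 'nonreg log: %s\n' "${NONREG_OUT}"
  # A failing nonreg run only warns; it does not block the gate.
  /workspace/nonreg-framework.sh >"${NONREG_OUT}" 2>&1 || warn "nonreg returned failures (see ${NONREG_OUT})"
else
  warn "RUN_NONREG=0, skip nonreg run"
fi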
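echo "[5/5] Check git cleanliness"
# ALLOW_DIRTY=1 bypasses this check entirely; by default a clean working tree
# is required (git status --short also lists untracked files, so they count).
if [[ "${ALLOW_DIRTY:-0}" != "1" ]]; then
  # Query git once and reuse the result for both the test and the listing.
  GIT_STATUS="$(git status --short)"
  if [[ -n "${GIT_STATUS}" ]]; then
    printf '%s\n' "${GIT_STATUS}"
    fail "Working tree not clean (0 dirty rule)"
  fi
fi
echo "PASS: DP Release Gate checks completed."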