mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-05-16 22:03:05 +08:00
74 lines
2.4 KiB
JavaScript
74 lines
2.4 KiB
JavaScript
#!/usr/bin/env node
|
|
/**
|
|
* Validate the scheduled supply-chain watch workflow contract.
|
|
*/
|
|
|
|
const assert = require('assert');
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
|
|
const WORKFLOW_PATH = path.join(
|
|
__dirname,
|
|
'..',
|
|
'..',
|
|
'.github',
|
|
'workflows',
|
|
'supply-chain-watch.yml',
|
|
);
|
|
|
|
function test(name, fn) {
|
|
try {
|
|
fn();
|
|
console.log(` ✓ ${name}`);
|
|
return true;
|
|
} catch (error) {
|
|
console.log(` ✗ ${name}`);
|
|
console.log(` Error: ${error.message}`);
|
|
return false;
|
|
}
|
|
}
|
|
|
|
function run() {
|
|
console.log('\n=== Testing supply-chain watch workflow ===\n');
|
|
|
|
const source = fs.readFileSync(WORKFLOW_PATH, 'utf8');
|
|
let passed = 0;
|
|
let failed = 0;
|
|
|
|
if (test('runs on schedule and manual dispatch', () => {
|
|
assert.match(source, /schedule:\r?\n\s+- cron: '17 \*\/6 \* \* \*'/);
|
|
assert.match(source, /workflow_dispatch:/);
|
|
})) passed++; else failed++;
|
|
|
|
if (test('uses read-only permissions and non-persisting checkout credentials', () => {
|
|
assert.match(source, /permissions:\r?\n\s+contents: read/);
|
|
assert.doesNotMatch(source, /^\s+[A-Za-z-]+:\s*write\b/m);
|
|
assert.match(source, /uses: actions\/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd/);
|
|
assert.match(source, /persist-credentials: false/);
|
|
assert.doesNotMatch(source, /id-token:\s*write/);
|
|
assert.doesNotMatch(source, /actions\/cache@/);
|
|
})) passed++; else failed++;
|
|
|
|
if (test('installs without lifecycle scripts and verifies registry signatures', () => {
|
|
assert.match(source, /npm ci --ignore-scripts/);
|
|
assert.match(source, /npm audit signatures/);
|
|
assert.match(source, /npm audit --audit-level=high/);
|
|
})) passed++; else failed++;
|
|
|
|
if (test('runs IOC fixtures, emits JSON report, and uploads the artifact', () => {
|
|
assert.match(source, /node tests\/ci\/scan-supply-chain-iocs\.test\.js/);
|
|
assert.match(source, /node scripts\/ci\/scan-supply-chain-iocs\.js --json > artifacts\/supply-chain-ioc-report\.json/);
|
|
assert.match(source, /node scripts\/ci\/validate-workflow-security\.js/);
|
|
assert.match(source, /uses: actions\/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a/);
|
|
assert.match(source, /name: supply-chain-ioc-report/);
|
|
assert.match(source, /retention-days: 14/);
|
|
})) passed++; else failed++;
|
|
|
|
console.log(`\nPassed: ${passed}`);
|
|
console.log(`Failed: ${failed}`);
|
|
|
|
process.exit(failed > 0 ? 1 : 0);
|
|
}
|
|
|
|
run();
|