feat: sync lijiaoqiao implementation and staging validation artifacts

2026-03-31 13:40:00 +08:00
parent 0e5ecd930e
commit e9338dec28
686 changed files with 29213 additions and 168 deletions
--- a/scripts/ci/dependency-audit-check.sh
+++ b/scripts/ci/dependency-audit-check.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PROJECT_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+DATE_TAG="${1:-$(date +%F)}"
+REPORT_DIR="$PROJECT_ROOT/reports/dependency"
+
+SBOM_FILE="$REPORT_DIR/sbom_${DATE_TAG}.spdx.json"
+LOCK_DIFF_FILE="$REPORT_DIR/lockfile_diff_${DATE_TAG}.md"
+COMPAT_FILE="$REPORT_DIR/compat_matrix_${DATE_TAG}.md"
+RISK_FILE="$REPORT_DIR/risk_register_${DATE_TAG}.md"
+OUT_FILE="$REPORT_DIR/dependency_audit_result_${DATE_TAG}.md"
+
+missing=0
+for f in "$SBOM_FILE" "$LOCK_DIFF_FILE" "$COMPAT_FILE" "$RISK_FILE"; do
+  if [[ ! -s "$f" ]]; then
+    echo "[FAIL] missing or empty: $f"
+    missing=1
+  else
+    echo "[OK] found: $f"
+  fi
+done
+
+if [[ $missing -ne 0 ]]; then
+  exit 1
+fi
+
+if ! grep -q '"spdxVersion"' "$SBOM_FILE"; then
+  echo "[FAIL] sbom missing spdxVersion"
+  exit 1
+fi
+
+if ! grep -q '"packages"' "$SBOM_FILE"; then
+  echo "[FAIL] sbom missing packages"
+  exit 1
+fi
+
+for f in "$LOCK_DIFF_FILE" "$COMPAT_FILE" "$RISK_FILE"; do
+  if ! grep -q '^- Audit-Status: PASS' "$f"; then
+    echo "[FAIL] audit status not PASS in: $f"
+    exit 1
+  fi
+done
+
+cat > "$OUT_FILE" <<REPORT
+# Dependency Audit Check Result (${DATE_TAG})
+
+- Result: PASS
+- M-017 (\`dependency_compat_audit_pass_pct\`): 100%
+- Checked files:
+  1. ${SBOM_FILE##$PROJECT_ROOT/}
+  2. ${LOCK_DIFF_FILE##$PROJECT_ROOT/}
+  3. ${COMPAT_FILE##$PROJECT_ROOT/}
+  4. ${RISK_FILE##$PROJECT_ROOT/}
+
+REPORT
+
+echo "[PASS] dependency audit check complete"
+echo "result report: $OUT_FILE"