daa875fc56
Update cookbook fetch.rs for protected recipe handling and atomic patch application. Update config.mk, device services, and legacy base configs. Add patch-inclusion-gate script.
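#!/usr/bin/env bash
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
#
# Public scripts that create harddrive images or live ISOs must call this before
# invoking `make all`, `make live`, or a direct image target. The cookbook still
# applies patches from recipe.toml; this gate verifies the durable patch store is
# classified and that active ledger entries are wired into recipes.
#
# Environment:
#   REDBEAR_SKIP_PATCH_INCLUSION_GATE  the literal value "1" bypasses the gate; the
#                                      bypass is announced on stderr and exits 0.
#
# Exit status:
#   0  both checks passed, or the gate was explicitly bypassed
#   1  a gate script or python3 is missing, or the project root is unreachable
#   *  otherwise the non-zero status of the first failing check (set -e)

set -euo pipefail

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
readonly SCRIPT_DIR PROJECT_ROOT

# All gate paths below are relative to the project root.
cd "$PROJECT_ROOT" || die "cannot cd to project root: $PROJECT_ROOT"

# Explicit bypass: only the literal value "1" disables the gate, and the bypass
# is always announced on stderr so it is visible in build logs.
if [[ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" == "1" ]]; then
  printf 'WARNING: REDBEAR_SKIP_PATCH_INCLUSION_GATE=1; patch inclusion gate bypassed\n' >&2
  exit 0
fi

ledger_gate="local/scripts/classify-patches-ledger.py"
wiring_gate="local/scripts/ensure-patches-wired.py"
readonly ledger_gate wiring_gate

# Fail closed with a clear message rather than a "command not found" or a
# python3 "No such file" error if a prerequisite is absent from the checkout.
command -v python3 >/dev/null 2>&1 || die "python3 is required to run the patch gates"
[[ -x "$ledger_gate" ]] || die "missing executable patch ledger gate: $ledger_gate"
[[ -f "$wiring_gate" ]] || die "missing patch wiring gate: $wiring_gate"

printf '%s\n' ">>> Verifying Red Bear patch inclusion before image creation"
# Both checks must pass; under set -e the first failing check aborts the script
# with that check's exit status, so no image is built on a partial result.
python3 "$wiring_gate"
python3 "$ledger_gate" --strict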