stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Merge all changes

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-08 08:54:27 +02:00
parent 589de352c2
commit 110591d6bf
381 changed files with 2237 additions and 1939 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitea/workflows/advisory-ai-release.yml
View File

@@ -15,7 +15,7 @@ on:
jobs:
package-feeds:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -68,3 +68,4 @@ jobs:
out/advisory-ai/feeds/provenance.json
if-no-files-found: warn
retention-days: 30

3
.gitea/workflows/airgap-sealed-ci.yml
View File

@@ -14,7 +14,7 @@ on:
jobs:
sealed-smoke:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: read
steps:
@@ -26,3 +26,4 @@ jobs:
run: pip install dnslib
- name: Run sealed-mode smoke
run: sudo devops/airgap/sealed-ci-smoke.sh

3
.gitea/workflows/aoc-backfill-release.yml
View File

@@ -14,7 +14,7 @@ on:
jobs:
package-backfill:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -81,3 +81,4 @@ jobs:
out/aoc/SHA256SUMS
if-no-files-found: warn
retention-days: 30

5
.gitea/workflows/aoc-guard.yml
View File

@@ -22,7 +22,7 @@ on:
jobs:
aoc-guard:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -100,7 +100,7 @@ jobs:
aoc-verify:
needs: aoc-guard
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
if: github.event_name != 'schedule'
env:
DOTNET_VERSION: '10.0.100'
@@ -168,3 +168,4 @@ jobs:
with:
name: aoc-verify-artifacts
path: ${{ env.ARTIFACT_DIR }}

3
.gitea/workflows/authority-key-rotation.yml
View File

@@ -50,7 +50,7 @@ on:
jobs:
rotate:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
environment: ${{ inputs.environment }}
steps:
- name: Checkout repository
@@ -164,3 +164,4 @@ jobs:
echo "Key Path: ${{ inputs.key_path }}"
echo "Source: ${{ inputs.source }}"
echo "Algorithm: ${{ inputs.algorithm }}"

25
.gitea/workflows/build-test-deploy.yml
View File

@@ -55,7 +55,7 @@ env:
jobs:
profile-validation:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
@@ -82,7 +82,7 @@ jobs:
run: ./devops/tools/validate-profiles.sh
build-test:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
environment: ${{ github.event_name == 'pull_request' && 'preview' || 'staging' }}
env:
PUBLISH_DIR: ${{ github.workspace }}/artifacts/publish/webservice
@@ -590,7 +590,7 @@ PY
# Quality Gates Foundation (Sprint 0350)
# ============================================================================
quality-gates:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-test
permissions:
contents: read
@@ -674,7 +674,7 @@ PY
retention-days: 14
security-testing:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-test
if: github.event_name == 'pull_request' || github.event_name == 'schedule'
permissions:
@@ -717,7 +717,7 @@ PY
retention-days: 30
mutation-testing:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-test
if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
permissions:
@@ -790,7 +790,7 @@ PY
fi
sealed-mode-ci:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-test
permissions:
contents: read
@@ -828,7 +828,7 @@ PY
retention-days: 14
authority-container:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-test
steps:
- name: Checkout repository
@@ -843,7 +843,7 @@ PY
excititor-batch-validation:
needs: build-test
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.excititor_batch == 'true')
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
BATCH_RESULTS_DIR: ${{ github.workspace }}/artifacts/test-results/excititor-batch
steps:
@@ -876,7 +876,7 @@ PY
path: ${{ env.BATCH_RESULTS_DIR }}
docs:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-site
steps:
@@ -906,7 +906,7 @@ PY
retention-days: 7
scanner-perf:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-test
env:
BENCH_DIR: src/Bench/StellaOps.Bench/Scanner.Analyzers
@@ -987,7 +987,7 @@ PY
retention-days: 7
deploy:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [build-test, docs, scanner-perf]
if: >-
needs.build-test.result == 'success' &&
@@ -1160,7 +1160,7 @@ PY
echo " Ref: ${{ github.ref }}"
notify-smoke:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: deploy
if: needs.deploy.result == 'success'
env:
@@ -1202,3 +1202,4 @@ PY
- name: Run Notify smoke validation
run: dotnet run --project tools/NotifySmokeCheck/NotifySmokeCheck.csproj --configuration Release

3
.gitea/workflows/concelier-store-aoc-19-005.yml
View File

@@ -5,7 +5,7 @@ on:
jobs:
build-dataset:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
ARTIFACT_DIR: ${{ github.workspace }}/out/linksets
steps:
@@ -30,3 +30,4 @@ jobs:
path: |
${ARTIFACT_DIR}/linksets-stage-backfill.tar.zst
${ARTIFACT_DIR}/linksets-stage-backfill.tar.zst.sha256

5
.gitea/workflows/connector-fixture-drift.yml
View File

@@ -32,7 +32,7 @@ env:
jobs:
detect-drift:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: write
pull-requests: write
@@ -124,7 +124,7 @@ jobs:
create-pr:
needs: detect-drift
if: needs.detect-drift.outputs.has_drift == 'true' && (github.event.inputs.create_pr == 'true' || github.event_name == 'schedule')
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: write
pull-requests: write
@@ -245,3 +245,4 @@ This commit was auto-generated by the connector-fixture-drift workflow.
issue_number: pr.number,
labels: ['automated', 'fixtures', 'schema-drift']
});

3
.gitea/workflows/crypto-compliance.yml
View File

@@ -17,7 +17,7 @@ on:
jobs:
crypto-audit:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -42,3 +42,4 @@ jobs:
path: |
scripts/audit-crypto-usage.ps1
retention-days: 30

5
.gitea/workflows/dead-path-detection.yml
View File

@@ -49,7 +49,7 @@ jobs:
detect:
name: Detect Dead Paths
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
has-new-dead-paths: ${{ steps.check.outputs.has_new_dead_paths }}
new-dead-path-count: ${{ steps.check.outputs.new_count }}
@@ -354,7 +354,7 @@ jobs:
name: Post Report
needs: detect
if: github.event_name == 'pull_request' && always()
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
pull-requests: write
steps:
@@ -436,3 +436,4 @@ jobs:
body: body
});
}

11
.gitea/workflows/deploy-keyless-verify.yml
View File

@@ -38,7 +38,7 @@ env:
jobs:
pre-flight:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
identity-pattern: ${{ steps.config.outputs.identity-pattern }}
@@ -61,7 +61,7 @@ jobs:
verify-attestations:
needs: pre-flight
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: read
@@ -123,7 +123,7 @@ jobs:
verify-provenance:
needs: pre-flight
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: read
@@ -160,7 +160,7 @@ jobs:
create-audit-entry:
needs: [verify-attestations, verify-provenance]
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Install StellaOps CLI
@@ -183,7 +183,7 @@ jobs:
approve-deployment:
needs: [verify-attestations, verify-provenance, create-audit-entry]
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
environment: ${{ github.event.inputs.environment }}
steps:
@@ -202,3 +202,4 @@ jobs:
Deployment can now proceed.
EOF

9
.gitea/workflows/determinism-gate.yml
View File

@@ -48,7 +48,7 @@ jobs:
# ===========================================================================
schema-validation:
name: Schema Validation
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
if: github.event.inputs.skip_schema_validation != 'true'
timeout-minutes: 10
@@ -128,7 +128,7 @@ jobs:
needs: [schema-validation]
if: always() && (needs.schema-validation.result == 'success' || needs.schema-validation.result == 'skipped')
name: Determinism Validation
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
outputs:
@@ -243,7 +243,7 @@ jobs:
# ===========================================================================
update-baselines:
name: Update Baselines
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [schema-validation, determinism-gate]
if: github.event_name == 'workflow_dispatch' && github.event.inputs.update_baselines == 'true'
@@ -293,7 +293,7 @@ jobs:
# ===========================================================================
drift-check:
name: Drift Detection Gate
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [schema-validation, determinism-gate]
if: always()
@@ -328,3 +328,4 @@ jobs:
echo "" >> $GITHUB_STEP_SUMMARY
echo "Schema Validation: ${{ needs.schema-validation.result || 'skipped' }}" >> $GITHUB_STEP_SUMMARY
echo "Determinism Status: ${{ needs.determinism-gate.outputs.status || 'pass' }}" >> $GITHUB_STEP_SUMMARY

3
.gitea/workflows/docs.yml
View File

@@ -22,7 +22,7 @@ env:
jobs:
lint-and-preview:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-preview
steps:
@@ -99,3 +99,4 @@ jobs:
name: feedser-docs-preview
path: ${{ env.DOCS_OUTPUT_DIR }}
retention-days: 7

3
.gitea/workflows/epss-ingest-perf.yml
View File

@@ -40,7 +40,7 @@ on:
jobs:
perf:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -96,3 +96,4 @@ jobs:
path: |
bench/results/epss-ingest-perf-${{ github.sha }}.json
retention-days: 90

3
.gitea/workflows/export-ci.yml
View File

@@ -18,7 +18,7 @@ on:
jobs:
export-ci:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
MINIO_ACCESS_KEY: exportci
@@ -83,3 +83,4 @@ jobs:
- name: Teardown MinIO
if: always()
run: docker compose -f devops/export/minio-compose.yml down -v

7
.gitea/workflows/findings-ledger-ci.yml
View File

@@ -26,7 +26,7 @@ env:
jobs:
build-test:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
TEST_RESULTS_DIR: ${{ github.workspace }}/artifacts/test-results
steps:
@@ -68,7 +68,7 @@ jobs:
path: ${{ env.TEST_RESULTS_DIR }}
migration-validation:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
services:
postgres:
image: postgres:16-alpine
@@ -228,7 +228,7 @@ jobs:
echo "✓ Migration is idempotent"
generate-manifest:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [build-test, migration-validation]
steps:
- name: Checkout repository
@@ -323,3 +323,4 @@ jobs:
name: findings-ledger-migrations
path: out/findings-ledger/
if-no-files-found: error

3
.gitea/workflows/icscisa-kisa-refresh.yml
View File

@@ -18,7 +18,7 @@ on:
jobs:
refresh:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: read
env:
@@ -66,3 +66,4 @@ jobs:
path: out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}
if-no-files-found: error
retention-days: 21

5
.gitea/workflows/interop-e2e.yml
View File

@@ -15,7 +15,7 @@ env:
jobs:
interop-tests:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
strategy:
fail-fast: false
matrix:
@@ -96,7 +96,7 @@ jobs:
fi
summary:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: interop-tests
if: always()
@@ -126,3 +126,4 @@ jobs:
fi
echo "| ${format} | ${STATUS} |" >> $GITHUB_STEP_SUMMARY
done

7
.gitea/workflows/ledger-oas-ci.yml
View File

@@ -13,7 +13,7 @@ on:
jobs:
validate-oas:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -44,7 +44,7 @@ jobs:
if-no-files-found: warn
check-wellknown:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: validate-oas
steps:
- name: Checkout
@@ -64,7 +64,7 @@ jobs:
fi
deprecation-check:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: validate-oas
steps:
- name: Checkout
@@ -79,3 +79,4 @@ jobs:
else
echo "[info] No deprecation policy yet (OK for initial setup)"
fi

5
.gitea/workflows/ledger-packs-ci.yml
View File

@@ -18,7 +18,7 @@ on:
jobs:
build-pack:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
steps:
@@ -71,7 +71,7 @@ jobs:
retention-days: 30
verify-pack:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-pack
steps:
- name: Checkout
@@ -99,3 +99,4 @@ jobs:
fi
fi
done

9
.gitea/workflows/license-audit.yml
View File

@@ -35,7 +35,7 @@ on:
jobs:
nuget-license-audit:
name: NuGet License Audit
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -94,7 +94,7 @@ jobs:
npm-license-audit:
name: npm License Audit
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -142,7 +142,7 @@ jobs:
vendored-license-check:
name: Vendored Components Check
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -207,7 +207,7 @@ jobs:
license-compatibility-check:
name: License Compatibility Check
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [nuget-license-audit, npm-license-audit]
steps:
- name: Checkout
@@ -297,3 +297,4 @@ jobs:
name: license-audit-summary
path: out/combined
retention-days: 90

5
.gitea/workflows/lighthouse-ci.yml
View File

@@ -26,7 +26,7 @@ env:
jobs:
lighthouse:
name: Lighthouse Audit
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
defaults:
run:
working-directory: src/Web/StellaOps.Web
@@ -145,7 +145,7 @@ jobs:
axe-accessibility:
name: Axe Accessibility Audit
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
defaults:
run:
working-directory: src/Web/StellaOps.Web
@@ -186,3 +186,4 @@ jobs:
name: axe-accessibility-results
path: src/Web/StellaOps.Web/test-results/
retention-days: 30

3
.gitea/workflows/lnm-backfill.yml
View File

@@ -19,7 +19,7 @@ on:
jobs:
lnm-backfill:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -62,3 +62,4 @@ jobs:
with:
name: lnm-backfill-artifacts
path: ${{ env.ARTIFACT_DIR }}

5
.gitea/workflows/lnm-migration-ci.yml
View File

@@ -15,7 +15,7 @@ on:
jobs:
build-runner:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -60,7 +60,7 @@ jobs:
if-no-files-found: warn
validate-metrics:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: build-runner
steps:
- name: Checkout
@@ -81,3 +81,4 @@ jobs:
fi
echo "Monitoring config validation complete"

3
.gitea/workflows/lnm-vex-backfill.yml
View File

@@ -23,7 +23,7 @@ on:
jobs:
vex-backfill:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -61,3 +61,4 @@ jobs:
with:
name: lnm-vex-backfill-artifacts
path: ${{ env.ARTIFACT_DIR }}

11
.gitea/workflows/migration-test.yml
View File

@@ -69,7 +69,7 @@ jobs:
discover:
name: Discover Migrations
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
modules: ${{ steps.find.outputs.modules }}
module_count: ${{ steps.find.outputs.count }}
@@ -119,7 +119,7 @@ jobs:
forward-migrations:
name: Forward Migration
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
needs: discover
if: needs.discover.outputs.module_count != '0'
@@ -246,7 +246,7 @@ jobs:
rollback-migrations:
name: Rollback Migration
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
needs: [discover, forward-migrations]
if: |
@@ -371,7 +371,7 @@ jobs:
idempotency:
name: Idempotency Test
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 20
needs: [discover, forward-migrations]
if: |
@@ -490,7 +490,7 @@ jobs:
summary:
name: Migration Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [discover, forward-migrations, rollback-migrations, idempotency]
if: always()
steps:
@@ -510,3 +510,4 @@ jobs:
- name: Check for failures
if: contains(needs.*.result, 'failure')
run: exit 1

3
.gitea/workflows/mirror-sign.yml
View File

@@ -7,7 +7,7 @@ on:
jobs:
mirror-sign:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
REQUIRE_PROD_SIGNING: 1
@@ -72,3 +72,4 @@ jobs:
out/mirror/thin/export-center/schedule-response.json
if-no-files-found: error
retention-days: 14

13
.gitea/workflows/module-publish.yml
View File

@@ -59,7 +59,7 @@ jobs:
parse-tag:
name: Parse Tag
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
if: github.event_name == 'push'
outputs:
module: ${{ steps.parse.outputs.module }}
@@ -90,7 +90,7 @@ jobs:
validate:
name: Validate Inputs
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [parse-tag]
if: always() && (needs.parse-tag.result == 'success' || needs.parse-tag.result == 'skipped')
outputs:
@@ -139,7 +139,7 @@ jobs:
publish-nuget:
name: Publish NuGet
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
if: needs.validate.outputs.publish_nuget == 'true'
steps:
@@ -251,7 +251,7 @@ jobs:
publish-container:
name: Publish Container
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
if: needs.validate.outputs.publish_container == 'true' && needs.validate.outputs.module != 'CLI'
steps:
@@ -310,7 +310,7 @@ jobs:
publish-cli:
name: Publish CLI (${{ matrix.runtime }})
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
if: needs.validate.outputs.module == 'CLI'
strategy:
@@ -378,7 +378,7 @@ jobs:
summary:
name: Publish Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, publish-nuget, publish-container, publish-cli]
if: always()
steps:
@@ -403,3 +403,4 @@ jobs:
run: |
echo "::error::One or more publish jobs failed"
exit 1

17
.gitea/workflows/nightly-regression.yml
View File

@@ -47,7 +47,7 @@ jobs:
prepare:
name: Prepare Nightly Run
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
run_id: ${{ steps.metadata.outputs.run_id }}
run_date: ${{ steps.metadata.outputs.run_date }}
@@ -88,7 +88,7 @@ jobs:
build:
name: Full Build
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
needs: prepare
steps:
@@ -126,7 +126,7 @@ jobs:
test-pr-gating:
name: PR-Gating Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 45
needs: build
services:
@@ -184,7 +184,7 @@ jobs:
test-extended:
name: Extended Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 60
needs: build
if: github.event.inputs.skip_performance != 'true'
@@ -227,7 +227,7 @@ jobs:
determinism:
name: Determinism Verification
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 45
needs: build
if: github.event.inputs.skip_determinism != 'true'
@@ -289,7 +289,7 @@ jobs:
cross-module:
name: Cross-Module Validation
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
needs: build
steps:
@@ -341,7 +341,7 @@ jobs:
coverage:
name: Code Coverage
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 45
needs: build
services:
@@ -415,7 +415,7 @@ jobs:
summary:
name: Nightly Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs:
- prepare
- build
@@ -483,3 +483,4 @@ jobs:
- name: Exit with appropriate code
if: steps.status.outputs.status == 'failure'
run: exit 1

5
.gitea/workflows/offline-e2e.yml
View File

@@ -16,7 +16,7 @@ env:
jobs:
offline-e2e:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout
@@ -82,7 +82,7 @@ jobs:
path: ./results/
verify-isolation:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: offline-e2e
if: always()
@@ -119,3 +119,4 @@ jobs:
else
echo "⚠️ No test results found" >> $GITHUB_STEP_SUMMARY
fi

3
.gitea/workflows/policy-lint.yml
View File

@@ -17,7 +17,7 @@ on:
jobs:
policy-lint:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -68,3 +68,4 @@ jobs:
name: policy-lint
path: out/policy-lint
retention-days: 7

3
.gitea/workflows/policy-simulate.yml
View File

@@ -17,7 +17,7 @@ on:
jobs:
policy-simulate:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -87,3 +87,4 @@ jobs:
name: policy-signing
path: out/policy-sign
retention-days: 7

3
.gitea/workflows/promote.yml
View File

@@ -19,7 +19,7 @@ on:
jobs:
promote:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
environment: production
steps:
- name: Checkout repository
@@ -207,3 +207,4 @@ jobs:
else
echo " Docs: skipped"
fi

7
.gitea/workflows/reachability-bench.yaml
View File

@@ -34,7 +34,7 @@ on:
jobs:
benchmark:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -242,7 +242,7 @@ jobs:
update-baseline:
needs: benchmark
if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.benchmark.outputs.regression != 'true'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -263,7 +263,7 @@ jobs:
notify-pr:
needs: benchmark
if: github.event_name == 'pull_request'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
pull-requests: write
steps:
@@ -304,3 +304,4 @@ jobs:
repo: context.repo.repo,
body: body
});

7
.gitea/workflows/reachability-corpus-ci.yml
View File

@@ -20,7 +20,7 @@ on:
jobs:
validate-corpus:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -136,7 +136,7 @@ jobs:
retention-days: 14
validate-ground-truths:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
TZ: UTC
steps:
@@ -205,7 +205,7 @@ jobs:
EOF
determinism-check:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
TZ: UTC
needs: validate-corpus
@@ -265,3 +265,4 @@ jobs:
print(f"Checked {len(json_files)} JSON files")
EOF

7
.gitea/workflows/release-keyless-sign.yml
View File

@@ -37,7 +37,7 @@ env:
jobs:
sign-images:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
id-token: write
contents: read
@@ -170,7 +170,7 @@ jobs:
--registry "stellaops/gateway"
sign-binaries:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
id-token: write
contents: read
@@ -329,7 +329,7 @@ jobs:
verify-signatures:
needs: [sign-images, sign-binaries]
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: read
packages: read
@@ -397,3 +397,4 @@ jobs:
--certificate-oidc-issuer "https://git.stella-ops.org"
\`\`\`
EOF

29
.gitea/workflows/release-suite.yml
View File

@@ -50,7 +50,7 @@ jobs:
parse-tag:
name: Parse Tag
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
if: github.event_name == 'push'
outputs:
version: ${{ steps.parse.outputs.version }}
@@ -89,7 +89,7 @@ jobs:
validate:
name: Validate Release
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [parse-tag]
if: always() && (needs.parse-tag.result == 'success' || needs.parse-tag.result == 'skipped')
outputs:
@@ -150,7 +150,7 @@ jobs:
test-gate:
name: Test Gate
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
if: github.event.inputs.skip_tests != 'true'
steps:
@@ -192,7 +192,7 @@ jobs:
build-modules:
name: Build ${{ matrix.module }}
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, test-gate]
if: always() && needs.validate.result == 'success' && (needs.test-gate.result == 'success' || needs.test-gate.result == 'skipped')
strategy:
@@ -293,7 +293,7 @@ jobs:
build-containers:
name: Container ${{ matrix.module }}
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-modules]
if: needs.validate.outputs.dry_run != 'true'
strategy:
@@ -351,7 +351,7 @@ jobs:
build-cli:
name: CLI (${{ matrix.runtime }})
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, test-gate]
if: always() && needs.validate.result == 'success' && (needs.test-gate.result == 'success' || needs.test-gate.result == 'skipped')
strategy:
@@ -421,7 +421,7 @@ jobs:
build-helm:
name: Helm Chart
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
steps:
- name: Checkout
@@ -459,7 +459,7 @@ jobs:
release-manifest:
name: Release Manifest
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-modules, build-cli, build-helm]
if: always() && needs.validate.result == 'success'
steps:
@@ -538,7 +538,7 @@ jobs:
generate-changelog:
name: Generate Changelog
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-modules]
if: always() && needs.validate.result == 'success'
steps:
@@ -595,7 +595,7 @@ jobs:
generate-suite-docs:
name: Generate Suite Docs
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, generate-changelog, release-manifest]
if: always() && needs.validate.result == 'success'
steps:
@@ -658,7 +658,7 @@ jobs:
generate-compose:
name: Generate Docker Compose
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, release-manifest]
if: always() && needs.validate.result == 'success'
steps:
@@ -704,7 +704,7 @@ jobs:
commit-docs:
name: Commit Documentation
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, generate-suite-docs, generate-compose, create-release]
if: needs.validate.outputs.dry_run != 'true' && needs.create-release.result == 'success'
steps:
@@ -765,7 +765,7 @@ jobs:
create-release:
name: Create Gitea Release
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-modules, build-containers, build-cli, build-helm, release-manifest]
if: needs.validate.outputs.dry_run != 'true'
steps:
@@ -877,7 +877,7 @@ jobs:
summary:
name: Release Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-modules, build-containers, build-cli, build-helm, release-manifest, generate-changelog, generate-suite-docs, generate-compose, create-release, commit-docs]
if: always()
steps:
@@ -912,3 +912,4 @@ jobs:
run: |
echo "::error::One or more release jobs failed"
exit 1

3
.gitea/workflows/release.yml
View File

@@ -34,7 +34,7 @@ on:
jobs:
build-release:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
REGISTRY: registry.stella-ops.org
@@ -249,3 +249,4 @@ jobs:
name: stellaops-debug-${{ steps.meta.outputs.version }}
path: out/release/debug
if-no-files-found: error

5
.gitea/workflows/replay-verification.yml
View File

@@ -1,4 +1,4 @@
name: Replay Verification
name: Replay Verification
on:
pull_request:
@@ -11,7 +11,7 @@ on:
jobs:
replay-verification:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@v4
@@ -37,3 +37,4 @@ jobs:
with:
name: replay-diff-report
path: results/diff-report.json

7
.gitea/workflows/risk-bundle-ci.yml
View File

@@ -30,7 +30,7 @@ on:
jobs:
risk-bundle-build:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -101,7 +101,7 @@ jobs:
path: ${{ env.ARTIFACT_DIR }}/*.trx
risk-bundle-offline-kit:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: risk-bundle-build
env:
ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -156,7 +156,7 @@ jobs:
path: ${{ env.OFFLINE_KIT_DIR }}
publish-checksums:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: risk-bundle-build
if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event.inputs.publish_checksums == 'true')
env:
@@ -196,3 +196,4 @@ jobs:
with:
name: risk-bundle-published-checksums
path: out/checksums/risk-bundle/

7
.gitea/workflows/rollback-lag.yml
View File

@@ -60,7 +60,7 @@ jobs:
preflight:
name: Pre-Flight Checks
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
environment: ${{ inputs.environment || 'staging' }}
outputs:
current-version: ${{ steps.current.outputs.version }}
@@ -173,7 +173,7 @@ jobs:
name: Measure Rollback Lag
needs: preflight
if: needs.preflight.outputs.can-rollback == 'true'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
environment: ${{ inputs.environment || 'staging' }}
outputs:
rollback-time: ${{ steps.timing.outputs.rollback_time }}
@@ -328,7 +328,7 @@ jobs:
name: Generate Report
needs: [preflight, measure]
if: always() && needs.preflight.result == 'success'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Generate Report
run: |
@@ -401,3 +401,4 @@ jobs:
SLO_SECONDS="${{ inputs.rollback_slo_seconds || 300 }}"
echo "::error::Rollback took ${TOTAL_LAG}s, exceeds SLO of ${SLO_SECONDS}s"
exit 1

9
.gitea/workflows/router-chaos.yml
View File

@@ -33,7 +33,7 @@ env:
jobs:
load-tests:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
services:
@@ -139,7 +139,7 @@ jobs:
fi
chaos-unit-tests:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 20
needs: load-tests
if: always()
@@ -198,7 +198,7 @@ jobs:
retention-days: 30
valkey-failure-tests:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 20
needs: load-tests
if: ${{ github.event.inputs.run_valkey_tests != 'false' }}
@@ -235,7 +235,7 @@ jobs:
path: results/
analyze-results:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [load-tests, chaos-unit-tests]
if: always()
@@ -304,3 +304,4 @@ jobs:
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Thresholds" >> $GITHUB_STEP_SUMMARY
echo "- Status: ${{ steps.analysis.outputs.thresholds_passed == 'true' && 'PASSED' || 'FAILED' }}" >> $GITHUB_STEP_SUMMARY

11
.gitea/workflows/sast-scan.yml
View File

@@ -74,7 +74,7 @@ jobs:
sast-scan:
name: SAST Analysis
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
permissions:
security-events: write
@@ -197,7 +197,7 @@ jobs:
dotnet-security:
name: .NET Security Analysis
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 20
steps:
- name: Checkout
@@ -257,7 +257,7 @@ jobs:
dependency-check:
name: Dependency Vulnerabilities
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 15
steps:
- name: Checkout
@@ -308,7 +308,7 @@ jobs:
dockerfile-lint:
name: Dockerfile Security
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 10
steps:
- name: Checkout
@@ -362,7 +362,7 @@ jobs:
summary:
name: SAST Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [sast-scan, dotnet-security, dependency-check, dockerfile-lint]
if: always()
steps:
@@ -384,3 +384,4 @@ jobs:
needs.dotnet-security.result == 'failure' ||
needs.dependency-check.result == 'failure')
run: exit 1

9
.gitea/workflows/schema-evolution.yml
View File

@@ -53,7 +53,7 @@ jobs:
discover:
name: Discover Changed Modules
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
modules: ${{ steps.detect.outputs.modules }}
has-schema-changes: ${{ steps.detect.outputs.has_changes }}
@@ -126,7 +126,7 @@ jobs:
name: Test ${{ matrix.module }} (Schema ${{ matrix.schema-version }})
needs: discover
if: needs.discover.outputs.has-schema-changes == 'true' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
strategy:
fail-fast: false
matrix:
@@ -275,7 +275,7 @@ jobs:
name: Generate Compatibility Report
needs: [discover, test]
if: always() && needs.discover.outputs.has-schema-changes == 'true'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Download All Results
uses: actions/download-artifact@v4
@@ -337,7 +337,7 @@ jobs:
name: Post Report to PR
needs: [discover, test, report]
if: github.event_name == 'pull_request' && always()
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
pull-requests: write
steps:
@@ -416,3 +416,4 @@ jobs:
body: body
});
}

3
.gitea/workflows/sdk-publish.yml
View File

@@ -17,7 +17,7 @@ on:
jobs:
sdk-publish:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -89,3 +89,4 @@ jobs:
.nuget/packages/*.nupkg
if-no-files-found: warn
retention-days: 7

13
.gitea/workflows/secrets-bundle-release.yml
View File

@@ -47,7 +47,7 @@ jobs:
validate:
name: Validate Inputs
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
version: ${{ steps.resolve.outputs.version }}
sign_bundle: ${{ steps.resolve.outputs.sign_bundle }}
@@ -95,7 +95,7 @@ jobs:
build-bundle:
name: Build Secrets Bundle
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
steps:
- name: Checkout
@@ -201,7 +201,7 @@ jobs:
sign-bundle:
name: Sign Secrets Bundle
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-bundle]
if: needs.validate.outputs.sign_bundle == 'true'
steps:
@@ -305,7 +305,7 @@ jobs:
package-offline-kit:
name: Package for Offline Kit
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-bundle, sign-bundle]
if: always() && needs.build-bundle.result == 'success' && needs.validate.outputs.include_in_kit == 'true'
steps:
@@ -357,7 +357,7 @@ jobs:
publish:
name: Publish Bundle
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, sign-bundle, package-offline-kit]
if: needs.validate.outputs.dry_run != 'true' && needs.sign-bundle.result == 'success'
steps:
@@ -478,7 +478,7 @@ jobs:
summary:
name: Build Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-bundle, sign-bundle, package-offline-kit, publish]
if: always()
steps:
@@ -501,3 +501,4 @@ jobs:
echo "| Sign Bundle | ${{ needs.sign-bundle.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Package Offline Kit | ${{ needs.package-offline-kit.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Publish | ${{ needs.publish.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY

3
.gitea/workflows/signals-ci.yml
View File

@@ -19,7 +19,7 @@ on:
jobs:
signals-ci:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -73,3 +73,4 @@ jobs:
out/signals
out/signals/signals-image.tar
retention-days: 7

5
.gitea/workflows/signals-dsse-sign.yml
View File

@@ -22,7 +22,7 @@ on:
jobs:
sign-signals-artifacts:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -120,7 +120,7 @@ jobs:
echo "Artifacts available as workflow artifact for manual ingestion"
verify-signatures:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: sign-signals-artifacts
steps:
- name: Checkout
@@ -181,3 +181,4 @@ jobs:
done
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "Run ID: ${{ github.run_number }}" >> "$GITHUB_STEP_SUMMARY"

5
.gitea/workflows/signals-reachability.yml
View File

@@ -21,7 +21,7 @@ on:
jobs:
reachability-smoke:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -54,7 +54,7 @@ jobs:
scripts/signals/reachability-smoke.sh
sign-and-upload:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: reachability-smoke
env:
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
@@ -125,3 +125,4 @@ jobs:
if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
run: |
echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"

3
.gitea/workflows/symbols-ci.yml
View File

@@ -17,7 +17,7 @@ on:
jobs:
symbols-smoke:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
ARTIFACT_DIR: ${{ github.workspace }}/artifacts/symbols-ci
steps:
@@ -45,3 +45,4 @@ jobs:
name: symbols-ci
path: ${{ env.ARTIFACT_DIR }}
retention-days: 7

3
.gitea/workflows/symbols-release.yml
View File

@@ -8,7 +8,7 @@ on:
jobs:
symbols-release-smoke:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
ARTIFACT_DIR: ${{ github.workspace }}/artifacts/symbols-release
steps:
@@ -39,3 +39,4 @@ jobs:
name: symbols-release
path: ${{ env.ARTIFACT_DIR }}
retention-days: 14

5
.gitea/workflows/test-blast-radius.yml
View File

@@ -39,7 +39,7 @@ jobs:
validate:
name: Validate Annotations
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
has-violations: ${{ steps.validate.outputs.has_violations }}
violation-count: ${{ steps.validate.outputs.violation_count }}
@@ -205,7 +205,7 @@ jobs:
name: Post Report
needs: validate
if: github.event_name == 'pull_request' && needs.validate.outputs.has-violations == 'true'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
pull-requests: write
steps:
@@ -253,3 +253,4 @@ jobs:
issue_number: context.issue.number,
body: body
});

15
.gitea/workflows/test-infrastructure.yml
View File

@@ -45,7 +45,7 @@ jobs:
detect-changes:
name: Detect Changes
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
has-test-changes: ${{ steps.changes.outputs.tests }}
has-schema-changes: ${{ steps.changes.outputs.schema }}
@@ -109,7 +109,7 @@ jobs:
name: Blast-Radius Validation
needs: detect-changes
if: needs.detect-changes.outputs.has-test-changes == 'true' || inputs.run_all == true || github.event_name == 'schedule'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
status: ${{ steps.validate.outputs.status }}
violations: ${{ steps.validate.outputs.violation_count }}
@@ -156,7 +156,7 @@ jobs:
name: Dead-Path Detection
needs: detect-changes
if: needs.detect-changes.outputs.has-code-changes == 'true' || inputs.run_all == true || github.event_name == 'schedule'
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
status: ${{ steps.detect.outputs.status }}
new-paths: ${{ steps.detect.outputs.new_paths }}
@@ -213,7 +213,7 @@ jobs:
name: Schema Evolution Check
needs: detect-changes
if: needs.detect-changes.outputs.has-schema-changes == 'true' || inputs.run_all == true
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
services:
postgres:
image: postgres:16-alpine
@@ -274,7 +274,7 @@ jobs:
name: Config-Diff Check
needs: detect-changes
if: needs.detect-changes.outputs.has-config-changes == 'true' || inputs.run_all == true
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
status: ${{ steps.test.outputs.status }}
tested-configs: ${{ steps.test.outputs.tested }}
@@ -319,7 +319,7 @@ jobs:
name: Generate Report
needs: [detect-changes, blast-radius, dead-paths, schema-evolution, config-diff]
if: always()
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
steps:
- name: Generate Infrastructure Report
run: |
@@ -417,7 +417,7 @@ jobs:
name: Post PR Comment
needs: [report, blast-radius, dead-paths, schema-evolution, config-diff]
if: github.event_name == 'pull_request' && always()
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
pull-requests: write
steps:
@@ -504,3 +504,4 @@ jobs:
body: body
});
}

17
.gitea/workflows/test-lanes.yml
View File

@@ -38,7 +38,7 @@ jobs:
# ===========================================================================
unit-tests:
name: Unit Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 15
steps:
- name: Checkout repository
@@ -79,7 +79,7 @@ jobs:
# ===========================================================================
architecture-tests:
name: Architecture Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 10
steps:
- name: Checkout repository
@@ -121,7 +121,7 @@ jobs:
# ===========================================================================
contract-tests:
name: Contract Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 10
steps:
- name: Checkout repository
@@ -162,7 +162,7 @@ jobs:
# ===========================================================================
integration-tests:
name: Integration Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 30
steps:
- name: Checkout repository
@@ -205,7 +205,7 @@ jobs:
# ===========================================================================
security-tests:
name: Security Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 20
steps:
- name: Checkout repository
@@ -246,7 +246,7 @@ jobs:
# ===========================================================================
performance-tests:
name: Performance Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
timeout-minutes: 30
steps:
@@ -288,7 +288,7 @@ jobs:
# ===========================================================================
live-tests:
name: Live Tests (External Dependencies)
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_live == 'true'
timeout-minutes: 20
steps:
@@ -331,7 +331,7 @@ jobs:
# ===========================================================================
test-summary:
name: Test Results Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [unit-tests, architecture-tests, contract-tests, integration-tests, security-tests]
if: always()
steps:
@@ -356,3 +356,4 @@ jobs:
echo "" >> $GITHUB_STEP_SUMMARY
echo "See individual job logs for detailed test output." >> $GITHUB_STEP_SUMMARY

11
.gitea/workflows/test-matrix.yml
View File

@@ -73,7 +73,7 @@ jobs:
discover:
name: Discover Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
test-projects: ${{ steps.find.outputs.projects }}
test-count: ${{ steps.find.outputs.count }}
@@ -120,7 +120,7 @@ jobs:
pr-gating-tests:
name: ${{ matrix.category }} Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: ${{ matrix.timeout }}
needs: discover
strategy:
@@ -178,7 +178,7 @@ jobs:
integration:
name: Integration Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: 45
needs: discover
services:
@@ -229,7 +229,7 @@ jobs:
extended-tests:
name: ${{ matrix.category }} Tests
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
timeout-minutes: ${{ matrix.timeout }}
needs: discover
if: >-
@@ -321,7 +321,7 @@ jobs:
summary:
name: Test Summary
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [discover, pr-gating-tests, integration]
if: always()
steps:
@@ -372,3 +372,4 @@ jobs:
- name: Check for failures
if: contains(needs.*.result, 'failure')
run: exit 1

3
.gitea/workflows/unknowns-budget-gate.yml
View File

@@ -29,7 +29,7 @@ env:
jobs:
scan-and-check-budget:
runs-on: ubuntu-22.04
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
permissions:
contents: read
pull-requests: write
@@ -197,3 +197,4 @@ jobs:
if: steps.env.outputs.environment != 'prod' && steps.budget.outputs.exit_code == '2'
run: |
echo "::warning::Unknowns budget exceeded for ${{ steps.env.outputs.environment }}"