up

2025-11-24 07:52:25 +02:00
parent 5970f0d9bd
commit 150b3730ef
215 changed files with 8119 additions and 740 deletions
--- a/scripts/cli/build-cli.sh
+++ b/scripts/cli/build-cli.sh
@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# DEVOPS-CLI-41-001: Build multi-platform CLI binaries with SBOM and checksums.
+
+RIDS="${RIDS:-linux-x64,win-x64,osx-arm64}"
+CONFIG="${CONFIG:-Release}"
+PROJECT="src/Cli/StellaOps.Cli/StellaOps.Cli.csproj"
+OUT_ROOT="out/cli"
+SBOM_TOOL="${SBOM_TOOL:-syft}" # syft|none
+SIGN="${SIGN:-false}"
+COSIGN_KEY="${COSIGN_KEY:-}"
+
+IFS=',' read -ra TARGETS <<< "$RIDS"
+
+mkdir -p "$OUT_ROOT"
+
+if ! command -v dotnet >/dev/null 2>&1; then
+  echo "[cli-build] dotnet CLI not found" >&2
+  exit 69
+fi
+
+generate_sbom() {
+  local dir="$1"
+  local sbom="$2"
+  if [[ "$SBOM_TOOL" == "syft" ]] && command -v syft >/dev/null 2>&1; then
+    syft "dir:${dir}" -o json > "$sbom"
+  fi
+}
+
+sign_file() {
+  local file="$1"
+  if [[ "$SIGN" == "true" && -n "$COSIGN_KEY" && -x "$(command -v cosign || true)" ]]; then
+    COSIGN_EXPERIMENTAL=1 cosign sign-blob --key "$COSIGN_KEY" --output-signature "${file}.sig" "$file"
+  fi
+}
+
+for rid in "${TARGETS[@]}"; do
+  echo "[cli-build] publishing for $rid"
+  out_dir="${OUT_ROOT}/${rid}"
+  publish_dir="${out_dir}/publish"
+  mkdir -p "$publish_dir"
+
+  dotnet publish "$PROJECT" -c "$CONFIG" -r "$rid" \
+    -o "$publish_dir" \
+    --self-contained true \
+    -p:PublishSingleFile=true \
+    -p:PublishTrimmed=false \
+    -p:DebugType=None \
+    >/dev/null
+
+  # Package
+  archive_ext="tar.gz"
+  archive_cmd=(tar -C "$publish_dir" -czf)
+  if [[ "$rid" == win-* ]]; then
+    archive_ext="zip"
+    archive_cmd=(zip -jr)
+  fi
+
+  archive_name="stella-cli-${rid}.${archive_ext}"
+  archive_path="${out_dir}/${archive_name}"
+  "${archive_cmd[@]}" "$archive_path" "$publish_dir"
+
+  sha256sum "$archive_path" > "${archive_path}.sha256"
+  sign_file "$archive_path"
+
+  # SBOM
+  generate_sbom "$publish_dir" "${archive_path}.sbom.json"
+done
+
+# Build manifest
+manifest="${OUT_ROOT}/manifest.json"
+cat > "$manifest" <<EOF
+{
+  "generated_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+  "config": "$CONFIG",
+  "rids": [$(printf '"%s",' "${TARGETS[@]}" | sed 's/,$//')],
+  "artifacts_root": "$OUT_ROOT"
+}
+EOF
+
+echo "[cli-build] artifacts in $OUT_ROOT"