up

2025-12-14 18:33:02 +02:00
parent d233fa3529
commit 2e70c9fdb6
51 changed files with 5958 additions and 75 deletions
--- a/ops/deployment/advisory-ai/README.md
+++ b/ops/deployment/advisory-ai/README.md
@@ -63,7 +63,29 @@ docker compose --env-file prod.env \
   - Check queue directories under `advisory-ai-*` volumes remain writable
   - Confirm inference path logs when GPU is detected (log key `advisory.ai.inference.gpu=true`).

+## Advisory Feed Packaging (DEVOPS-AIAI-31-002)
+
+Package advisory feeds (SBOM pointers + provenance) for release/offline kit:
+
+```bash
+# Production (CI with COSIGN_PRIVATE_KEY_B64 secret)
+./ops/deployment/advisory-ai/package-advisory-feeds.sh
+
+# Development (uses tools/cosign/cosign.dev.key)
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  ./ops/deployment/advisory-ai/package-advisory-feeds.sh
+```
+
+Outputs:
+- `out/advisory-ai/feeds/advisory-feeds.tar.gz` - Feed bundle
+- `out/advisory-ai/feeds/advisory-feeds.manifest.json` - Manifest with SBOM pointers
+- `out/advisory-ai/feeds/advisory-feeds.manifest.dsse.json` - DSSE signed manifest
+- `out/advisory-ai/feeds/provenance.json` - Build provenance
+
+CI workflow: `.gitea/workflows/advisory-ai-release.yml`
+
 ## Evidence to attach (sprint)
 - Helm release output (rendered templates for advisory AI)
 - `docker-compose config` with/without GPU overlay
 - Offline kit metadata listing advisory AI images + SBOMs
+- Advisory feed package manifest with SBOM pointers