stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
LNM Migration CI / build-runner (push) Has been cancelled
Details
Ledger OpenAPI CI / deprecation-check (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Ledger Packs CI / build-pack (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Ledger OpenAPI CI / validate-oas (push) Has been cancelled
Details
Ledger OpenAPI CI / check-wellknown (push) Has been cancelled
Details
Ledger Packs CI / verify-pack (push) Has been cancelled
Details
LNM Migration CI / validate-metrics (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-14 18:33:02 +02:00
parent d233fa3529
commit 2e70c9fdb6
51 changed files with 5958 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
ops/devops/aoc/backfill-release-plan.md Normal file
View File

@@ -0,0 +1,73 @@
# AOC Backfill Release Plan (DEVOPS-STORE-AOC-19-005-REL)
Scope: Release/offline-kit packaging for Concelier AOC backfill operations.
## Prerequisites
- Dataset hash from dev rehearsal (AOC-19-005 dev outputs)
- AOC guard tests passing (DEVOPS-AOC-19-001/002/003 - DONE)
- Supersedes rollout plan reviewed (ops/devops/aoc/supersedes-rollout.md)
## Artefacts
- Backfill runner bundle:
- `aoc-backfill-runner.tar.gz` - CLI tool + scripts
- `aoc-backfill-runner.sbom.json` - SPDX SBOM
- `aoc-backfill-runner.dsse.json` - Cosign attestation
- Dataset bundle:
- `aoc-dataset-{hash}.tar.gz` - Seeded dataset
- `aoc-dataset-{hash}.manifest.json` - Manifest with checksums
- `aoc-dataset-{hash}.provenance.json` - SLSA provenance
- Offline kit slice:
- All above + SHA256SUMS + verification scripts
## Packaging Script
```bash
# Production (CI with secrets)
./ops/devops/aoc/package-backfill-release.sh
# Development (dev key)
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
DATASET_HASH=dev-rehearsal-placeholder \
./ops/devops/aoc/package-backfill-release.sh
```
## Pipeline Outline
1) Build backfill runner from `src/Aoc/StellaOps.Aoc.Cli/`
2) Generate SBOM with syft
3) Sign with cosign (dev key fallback)
4) Package dataset (when hash available)
5) Create offline bundle with checksums
6) Verification:
- `stella aoc verify --dry-run`
- `cosign verify-blob` for all bundles
- `sha256sum --check`
7) Publish to release bucket + offline kit
## Runbook
1) Validate AOC guard tests pass in CI
2) Run dev rehearsal with test dataset
3) Capture dataset hash from rehearsal
4) Execute packaging script with production key
5) Verify all signatures and checksums
6) Upload to release bucket
7) Include in offline kit manifest
## CI Workflow
`.gitea/workflows/aoc-backfill-release.yml`
## Verification
```bash
# Verify bundle signatures
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle out/aoc/aoc-backfill-runner.dsse.json \
out/aoc/aoc-backfill-runner.tar.gz
# Verify checksums
cd out/aoc && sha256sum -c SHA256SUMS
```
## Owners
- DevOps Guild (pipeline + packaging)
- Concelier Storage Guild (dataset + backfill logic)
- Platform Security (signing policy)