up

2025-12-07 23:38:50 +02:00
parent 68bc53a07b
commit 3d01bf9edc
49 changed files with 8269 additions and 1728 deletions
--- a/.gitea/workflows/risk-bundle-ci.yml
+++ b/.gitea/workflows/risk-bundle-ci.yml
@@ -0,0 +1,198 @@
+name: Risk Bundle CI
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
+      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
+      - 'ops/devops/risk-bundle/**'
+      - '.gitea/workflows/risk-bundle-ci.yml'
+      - 'docs/modules/export-center/operations/risk-bundle-*.md'
+  pull_request:
+    branches: [ main, develop ]
+    paths:
+      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
+      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
+      - 'ops/devops/risk-bundle/**'
+      - '.gitea/workflows/risk-bundle-ci.yml'
+      - 'docs/modules/export-center/operations/risk-bundle-*.md'
+  workflow_dispatch:
+    inputs:
+      include_osv:
+        description: 'Include OSV providers (larger bundle)'
+        type: boolean
+        default: false
+      publish_checksums:
+        description: 'Publish checksums to artifact store'
+        type: boolean
+        default: true
+
+jobs:
+  risk-bundle-build:
+    runs-on: ubuntu-22.04
+    env:
+      DOTNET_VERSION: '10.0.100'
+      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
+      BUNDLE_OUTPUT: ${{ github.workspace }}/.artifacts/risk-bundle
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Export OpenSSL 1.1 shim for Mongo2Go
+        run: scripts/enable-openssl11-shim.sh
+
+      - name: Set up .NET SDK
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+          include-prerelease: true
+
+      - name: Restore
+        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj
+
+      - name: Build
+        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj -c Release /p:ContinuousIntegrationBuild=true
+
+      - name: Test RiskBundle unit tests
+        run: |
+          mkdir -p $ARTIFACT_DIR
+          dotnet test src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj \
+            -c Release \
+            --filter "FullyQualifiedName~RiskBundle" \
+            --logger "trx;LogFileName=risk-bundle-tests.trx" \
+            --results-directory $ARTIFACT_DIR
+
+      - name: Build risk bundle (fixtures)
+        run: |
+          mkdir -p $BUNDLE_OUTPUT
+          ops/devops/risk-bundle/build-bundle.sh --output "$BUNDLE_OUTPUT" --fixtures-only
+
+      - name: Verify bundle integrity
+        run: ops/devops/risk-bundle/verify-bundle.sh "$BUNDLE_OUTPUT/risk-bundle.tar.gz"
+
+      - name: Generate checksums
+        run: |
+          cd $BUNDLE_OUTPUT
+          sha256sum risk-bundle.tar.gz > risk-bundle.tar.gz.sha256
+          sha256sum manifest.json > manifest.json.sha256
+          cat risk-bundle.tar.gz.sha256 manifest.json.sha256 > checksums.txt
+          echo "Bundle checksums:"
+          cat checksums.txt
+
+      - name: Upload risk bundle artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: risk-bundle-artifacts
+          path: |
+            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz
+            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz.sig
+            ${{ env.BUNDLE_OUTPUT }}/manifest.json
+            ${{ env.BUNDLE_OUTPUT }}/checksums.txt
+            ${{ env.ARTIFACT_DIR }}/*.trx
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: risk-bundle-test-results
+          path: ${{ env.ARTIFACT_DIR }}/*.trx
+
+  risk-bundle-offline-kit:
+    runs-on: ubuntu-22.04
+    needs: risk-bundle-build
+    env:
+      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
+      OFFLINE_KIT_DIR: ${{ github.workspace }}/.artifacts/offline-kit
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download risk bundle artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: risk-bundle-artifacts
+          path: ${{ env.ARTIFACT_DIR }}
+
+      - name: Package for offline kit
+        run: |
+          mkdir -p $OFFLINE_KIT_DIR/risk-bundles
+          cp $ARTIFACT_DIR/risk-bundle.tar.gz $OFFLINE_KIT_DIR/risk-bundles/
+          cp $ARTIFACT_DIR/risk-bundle.tar.gz.sig $OFFLINE_KIT_DIR/risk-bundles/ 2>/dev/null || true
+          cp $ARTIFACT_DIR/manifest.json $OFFLINE_KIT_DIR/risk-bundles/
+          cp $ARTIFACT_DIR/checksums.txt $OFFLINE_KIT_DIR/risk-bundles/
+
+          # Create offline kit manifest entry
+          cat > $OFFLINE_KIT_DIR/risk-bundles/kit-manifest.json <<EOF
+          {
+            "component": "risk-bundle",
+            "version": "$(date -u +%Y%m%d-%H%M%S)",
+            "files": [
+              {"path": "risk-bundle.tar.gz", "checksum_file": "risk-bundle.tar.gz.sha256"},
+              {"path": "manifest.json", "checksum_file": "manifest.json.sha256"}
+            ],
+            "verification": {
+              "checksums": "checksums.txt",
+              "signature": "risk-bundle.tar.gz.sig"
+            }
+          }
+          EOF
+
+      - name: Verify offline kit structure
+        run: |
+          echo "Offline kit structure:"
+          find $OFFLINE_KIT_DIR -type f
+          echo ""
+          echo "Checksum verification:"
+          cd $OFFLINE_KIT_DIR/risk-bundles
+          sha256sum -c checksums.txt
+
+      - name: Upload offline kit
+        uses: actions/upload-artifact@v4
+        with:
+          name: risk-bundle-offline-kit
+          path: ${{ env.OFFLINE_KIT_DIR }}
+
+  publish-checksums:
+    runs-on: ubuntu-22.04
+    needs: risk-bundle-build
+    if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event.inputs.publish_checksums == 'true')
+    env:
+      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download risk bundle artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: risk-bundle-artifacts
+          path: ${{ env.ARTIFACT_DIR }}
+
+      - name: Publish checksums
+        run: |
+          echo "Publishing checksums for risk bundle..."
+          CHECKSUM_DIR=out/checksums/risk-bundle/$(date -u +%Y-%m-%d)
+          mkdir -p $CHECKSUM_DIR
+          cp $ARTIFACT_DIR/checksums.txt $CHECKSUM_DIR/
+          cp $ARTIFACT_DIR/manifest.json $CHECKSUM_DIR/
+
+          # Create latest symlink manifest
+          cat > out/checksums/risk-bundle/latest.json <<EOF
+          {
+            "date": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+            "path": "$(date -u +%Y-%m-%d)/checksums.txt",
+            "manifest": "$(date -u +%Y-%m-%d)/manifest.json"
+          }
+          EOF
+
+          echo "Checksums published to $CHECKSUM_DIR"
+          cat $CHECKSUM_DIR/checksums.txt
+
+      - name: Upload published checksums
+        uses: actions/upload-artifact@v4
+        with:
+          name: risk-bundle-published-checksums
+          path: out/checksums/risk-bundle/