save checkpoint. addition features and their state. check some ofthem
This commit is contained in:
master
@@ -8,7 +8,9 @@ ARG GIT_SHA=0000000
|
||||
ARG SOURCE_DATE_EPOCH=0
|
||||
|
||||
FROM ${NODE_IMAGE} AS build
|
||||
ARG NODE_IMAGE
|
||||
WORKDIR /workspace
|
||||
RUN case "${NODE_IMAGE}" in *@sha256:*) ;; *) echo "NODE_IMAGE must be digest-pinned (@sha256:...)"; exit 86;; esac
|
||||
ENV CI=1 \
|
||||
SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
|
||||
COPY src/Web/StellaOps.Web/package.json src/Web/StellaOps.Web/package-lock.json ./
|
||||
@@ -17,10 +19,12 @@ COPY src/Web/StellaOps.Web/ ./
|
||||
RUN npm run build -- --configuration=production
|
||||
|
||||
FROM ${NGINX_IMAGE} AS runtime
|
||||
ARG NGINX_IMAGE
|
||||
ARG VERSION
|
||||
ARG CHANNEL
|
||||
ARG GIT_SHA
|
||||
WORKDIR /usr/share/nginx/html
|
||||
RUN case "${NGINX_IMAGE}" in *@sha256:*) ;; *) echo "NGINX_IMAGE must be digest-pinned (@sha256:...)"; exit 87;; esac
|
||||
RUN rm -rf ./*
|
||||
COPY --from=build /workspace/dist/stellaops-web/ /usr/share/nginx/html/
|
||||
COPY ops/devops/release/docker/nginx-default.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
@@ -11,10 +11,12 @@ ARG GIT_SHA=0000000
|
||||
ARG SOURCE_DATE_EPOCH=0
|
||||
|
||||
FROM ${SDK_IMAGE} AS build
|
||||
ARG SDK_IMAGE
|
||||
ARG PROJECT
|
||||
ARG GIT_SHA
|
||||
ARG SOURCE_DATE_EPOCH
|
||||
WORKDIR /src
|
||||
RUN case "${SDK_IMAGE}" in *@sha256:*) ;; *) echo "SDK_IMAGE must be digest-pinned (@sha256:...)"; exit 86;; esac
|
||||
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
|
||||
DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 \
|
||||
NUGET_XMLDOC_MODE=skip \
|
||||
@@ -33,11 +35,13 @@ RUN --mount=type=cache,target=/root/.nuget/packages \
|
||||
/p:TreatWarningsAsErrors=true
|
||||
|
||||
FROM ${RUNTIME_IMAGE} AS runtime
|
||||
ARG RUNTIME_IMAGE
|
||||
WORKDIR /app
|
||||
ARG ENTRYPOINT_DLL
|
||||
ARG VERSION
|
||||
ARG CHANNEL
|
||||
ARG GIT_SHA
|
||||
RUN case "${RUNTIME_IMAGE}" in *@sha256:*) ;; *) echo "RUNTIME_IMAGE must be digest-pinned (@sha256:...)"; exit 87;; esac
|
||||
ENV DOTNET_EnableDiagnostics=0 \
|
||||
ASPNETCORE_URLS=http://0.0.0.0:8080
|
||||
COPY --from=build /app/publish/ ./
|
||||
|
||||
@@ -583,6 +583,23 @@ run_dotnet_build() {
|
||||
return $result
|
||||
}
|
||||
|
||||
run_repro_policy_checks() {
|
||||
log_subsection "Repro Bundle Policy Checks"
|
||||
|
||||
local policy_script="$REPO_ROOT/devops/tools/verify-repro-bundle-policy.sh"
|
||||
if [[ ! -f "$policy_script" ]]; then
|
||||
log_error "Repro policy script not found: $policy_script"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [[ "$DRY_RUN" == "true" ]]; then
|
||||
log_info "[DRY-RUN] Would execute: bash \"$policy_script\""
|
||||
return 0
|
||||
fi
|
||||
|
||||
bash "$policy_script"
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# MODE IMPLEMENTATIONS
|
||||
# =============================================================================
|
||||
@@ -658,6 +675,7 @@ run_pr_mode() {
|
||||
|
||||
# Build .NET solution
|
||||
run_dotnet_build || return 1
|
||||
run_repro_policy_checks || return 1
|
||||
|
||||
# Run each .NET category
|
||||
if [[ -n "$SPECIFIC_CATEGORY" ]]; then
|
||||
|
||||
@@ -2,12 +2,34 @@
|
||||
set -euo pipefail
|
||||
|
||||
# DEVOPS-ATTEST-74-002: package attestation outputs into an offline bundle with checksums.
|
||||
# Determinism profile:
|
||||
# - fixed locale/timezone
|
||||
# - deterministic archive metadata/order
|
||||
# - digest pin checks for optional toolchain inputs
|
||||
|
||||
if [[ $# -lt 1 ]]; then
|
||||
echo "Usage: $0 <attest-dir> [bundle-out]" >&2
|
||||
exit 64
|
||||
fi
|
||||
|
||||
export LC_ALL=C
|
||||
export TZ=UTC
|
||||
|
||||
SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-0}
|
||||
if ! [[ "$SOURCE_DATE_EPOCH" =~ ^[0-9]+$ ]]; then
|
||||
echo "[attest-bundle] SOURCE_DATE_EPOCH must be an integer epoch value" >&2
|
||||
exit 64
|
||||
fi
|
||||
|
||||
# Enforce digest pinning when toolchain/build images are provided.
|
||||
for image_var in BUILDER_IMG TOOLCHAIN_IMAGE; do
|
||||
image_value=${!image_var:-}
|
||||
if [[ -n "$image_value" && "$image_value" != *@sha256:* ]]; then
|
||||
echo "[attest-bundle] ${image_var} must be digest-pinned (@sha256:...): ${image_value}" >&2
|
||||
exit 65
|
||||
fi
|
||||
done
|
||||
|
||||
ATTEST_DIR=$1
|
||||
BUNDLE_OUT=${2:-"out/attest-bundles"}
|
||||
|
||||
@@ -18,9 +40,9 @@ fi
|
||||
|
||||
mkdir -p "$BUNDLE_OUT"
|
||||
|
||||
TS=$(date -u +"%Y%m%dT%H%M%SZ")
|
||||
BUNDLE_NAME="attestation-bundle-${TS}"
|
||||
BUNDLE_NAME=${BUNDLE_NAME:-"attestation-bundle-${SOURCE_DATE_EPOCH}"}
|
||||
WORK_DIR="${BUNDLE_OUT}/${BUNDLE_NAME}"
|
||||
rm -rf "$WORK_DIR"
|
||||
mkdir -p "$WORK_DIR"
|
||||
|
||||
copy_if_exists() {
|
||||
@@ -44,20 +66,37 @@ copy_if_exists "*.crt"
|
||||
copy_if_exists "*.pem"
|
||||
copy_if_exists "*.json"
|
||||
|
||||
mapfile -t MANIFEST_FILES < <(find "$WORK_DIR" -maxdepth 1 -type f -printf "%f\n" | sort)
|
||||
FILES_JSON=$(printf '%s\n' "${MANIFEST_FILES[@]}" | jq -R . | jq -s .)
|
||||
|
||||
# Manifest
|
||||
cat > "${WORK_DIR}/manifest.json" <<EOF
|
||||
{
|
||||
"created_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
|
||||
"source_dir": "${ATTEST_DIR}",
|
||||
"files": $(ls -1 "${WORK_DIR}" | jq -R . | jq -s .)
|
||||
"created_at": "$(date -u -d "@${SOURCE_DATE_EPOCH}" +"%Y-%m-%dT%H:%M:%SZ")",
|
||||
"source_dir": "$(basename "${ATTEST_DIR}")",
|
||||
"source_date_epoch": ${SOURCE_DATE_EPOCH},
|
||||
"files": ${FILES_JSON}
|
||||
}
|
||||
EOF
|
||||
|
||||
find "$WORK_DIR" -type d -exec chmod 0755 {} +
|
||||
find "$WORK_DIR" -type f -exec chmod 0644 {} +
|
||||
|
||||
# Checksums
|
||||
(
|
||||
cd "$WORK_DIR"
|
||||
sha256sum * > SHA256SUMS
|
||||
find . -maxdepth 1 -type f -printf "%f\n" | sort | xargs -r sha256sum > SHA256SUMS
|
||||
)
|
||||
|
||||
tar -C "$BUNDLE_OUT" -czf "${WORK_DIR}.tgz" "${BUNDLE_NAME}"
|
||||
GZIP=-n tar \
|
||||
--sort=name \
|
||||
--mtime="@${SOURCE_DATE_EPOCH}" \
|
||||
--owner=0 \
|
||||
--group=0 \
|
||||
--numeric-owner \
|
||||
--pax-option=delete=atime,delete=ctime \
|
||||
-C "$BUNDLE_OUT" \
|
||||
-czf "${WORK_DIR}.tgz" \
|
||||
"${BUNDLE_NAME}"
|
||||
|
||||
echo "[attest-bundle] bundle created at ${WORK_DIR}.tgz"
|
||||
|
||||
76
devops/tools/verify-repro-bundle-policy.sh
Normal file
76
devops/tools/verify-repro-bundle-policy.sh
Normal file
@@ -0,0 +1,76 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# Verifies repro-bundle fail-closed policy controls:
|
||||
# - build-attestation-bundle.sh enforces digest-pinned images
|
||||
# - deterministic env defaults are present
|
||||
# - release Dockerfiles fail without @sha256 pinning
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
|
||||
|
||||
BUNDLE_SCRIPT="${REPO_ROOT}/devops/tools/build-attestation-bundle.sh"
|
||||
DOTNET_DOCKERFILE="${REPO_ROOT}/devops/release/docker/Dockerfile.dotnet-service"
|
||||
ANGULAR_DOCKERFILE="${REPO_ROOT}/devops/release/docker/Dockerfile.angular-ui"
|
||||
|
||||
fail() {
|
||||
echo "[repro-policy] $*" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
require_line() {
|
||||
local file=$1
|
||||
local pattern=$2
|
||||
if ! grep -Fq "$pattern" "$file"; then
|
||||
fail "Missing required pattern in ${file}: ${pattern}"
|
||||
fi
|
||||
}
|
||||
|
||||
[[ -f "${BUNDLE_SCRIPT}" ]] || fail "Missing script: ${BUNDLE_SCRIPT}"
|
||||
[[ -f "${DOTNET_DOCKERFILE}" ]] || fail "Missing Dockerfile: ${DOTNET_DOCKERFILE}"
|
||||
[[ -f "${ANGULAR_DOCKERFILE}" ]] || fail "Missing Dockerfile: ${ANGULAR_DOCKERFILE}"
|
||||
|
||||
bash -n "${BUNDLE_SCRIPT}"
|
||||
|
||||
require_line "${BUNDLE_SCRIPT}" "export LC_ALL=C"
|
||||
require_line "${BUNDLE_SCRIPT}" "export TZ=UTC"
|
||||
require_line "${BUNDLE_SCRIPT}" "SOURCE_DATE_EPOCH=\${SOURCE_DATE_EPOCH:-0}"
|
||||
require_line "${BUNDLE_SCRIPT}" "must be digest-pinned (@sha256:...)"
|
||||
|
||||
require_line "${DOTNET_DOCKERFILE}" 'RUN case "${SDK_IMAGE}" in *@sha256:*)'
|
||||
require_line "${DOTNET_DOCKERFILE}" 'RUN case "${RUNTIME_IMAGE}" in *@sha256:*)'
|
||||
require_line "${ANGULAR_DOCKERFILE}" 'RUN case "${NODE_IMAGE}" in *@sha256:*)'
|
||||
require_line "${ANGULAR_DOCKERFILE}" 'RUN case "${NGINX_IMAGE}" in *@sha256:*)'
|
||||
|
||||
tmp_dir="$(mktemp -d)"
|
||||
trap 'rm -rf "${tmp_dir}"' EXIT
|
||||
|
||||
attest_dir="${tmp_dir}/attest"
|
||||
bundle_out="${tmp_dir}/out"
|
||||
mkdir -p "${attest_dir}"
|
||||
printf '{"fixture":"ok"}\n' > "${attest_dir}/fixture.json"
|
||||
|
||||
# Positive path (pinned image)
|
||||
BUILDER_IMG='registry.example.org/build/my-builder@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' \
|
||||
SOURCE_DATE_EPOCH=0 \
|
||||
bash "${BUNDLE_SCRIPT}" "${attest_dir}" "${bundle_out}" > /dev/null
|
||||
|
||||
[[ -f "${bundle_out}/attestation-bundle-0.tgz" ]] || fail "Expected deterministic bundle archive was not created"
|
||||
|
||||
# Negative path (unpinned image must fail closed with exit 65)
|
||||
set +e
|
||||
BUILDER_IMG='registry.example.org/build/my-builder:latest' \
|
||||
SOURCE_DATE_EPOCH=0 \
|
||||
bash "${BUNDLE_SCRIPT}" "${attest_dir}" "${bundle_out}" > "${tmp_dir}/negative.out" 2> "${tmp_dir}/negative.err"
|
||||
status=$?
|
||||
set -e
|
||||
|
||||
if [[ ${status} -ne 65 ]]; then
|
||||
fail "Expected unpinned image run to fail with exit 65, got ${status}"
|
||||
fi
|
||||
|
||||
if ! grep -Fq "must be digest-pinned" "${tmp_dir}/negative.err"; then
|
||||
fail "Expected digest pinning failure message was not emitted"
|
||||
fi
|
||||
|
||||
echo "[repro-policy] PASS"
|
||||
Reference in New Issue
Block a user