test fixes and new product advisories work

2026-01-28 02:30:48 +02:00
parent 82caceba56
commit 644887997c
288 changed files with 69101 additions and 375 deletions
--- a/docs/releases/RELEASE_PROCESS.md
+++ b/docs/releases/RELEASE_PROCESS.md
@@ -213,9 +213,81 @@ For critical security fixes:

 ---

+## Release Evidence Pack
+
+Every release includes a **Release Evidence Pack** for customer verification and compliance.
+
+### Evidence Pack Contents
+
+| Component | Description |
+|-----------|-------------|
+| Artifacts | Release binaries and container references |
+| Checksums | SHA-256 and SHA-512 checksum files |
+| Signatures | Cosign signatures for all artifacts |
+| SBOMs | CycloneDX Software Bill of Materials |
+| Provenance | SLSA v1.0 provenance statements |
+| Rekor Proofs | Transparency log inclusion proofs |
+| Verification Scripts | `verify.sh` and `verify.ps1` |
+
+### Generation Workflow
+
+The evidence pack is generated by `.gitea/workflows/release-evidence-pack.yml`:
+
+1. **Verify Test Gates** - Ensures all test workflows passed
+2. **Generate Checksums** - Create SHA256SUMS and SHA512SUMS
+3. **Sign Artifacts** - Sign with cosign (keyless or key-based)
+4. **Generate SBOMs** - Create CycloneDX SBOMs per artifact
+5. **Generate Provenance** - Create SLSA v1.0 statements
+6. **Collect Rekor Proofs** - Fetch inclusion proofs from Rekor
+7. **Build Pack** - Assemble final evidence pack bundle
+8. **Self-Verify** - Run verify.sh to validate the pack
+
+### Manual Trigger
+
+```bash
+# Trigger evidence pack generation for a release
+gh workflow run release-evidence-pack.yml \
+  -f version=2.5.0 \
+  -f release_tag=v2.5.0
+```
+
+### Verification
+
+Customers can verify releases offline:
+
+```bash
+tar -xzf stella-release-2.5.0-evidence-pack.tgz
+cd stella-release-2.5.0-evidence-pack
+./verify.sh --verbose
+```
+
+See [Release Evidence Pack](./RELEASE_EVIDENCE_PACK.md) for detailed documentation.
+
+---
+
+## Reproducible Builds
+
+All release builds are reproducible using `SOURCE_DATE_EPOCH`:
+
+```bash
+# Set from git commit timestamp
+export SOURCE_DATE_EPOCH=$(git show -s --format=%ct HEAD)
+
+# Build with deterministic settings
+dotnet build -c Release /p:Deterministic=true /p:ContinuousIntegrationBuild=true
+```
+
+The CI verifies reproducibility by building twice and comparing checksums.
+
+See [Reproducible Builds](./REPRODUCIBLE_BUILDS.md) for details.
+
+---
+
 ## Post-Release Tasks

 - [ ] Verify artifacts in registry
+- [ ] Generate and publish Release Evidence Pack
+- [ ] Verify evidence pack passes self-verification
 - [ ] Update documentation site
 - [ ] Send release announcement
 - [ ] Update compatibility matrix