Refactor and enhance scanner worker functionality

- Cleaned up code formatting and organization across multiple files for improved readability. - Introduced `OsScanAnalyzerDispatcher` to handle OS analyzer execution and plugin loading. - Updated `ScanJobContext` to include an `Analysis` property for storing scan results. - Enhanced `ScanJobProcessor` to utilize the new `OsScanAnalyzerDispatcher`. - Improved logging and error handling in `ScanProgressReporter` for better traceability. - Updated project dependencies and added references to new analyzer plugins. - Revised task documentation to reflect current status and dependencies.
2025-10-19 18:34:15 +03:00
parent daa6a4ae8c
commit 7e2fa0a42a
59 changed files with 5563 additions and 2288 deletions
--- a/.gitea/workflows/build-test-deploy.yml
+++ b/.gitea/workflows/build-test-deploy.yml
@@ -35,7 +35,22 @@ env:
  CI_CACHE_ROOT: /data/.cache/stella-ops/feedser
  RUNNER_TOOL_CACHE: /toolcache

-jobs:
+jobs:
+  profile-validation:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        run: |
+          curl -fsSL https://get.helm.sh/helm-v3.16.0-linux-amd64.tar.gz -o /tmp/helm.tgz
+          tar -xzf /tmp/helm.tgz -C /tmp
+          sudo install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
+
+      - name: Validate deployment profiles
+        run: ./deploy/tools/validate-profiles.sh
+
  build-test:
    runs-on: ubuntu-22.04
    environment: ${{ github.event_name == 'pull_request' && 'preview' || 'staging' }}
@@ -61,15 +76,82 @@ jobs:
      - name: Build solution (warnings as errors)
        run: dotnet build src/StellaOps.Feedser.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror

-      - name: Run unit and integration tests
-        run: |
-          mkdir -p "$TEST_RESULTS_DIR"
-          dotnet test src/StellaOps.Feedser.sln \
-            --configuration $BUILD_CONFIGURATION \
-            --no-build \
-            --logger "trx;LogFileName=stellaops-feedser-tests.trx" \
-            --results-directory "$TEST_RESULTS_DIR"
-
+      - name: Run unit and integration tests
+        run: |
+          mkdir -p "$TEST_RESULTS_DIR"
+          dotnet test src/StellaOps.Feedser.sln \
+            --configuration $BUILD_CONFIGURATION \
+            --no-build \
+            --logger "trx;LogFileName=stellaops-feedser-tests.trx" \
+            --results-directory "$TEST_RESULTS_DIR"
+
+      - name: Publish BuildX SBOM generator
+        run: |
+          dotnet publish src/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \
+            --configuration $BUILD_CONFIGURATION \
+            --output out/buildx
+
+      - name: Verify BuildX descriptor determinism
+        run: |
+          dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
+            --manifest out/buildx \
+            --cas out/cas
+
+          cat <<'JSON' > out/buildx-sbom.cdx.json
+{"bomFormat":"CycloneDX","specVersion":"1.5"}
+JSON
+
+          dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \
+            --manifest out/buildx \
+            --image sha256:5c2c5bfe0d4d77f1a0f9866fd415dd8da5b62af05d7c3d4b53f28de3ebef0101 \
+            --sbom out/buildx-sbom.cdx.json \
+            --sbom-name buildx-sbom.cdx.json \
+            --artifact-type application/vnd.stellaops.sbom.layer+json \
+            --sbom-format cyclonedx-json \
+            --sbom-kind inventory \
+            --repository ${{ github.repository }} \
+            --build-ref ${{ github.sha }} \
+            > out/buildx-descriptor.json
+
+          dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \
+            --manifest out/buildx \
+            --image sha256:5c2c5bfe0d4d77f1a0f9866fd415dd8da5b62af05d7c3d4b53f28de3ebef0101 \
+            --sbom out/buildx-sbom.cdx.json \
+            --sbom-name buildx-sbom.cdx.json \
+            --artifact-type application/vnd.stellaops.sbom.layer+json \
+            --sbom-format cyclonedx-json \
+            --sbom-kind inventory \
+            --repository ${{ github.repository }} \
+            --build-ref ${{ github.sha }} \
+            > out/buildx-descriptor-repeat.json
+
+          python - <<'PY'
+import json, sys
+from pathlib import Path
+
+def normalize(path: str) -> dict:
+    data = json.loads(Path(path).read_text(encoding='utf-8'))
+    data.pop('generatedAt', None)
+    return data
+
+baseline = normalize('out/buildx-descriptor.json')
+repeat = normalize('out/buildx-descriptor-repeat.json')
+
+if baseline != repeat:
+    sys.exit('BuildX descriptor output changed between runs.')
+PY
+
+      - name: Upload BuildX determinism artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: buildx-determinism
+          path: |
+            out/buildx-descriptor.json
+            out/buildx-descriptor-repeat.json
+            out/buildx-sbom.cdx.json
+          if-no-files-found: error
+          retention-days: 7
+
      - name: Publish Feedser web service
        run: |
          mkdir -p "$PUBLISH_DIR"