up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
This commit is contained in:
StellaOps Bot
86
.gitea/workflows/policy-simulate.yml
Normal file
86
.gitea/workflows/policy-simulate.yml
Normal file
@@ -0,0 +1,86 @@
|
||||
name: Policy Simulation
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- 'docs/policy/**'
|
||||
- 'docs/examples/policies/**'
|
||||
- 'scripts/policy/**'
|
||||
- '.gitea/workflows/policy-simulate.yml'
|
||||
push:
|
||||
branches: [ main ]
|
||||
paths:
|
||||
- 'docs/policy/**'
|
||||
- 'docs/examples/policies/**'
|
||||
- 'scripts/policy/**'
|
||||
- '.gitea/workflows/policy-simulate.yml'
|
||||
|
||||
jobs:
|
||||
policy-simulate:
|
||||
runs-on: ubuntu-22.04
|
||||
env:
|
||||
DOTNET_NOLOGO: 1
|
||||
DOTNET_CLI_TELEMETRY_OPTOUT: 1
|
||||
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
|
||||
TZ: UTC
|
||||
THRESHOLD: 0
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setup .NET 10 RC
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: 10.0.100-rc.2.25502.107
|
||||
include-prerelease: true
|
||||
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@v3.4.0
|
||||
|
||||
- name: Cache NuGet packages
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: |
|
||||
~/.nuget/packages
|
||||
local-nugets/packages
|
||||
key: policy-sim-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
|
||||
- name: Restore CLI
|
||||
run: |
|
||||
dotnet restore src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configfile nuget.config
|
||||
|
||||
- name: Generate policy signing key (ephemeral)
|
||||
run: |
|
||||
OUT_DIR=out/policy-sign/keys PREFIX=ci-policy COSIGN_PASSWORD= scripts/policy/rotate-key.sh
|
||||
|
||||
- name: Sign sample policy blob
|
||||
run: |
|
||||
export COSIGN_KEY_B64=$(base64 -w0 out/policy-sign/keys/ci-policy-cosign.key)
|
||||
COSIGN_PASSWORD= \
|
||||
scripts/policy/sign-policy.sh --file docs/examples/policies/baseline.stella --out-dir out/policy-sign
|
||||
|
||||
- name: Attest and verify sample policy blob
|
||||
run: |
|
||||
export COSIGN_KEY_B64=$(base64 -w0 out/policy-sign/keys/ci-policy-cosign.key)
|
||||
COSIGN_PASSWORD= \
|
||||
scripts/policy/attest-verify.sh --file docs/examples/policies/baseline.stella --out-dir out/policy-sign
|
||||
|
||||
- name: Run batch policy simulation
|
||||
run: |
|
||||
scripts/policy/batch-simulate.sh
|
||||
|
||||
- name: Upload simulation artifacts
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: policy-simulation
|
||||
path: out/policy-sim
|
||||
retention-days: 7
|
||||
|
||||
- name: Upload signing artifacts
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: policy-signing
|
||||
path: out/policy-sign
|
||||
retention-days: 7
|
||||
Reference in New Issue
Block a user