stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

tests pipeline run attempt

Browse Source
This commit is contained in:
master
2026-02-01 21:58:00 +02:00
parent 89befce20f
commit a53edd1e48
122 changed files with 274 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

252
.gitea/workflows-archived/release.yml Normal file
View File

@@ -0,0 +1,252 @@
# .gitea/workflows/release.yml
# Deterministic release pipeline producing signed images, SBOMs, provenance, and manifest
name: Release Bundle
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: 'Release version (overrides tag, e.g. 2025.10.0-edge)'
required: false
type: string
channel:
description: 'Release channel (edge|stable|lts)'
required: false
default: 'edge'
type: choice
options:
- edge
- stable
- lts
calendar:
description: 'Calendar tag (YYYY.MM) - optional override'
required: false
type: string
push_images:
description: 'Push container images to registry'
required: false
default: true
type: boolean
jobs:
build-release:
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
env:
DOTNET_VERSION: '10.0.100'
REGISTRY: registry.stella-ops.org
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 .gitea/scripts/test/run-fixtures-check.sh
- name: Validate NuGet restore source ordering
run: python3 devops/validate_restore_sources.py
- name: Validate telemetry storage configuration
run: python3 devops/telemetry/validate_storage_stack.py
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up Node.js 20
uses: actions/setup-node@v4
with:
node-version: '20.14.0'
- name: Set up .NET SDK
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
include-prerelease: true
- name: Install cross-arch objcopy tooling
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends binutils-aarch64-linux-gnu
- name: Publish Python analyzer plug-in
run: |
set -euo pipefail
dotnet publish src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
--configuration Release \
--output out/analyzers/python \
--no-self-contained
mkdir -p plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python
cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.dll plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/
if [ -f out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb ]; then
cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/
fi
- name: Run Python analyzer smoke checks
run: |
dotnet run \
--project tools/LanguageAnalyzerSmoke/LanguageAnalyzerSmoke.csproj \
--configuration Release \
-- \
--repo-root .
# Note: this step enforces DEVOPS-REL-14-004 by signing the restart-only Python plug-in.
# Ensure COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN is configured, otherwise the job will fail.
- name: Sign Python analyzer artefacts
env:
COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }}
run: |
set -euo pipefail
if [[ -z "${COSIGN_KEY_REF:-}" && -z "${COSIGN_IDENTITY_TOKEN:-}" ]]; then
echo "::error::COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN must be provided to sign analyzer artefacts." >&2
exit 1
fi
export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"
export COSIGN_EXPERIMENTAL=1
PLUGIN_DIR="plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python"
ARTIFACTS=(
"StellaOps.Scanner.Analyzers.Lang.Python.dll"
"manifest.json"
)
for artifact in "${ARTIFACTS[@]}"; do
FILE="${PLUGIN_DIR}/${artifact}"
if [[ ! -f "${FILE}" ]]; then
echo "::error::Missing analyzer artefact ${FILE}" >&2
exit 1
fi
sha256sum "${FILE}" | awk '{print $1}' > "${FILE}.sha256"
SIGN_ARGS=(--yes "${FILE}")
if [[ -n "${COSIGN_KEY_REF:-}" ]]; then
SIGN_ARGS=(--key "${COSIGN_KEY_REF}" "${SIGN_ARGS[@]}")
fi
if [[ -n "${COSIGN_IDENTITY_TOKEN:-}" ]]; then
SIGN_ARGS=(--identity-token "${COSIGN_IDENTITY_TOKEN}" "${SIGN_ARGS[@]}")
fi
cosign sign-blob "${SIGN_ARGS[@]}" > "${FILE}.sig"
done
- name: Install Helm 3.16.0
run: |
curl -fsSL https://get.helm.sh/helm-v3.16.0-linux-amd64.tar.gz -o /tmp/helm.tgz
tar -xzf /tmp/helm.tgz -C /tmp
sudo install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
- name: Install Cosign
uses: sigstore/cosign-installer@v3.4.0
- name: Install Syft
run: |
set -euo pipefail
SYFT_VERSION="v1.21.0"
curl -fsSL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" -o /tmp/syft.tgz
tar -xzf /tmp/syft.tgz -C /tmp
sudo install -m 0755 /tmp/syft /usr/local/bin/syft
- name: Determine release metadata
id: meta
run: |
set -euo pipefail
RAW_VERSION="${{ github.ref_name }}"
if [[ "${{ github.event_name }}" != "push" ]]; then
RAW_VERSION="${{ github.event.inputs.version }}"
fi
if [[ -z "$RAW_VERSION" ]]; then
echo "::error::Release version not provided" >&2
exit 1
fi
VERSION="${RAW_VERSION#v}"
CHANNEL="${{ github.event.inputs.channel || '' }}"
if [[ -z "$CHANNEL" ]]; then
CHANNEL="edge"
fi
CALENDAR_INPUT="${{ github.event.inputs.calendar || '' }}"
if [[ -z "$CALENDAR_INPUT" ]]; then
YEAR=$(echo "$VERSION" | awk -F'.' '{print $1}')
MONTH=$(echo "$VERSION" | awk -F'.' '{print $2}')
if [[ -n "$YEAR" && -n "$MONTH" ]]; then
CALENDAR_INPUT="$YEAR.$MONTH"
else
CALENDAR_INPUT=$(date -u +'%Y.%m')
fi
fi
PUSH_INPUT="${{ github.event.inputs.push_images || '' }}"
if [[ "${{ github.event_name }}" == "push" ]]; then
PUSH_INPUT="true"
elif [[ -z "$PUSH_INPUT" ]]; then
PUSH_INPUT="true"
fi
if [[ "$PUSH_INPUT" == "false" || "$PUSH_INPUT" == "0" ]]; then
PUSH_FLAG="false"
else
PUSH_FLAG="true"
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "channel=$CHANNEL" >> "$GITHUB_OUTPUT"
echo "calendar=$CALENDAR_INPUT" >> "$GITHUB_OUTPUT"
echo "push=$PUSH_FLAG" >> "$GITHUB_OUTPUT"
- name: Enforce CLI parity gate
run: |
python3 .gitea/scripts/release/check_cli_parity.py
- name: Log in to registry
if: steps.meta.outputs.push == 'true'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Prepare release output directory
run: |
rm -rf out/release
mkdir -p out/release
- name: Build release bundle
# NOTE (DEVOPS-REL-17-004): build_release.py now fails if out/release/debug is missing
env:
COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }}
run: |
set -euo pipefail
EXTRA_ARGS=()
if [[ "${{ steps.meta.outputs.push }}" != "true" ]]; then
EXTRA_ARGS+=("--no-push")
fi
./.gitea/scripts/release/build_release.py \
--version "${{ steps.meta.outputs.version }}" \
--channel "${{ steps.meta.outputs.channel }}" \
--calendar "${{ steps.meta.outputs.calendar }}" \
--git-sha "${{ github.sha }}" \
"${EXTRA_ARGS[@]}"
- name: Verify release artefacts
run: |
python .gitea/scripts/release/verify_release.py --release-dir out/release
- name: Upload release artefacts
uses: actions/upload-artifact@v4
with:
name: stellaops-release-${{ steps.meta.outputs.version }}
path: out/release
if-no-files-found: error
- name: Upload debug artefacts (build-id store)
uses: actions/upload-artifact@v4
with:
name: stellaops-debug-${{ steps.meta.outputs.version }}
path: out/release/debug
if-no-files-found: error