up

2025-12-09 00:20:52 +02:00
parent 3d01bf9edc
commit bc0762e97d
261 changed files with 14033 additions and 4427 deletions
--- a/.gitea/workflows/icscisa-kisa-refresh.yml
+++ b/.gitea/workflows/icscisa-kisa-refresh.yml
@@ -0,0 +1,68 @@
+name: ICS/KISA Feed Refresh
+
+on:
+  schedule:
+    - cron: '0 2 * * MON'
+  workflow_dispatch:
+    inputs:
+      live_fetch:
+        description: 'Attempt live RSS fetch (fallback to samples on failure)'
+        required: false
+        default: true
+        type: boolean
+      offline_snapshot:
+        description: 'Force offline samples only (no network)'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  refresh:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    env:
+      ICSCISA_FEED_URL: ${{ secrets.ICSCISA_FEED_URL }}
+      KISA_FEED_URL: ${{ secrets.KISA_FEED_URL }}
+      FEED_GATEWAY_HOST: concelier-webservice
+      FEED_GATEWAY_SCHEME: http
+      LIVE_FETCH: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.live_fetch || 'true' }}
+      OFFLINE_SNAPSHOT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.offline_snapshot || 'false' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set run metadata
+        id: meta
+        run: |
+          RUN_DATE=$(date -u +%Y%m%d)
+          RUN_ID="icscisa-kisa-$(date -u +%Y%m%dT%H%M%SZ)"
+          echo "run_date=$RUN_DATE" >> $GITHUB_OUTPUT
+          echo "run_id=$RUN_ID" >> $GITHUB_OUTPUT
+          echo "RUN_DATE=$RUN_DATE" >> $GITHUB_ENV
+          echo "RUN_ID=$RUN_ID" >> $GITHUB_ENV
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Run ICS/KISA refresh
+        run: |
+          python scripts/feeds/run_icscisa_kisa_refresh.py \
+            --out-dir out/feeds/icscisa-kisa \
+            --run-date "${{ steps.meta.outputs.run_date }}" \
+            --run-id "${{ steps.meta.outputs.run_id }}"
+
+      - name: Show fetch log
+        run: cat out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}/fetch.log
+
+      - name: Upload refresh artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: icscisa-kisa-${{ steps.meta.outputs.run_date }}
+          path: out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}
+          if-no-files-found: error
+          retention-days: 21
--- a/.gitea/workflows/mirror-sign.yml
+++ b/.gitea/workflows/mirror-sign.yml
@@ -46,6 +46,16 @@ jobs:
        run: |
          scripts/mirror/verify_thin_bundle.py out/mirror/thin/mirror-thin-v1.tar.gz

+      - name: Prepare Export Center handoff (metadata + optional schedule)
+        run: |
+          scripts/mirror/export-center-wire.sh
+        env:
+          EXPORT_CENTER_BASE_URL: ${{ secrets.EXPORT_CENTER_BASE_URL }}
+          EXPORT_CENTER_TOKEN: ${{ secrets.EXPORT_CENTER_TOKEN }}
+          EXPORT_CENTER_TENANT: ${{ secrets.EXPORT_CENTER_TENANT }}
+          EXPORT_CENTER_PROJECT: ${{ secrets.EXPORT_CENTER_PROJECT }}
+          EXPORT_CENTER_AUTO_SCHEDULE: ${{ secrets.EXPORT_CENTER_AUTO_SCHEDULE }}
+
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
@@ -57,5 +67,8 @@ jobs:
            out/mirror/thin/tuf/
            out/mirror/thin/oci/
            out/mirror/thin/milestone.json
+            out/mirror/thin/export-center/export-center-handoff.json
+            out/mirror/thin/export-center/export-center-targets.json
+            out/mirror/thin/export-center/schedule-response.json
          if-no-files-found: error
          retention-days: 14
--- a/.gitea/workflows/signals-dsse-sign.yml
+++ b/.gitea/workflows/signals-dsse-sign.yml
@@ -28,6 +28,8 @@ jobs:
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-01' }}
      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
+      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
+      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -90,9 +92,9 @@ jobs:
          retention-days: 90

      - name: Push to Evidence Locker
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
-          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
          tar -cf /tmp/signals-dsse.tar -C "$OUT_DIR" .
@@ -102,7 +104,7 @@ jobs:
          echo "Pushed to Evidence Locker"

      - name: Evidence Locker skip notice
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "::notice::Evidence Locker push skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
          echo "Artifacts available as workflow artifact for manual ingestion"
--- a/.gitea/workflows/signals-evidence-locker.yml
+++ b/.gitea/workflows/signals-evidence-locker.yml
@@ -2,6 +2,14 @@ name: signals-evidence-locker
 on:
  workflow_dispatch:
    inputs:
+      out_dir:
+        description: "Output directory containing signed artifacts"
+        required: false
+        default: "evidence-locker/signals/2025-12-05"
+      allow_dev_key:
+        description: "Allow dev key fallback (1=yes, 0=no)"
+        required: false
+        default: "0"
      retention_target:
        description: "Retention days target"
        required: false
@@ -12,7 +20,12 @@ jobs:
    runs-on: ubuntu-latest
    env:
      MODULE_ROOT: docs/modules/signals
-      OUT_DIR: evidence-locker/signals/2025-12-05
+      OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-05' }}
+      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
+      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -20,6 +33,21 @@ jobs:
      - name: Task Pack offline bundle fixtures
        run: python3 scripts/packs/run-fixtures-check.sh

+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.2.4'
+
+      - name: Verify artifacts exist
+        run: |
+          cd "$MODULE_ROOT"
+          sha256sum -c SHA256SUMS
+
+      - name: Sign signals artifacts
+        run: |
+          chmod +x tools/cosign/sign-signals.sh
+          OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
+
      - name: Build deterministic signals evidence tar
        run: |
          set -euo pipefail
@@ -52,16 +80,17 @@ jobs:
            /tmp/signals-evidence.tar.sha256

      - name: Push to Evidence Locker
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
-          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
-          curl -f -X PUT "$URL/signals/2025-12-05/signals-evidence.tar" \
+          upload_path="${OUT_DIR#evidence-locker/}"
+          curl -f -X PUT "$URL/${upload_path}/signals-evidence.tar" \
            -H "Authorization: Bearer $TOKEN" \
            --data-binary @/tmp/signals-evidence.tar

      - name: Skip push (missing secret or URL)
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2
--- a/.gitea/workflows/signals-reachability.yml
+++ b/.gitea/workflows/signals-reachability.yml
@@ -0,0 +1,117 @@
+name: Signals Reachability Scoring & Events
+
+on:
+  workflow_dispatch:
+    inputs:
+      allow_dev_key:
+        description: "Allow dev signing key fallback (1=yes, 0=no)"
+        required: false
+        default: "0"
+      evidence_out_dir:
+        description: "Evidence output dir for signing/upload"
+        required: false
+        default: "evidence-locker/signals/2025-12-05"
+  push:
+    branches: [ main ]
+    paths:
+      - 'src/Signals/**'
+      - 'scripts/signals/reachability-smoke.sh'
+      - '.gitea/workflows/signals-reachability.yml'
+      - 'tools/cosign/sign-signals.sh'
+
+jobs:
+  reachability-smoke:
+    runs-on: ubuntu-22.04
+    env:
+      DOTNET_NOLOGO: 1
+      DOTNET_CLI_TELEMETRY_OPTOUT: 1
+      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
+      TZ: UTC
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Task Pack offline bundle fixtures
+        run: python3 scripts/packs/run-fixtures-check.sh
+
+      - name: Setup .NET 10 RC
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Restore
+        run: dotnet restore src/Signals/StellaOps.Signals.sln --configfile nuget.config
+
+      - name: Build
+        run: dotnet build src/Signals/StellaOps.Signals.sln -c Release --no-restore
+
+      - name: Reachability scoring + cache/events smoke
+        run: |
+          chmod +x scripts/signals/reachability-smoke.sh
+          scripts/signals/reachability-smoke.sh
+
+  sign-and-upload:
+    runs-on: ubuntu-22.04
+    needs: reachability-smoke
+    env:
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
+      OUT_DIR: ${{ github.event.inputs.evidence_out_dir || 'evidence-locker/signals/2025-12-05' }}
+      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
+      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Task Pack offline bundle fixtures
+        run: python3 scripts/packs/run-fixtures-check.sh
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.2.4'
+
+      - name: Verify artifacts exist
+        run: |
+          cd docs/modules/signals
+          sha256sum -c SHA256SUMS
+
+      - name: Sign signals artifacts
+        run: |
+          chmod +x tools/cosign/sign-signals.sh
+          OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
+
+      - name: Upload signed artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: signals-evidence-${{ github.run_number }}
+          path: |
+            ${{ env.OUT_DIR }}/*.sigstore.json
+            ${{ env.OUT_DIR }}/*.dsse
+            ${{ env.OUT_DIR }}/SHA256SUMS
+          if-no-files-found: error
+          retention-days: 30
+
+      - name: Push to Evidence Locker
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        env:
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
+          URL: ${{ env.EVIDENCE_LOCKER_URL }}
+        run: |
+          tar -cf /tmp/signals-evidence.tar -C "$OUT_DIR" .
+          sha256sum /tmp/signals-evidence.tar
+          curl -f -X PUT "$URL/signals/$(date -u +%Y-%m-%d)/signals-evidence.tar" \
+            -H "Authorization: Bearer $TOKEN" \
+            --data-binary @/tmp/signals-evidence.tar
+          echo "Uploaded to Evidence Locker"
+
+      - name: Evidence Locker skip notice
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        run: |
+          echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
--- a/.gitea/workflows/sm-remote-ci.yml
+++ b/.gitea/workflows/sm-remote-ci.yml
@@ -0,0 +1,33 @@
+name: sm-remote-ci
+
+on:
+  push:
+    paths:
+      - "src/SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/**"
+      - "ops/sm-remote/**"
+      - ".gitea/workflows/sm-remote-ci.yml"
+  pull_request:
+    paths:
+      - "src/SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/**"
+      - "ops/sm-remote/**"
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: Restore
+        run: dotnet restore src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/StellaOps.Cryptography.Plugin.SmRemote.Tests.csproj
+      - name: Test
+        run: dotnet test src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/StellaOps.Cryptography.Plugin.SmRemote.Tests.csproj --no-build --verbosity normal
+      - name: Publish service
+        run: dotnet publish src/SmRemote/StellaOps.SmRemote.Service/StellaOps.SmRemote.Service.csproj -c Release -o out/sm-remote