StellaOps Bot
2025-12-09 00:20:52 +02:00
parent 3d01bf9edc
commit bc0762e97d
261 changed files with 14033 additions and 4427 deletions

@@ -11,21 +11,24 @@ Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:
## CI Automated Signing
The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing.
- `.gitea/workflows/signals-dsse-sign.yml` ƒ?" DSSE signing of decay/unknowns/heuristics on push or manual dispatch.
- `.gitea/workflows/signals-reachability.yml` ƒ?" reachability smoke (SIGNALS-24-004/005), DSSE signing, and optional Evidence Locker upload.
- `.gitea/workflows/signals-evidence-locker.yml` ƒ?" production re-sign + deterministic tar upload; defaults to `evidence-locker/signals/2025-12-05`.
### Prerequisites (CI Secrets)
| Secret | Description |
### Prerequisites (CI Secrets or Repo Vars)
| Secret/Var | Description |
|--------|-------------|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push (optional) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push |
| `EVIDENCE_LOCKER_URL` | Base URL for locker PUT (e.g., `https://locker.example.com`) |
### Trigger
- **Automatic**: Push to `main` affecting `docs/modules/signals/**` or `tools/cosign/sign-signals.sh`
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing
- **Automatic**: Push to `main` affecting `docs/modules/signals/**`, `tools/cosign/sign-signals.sh`, or Signals sources (reachability workflow).
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing; `out_dir` input defaults to `evidence-locker/signals/2025-12-05`.
### Output
Signed artifacts uploaded as workflow artifact `signals-dsse-signed-{run}` and optionally pushed to Evidence Locker.
Signed artifacts uploaded as workflow artifacts and, when secrets/vars are present, pushed to Evidence Locker. Evidence tar SHA256 is emitted in job logs.
## Development Signing (Local Testing)
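Review bot: the Prerequisites table in this hunk no longer marks any row as optional, while the rewritten Output line says the Evidence Locker push happens only "when secrets/vars are present"; `CI_EVIDENCE_LOCKER_TOKEN` lost its "(optional)" marker and the new `EVIDENCE_LOCKER_URL` row has none, so a reader cannot tell which values gate the upload. Suggest marking each row required/optional and stating which entries are secrets and which are repo vars, since the new "Secret/Var" heading blurs a distinction the old "Secret" heading made (the token should stay a secret; a locker URL held as a plain repo var can be edited by anyone with write access, which is worth a sentence), e.g. `| `CI_EVIDENCE_LOCKER_TOKEN` | Secret: token for Evidence Locker push (optional; upload skipped when unset) |`. The Output section should also say whether a missing URL or token fails the job or silently skips the push, because a silently skipped upload of signed evidence is easy to miss, and it should say where the emitted evidence tar SHA256 is recorded beyond the job log so it can be checked against what the locker received.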