blocked 4

2025-11-23 17:53:41 +02:00
parent fc99092dec
commit c13355923f
22 changed files with 460 additions and 27 deletions
--- a/.gitea/workflows/mirror-sign.yml
+++ b/.gitea/workflows/mirror-sign.yml
@@ -0,0 +1,44 @@
+name: Mirror Thin Bundle Sign & Verify
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+
+jobs:
+  mirror-sign:
+    runs-on: ubuntu-22.04
+    env:
+      MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
+      REQUIRE_PROD_SIGNING: 1
+      OCI: 1
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100-rc.1.25451.107
+          include-prerelease: true
+
+      - name: Run mirror signing
+        run: |
+          set -euo pipefail
+          scripts/mirror/check_signing_prereqs.sh
+          scripts/mirror/ci-sign.sh
+
+      - name: Upload signed artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: mirror-thin-v1-signed
+          path: |
+            out/mirror/thin/mirror-thin-v1.tar.gz
+            out/mirror/thin/mirror-thin-v1.manifest.json
+            out/mirror/thin/mirror-thin-v1.manifest.dsse.json
+            out/mirror/thin/tuf/
+            out/mirror/thin/oci/
+          if-no-files-found: error
+          retention-days: 14