feat: Add Promotion-Time Attestations for Stella Ops

- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations. - Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof. - Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration. - Added verification steps for auditors to validate promotion attestations offline. feat: Create Symbol Manifest v1 Specification - Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps. - Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance. - Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation. - Included security considerations and related tasks for implementation. chore: Add Ruby Analyzer with Git Sources - Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem. - Implemented main application logic to utilize the defined gems and output their versions. - Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities. - Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations. test: Add tests for Ruby Analyzer - Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output. - Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.
2025-11-11 15:30:22 +02:00
parent 56c687253f
commit c2c6b58b41
56 changed files with 2305 additions and 198 deletions
--- a/ops/offline-kit/pycache/build_offline_kit.cpython-312.pyc
+++ b/ops/offline-kit/pycache/build_offline_kit.cpython-312.pyc
--- a/ops/offline-kit/pycache/mirror_debug_store.cpython-312.pyc
+++ b/ops/offline-kit/pycache/mirror_debug_store.cpython-312.pyc
--- a/ops/offline-kit/pycache/test_build_offline_kit.cpython-312.pyc
+++ b/ops/offline-kit/pycache/test_build_offline_kit.cpython-312.pyc
--- a/ops/offline-kit/build_offline_kit.py
+++ b/ops/offline-kit/build_offline_kit.py
@@ -205,6 +205,36 @@ def copy_bootstrap_configs(staging_dir: Path) -> None:
    copy_if_exists(notify_doc, notify_bootstrap_dir / "README.md")


+def verify_required_seed_data(repo_root: Path) -> None:
+    ruby_git_sources = repo_root / "seed-data" / "analyzers" / "ruby" / "git-sources"
+    if not ruby_git_sources.is_dir():
+        raise FileNotFoundError(f"Missing Ruby git-sources seed directory: {ruby_git_sources}")
+
+    required_files = [
+        ruby_git_sources / "Gemfile.lock",
+        ruby_git_sources / "expected.json",
+    ]
+    for path in required_files:
+        if not path.exists():
+            raise FileNotFoundError(f"Offline kit seed artefact missing: {path}")
+
+
+def copy_third_party_licenses(staging_dir: Path) -> None:
+    licenses_src = REPO_ROOT / "third-party-licenses"
+    if not licenses_src.is_dir():
+        return
+
+    target_dir = staging_dir / "third-party-licenses"
+    target_dir.mkdir(parents=True, exist_ok=True)
+
+    entries = sorted(licenses_src.iterdir(), key=lambda entry: entry.name.lower())
+    for entry in entries:
+        if entry.is_dir():
+            shutil.copytree(entry, target_dir / entry.name, dirs_exist_ok=True)
+        elif entry.is_file():
+            shutil.copy2(entry, target_dir / entry.name)
+
+
 def package_telemetry_bundle(staging_dir: Path) -> None:
    script = TELEMETRY_TOOLS_DIR / "package_offline_bundle.py"
    if not script.exists():
@@ -323,12 +353,13 @@ def sign_blob(
    return sig_path


-def build_offline_kit(args: argparse.Namespace) -> MutableMapping[str, Any]:
-    release_dir = args.release_dir.resolve()
-    staging_dir = args.staging_dir.resolve()
-    output_dir = args.output_dir.resolve()
-
+def build_offline_kit(args: argparse.Namespace) -> MutableMapping[str, Any]:
+    release_dir = args.release_dir.resolve()
+    staging_dir = args.staging_dir.resolve()
+    output_dir = args.output_dir.resolve()
+
    verify_release(release_dir)
+    verify_required_seed_data(REPO_ROOT)
    if not args.skip_smoke:
        run_rust_analyzer_smoke()
        run_python_analyzer_smoke()
@@ -346,11 +377,12 @@ def build_offline_kit(args: argparse.Namespace) -> MutableMapping[str, Any]:
    copy_collections(manifest_data, release_dir, staging_dir)
    copy_plugins_and_assets(staging_dir)
    copy_bootstrap_configs(staging_dir)
+    copy_third_party_licenses(staging_dir)
    package_telemetry_bundle(staging_dir)
-
-    offline_manifest_path, offline_manifest_sha = write_offline_manifest(
-        staging_dir,
-        args.version,
+
+    offline_manifest_path, offline_manifest_sha = write_offline_manifest(
+        staging_dir,
+        args.version,
        args.channel,
        release_manifest_sha,
    )