CD/CD consolidation

2025-12-26 17:32:23 +02:00
parent a866eb6277
commit c786faae84
638 changed files with 3821 additions and 181 deletions
--- a/.gitea/scripts/evidence/signals-upload-evidence.sh
+++ b/.gitea/scripts/evidence/signals-upload-evidence.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+STAGED_DIR="evidence-locker/signals/2025-12-05"
+MODULE_ROOT="docs/modules/signals"
+TAR_OUT="/tmp/signals-evidence.tar"
+
+if [[ -z "${EVIDENCE_LOCKER_URL:-}" || -z "${CI_EVIDENCE_LOCKER_TOKEN:-}" ]]; then
+  echo "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required" >&2
+  exit 1
+fi
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+rsync -a --relative \
+  "$STAGED_DIR/SHA256SUMS" \
+  "$STAGED_DIR/confidence_decay_config.sigstore.json" \
+  "$STAGED_DIR/unknowns_scoring_manifest.sigstore.json" \
+  "$STAGED_DIR/heuristics_catalog.sigstore.json" \
+  "$MODULE_ROOT/decay/confidence_decay_config.yaml" \
+  "$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \
+  "$MODULE_ROOT/heuristics/heuristics.catalog.json" \
+  "$tmpdir/"
+
+pushd "$tmpdir/$STAGED_DIR" >/dev/null
+sha256sum --check SHA256SUMS
+popd >/dev/null
+
+# Build deterministic tarball
+pushd "$tmpdir" >/dev/null
+tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
+  -cf "$TAR_OUT" .
+popd >/dev/null
+
+sha256sum "$TAR_OUT"
+
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar" \
+  --data-binary "@$TAR_OUT"
+
+echo "Uploaded $TAR_OUT to $EVIDENCE_LOCKER_URL/signals/2025-12-05/"
--- a/.gitea/scripts/evidence/upload-all-evidence.sh
+++ b/.gitea/scripts/evidence/upload-all-evidence.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Upload both Zastava and Signals evidence bundles to the locker.
+# Requires EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN.
+
+EVIDENCE_LOCKER_URL=${EVIDENCE_LOCKER_URL:-}
+CI_EVIDENCE_LOCKER_TOKEN=${CI_EVIDENCE_LOCKER_TOKEN:-}
+
+if [[ -z "$EVIDENCE_LOCKER_URL" || -z "$CI_EVIDENCE_LOCKER_TOKEN" ]]; then
+  echo "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required" >&2
+  exit 1
+fi
+
+# Defaults
+ZASTAVA_TAR=${ZASTAVA_TAR:-evidence-locker/zastava/2025-12-02/zastava-evidence.tar}
+ZASTAVA_VERIFY=${ZASTAVA_VERIFY:-tools/zastava-verify-evidence-tar.sh}
+ZASTAVA_PATH=\$EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar
+
+SIGNALS_TAR=${SIGNALS_TAR:-evidence-locker/signals/2025-12-05/signals-evidence.tar}
+SIGNALS_VERIFY=${SIGNALS_VERIFY:-tools/signals-verify-evidence-tar.sh}
+SIGNALS_PATH=\$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar
+
+# Verify
+if [[ -x "$ZASTAVA_VERIFY" ]]; then
+  "$ZASTAVA_VERIFY" "$ZASTAVA_TAR"
+fi
+if [[ -x "$SIGNALS_VERIFY" ]]; then
+  "$SIGNALS_VERIFY" "$SIGNALS_TAR"
+fi
+
+# Upload Zastava
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar" \
+  --data-binary @"$ZASTAVA_TAR"
+
+echo "Uploaded Zastava evidence to $EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar"
+
+# Upload Signals
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar" \
+  --data-binary @"$SIGNALS_TAR"
+
+echo "Uploaded Signals evidence to $EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar"
--- a/.gitea/scripts/evidence/zastava-upload-evidence.sh
+++ b/.gitea/scripts/evidence/zastava-upload-evidence.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ -z "${EVIDENCE_LOCKER_URL:-}" || -z "${CI_EVIDENCE_LOCKER_TOKEN:-}" ]]; then
+  echo "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required" >&2
+  exit 1
+fi
+
+STAGED_DIR="evidence-locker/zastava/2025-12-02"
+TAR_OUT="/tmp/zastava-evidence.tar"
+MODULE_ROOT="docs/modules/zastava"
+
+test -d "$MODULE_ROOT" || { echo "missing module root $MODULE_ROOT" >&2; exit 1; }
+mkdir -p "$STAGED_DIR"
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+rsync -a --relative \
+  "$MODULE_ROOT/SHA256SUMS" \
+  "$MODULE_ROOT/schemas/" \
+  "$MODULE_ROOT/exports/" \
+  "$MODULE_ROOT/thresholds.yaml" \
+  "$MODULE_ROOT/thresholds.yaml.dsse" \
+  "$MODULE_ROOT/kit/verify.sh" \
+  "$MODULE_ROOT/kit/README.md" \
+  "$MODULE_ROOT/kit/ed25519.pub" \
+  "$MODULE_ROOT/kit/zastava-kit.tzst" \
+  "$MODULE_ROOT/kit/zastava-kit.tzst.dsse" \
+  "$MODULE_ROOT/evidence/README.md" \
+  "$tmpdir/"
+
+pushd "$tmpdir/docs/modules/zastava" >/dev/null
+sha256sum --check SHA256SUMS
+
+# Build deterministic tarball for reproducibility (payloads + DSSE)
+tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
+  -cf "$TAR_OUT" .
+popd >/dev/null
+
+sha256sum "$TAR_OUT"
+
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar" \
+  --data-binary "@$TAR_OUT"
+
+echo "Uploaded $TAR_OUT to $EVIDENCE_LOCKER_URL/zastava/2025-12-02/"