stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

CD/CD consolidation

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 17:32:23 +02:00
parent a866eb6277
commit c786faae84
638 changed files with 3821 additions and 181 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
devops/attestation/README.md Normal file
View File

@@ -0,0 +1,10 @@
# Attestor CI/Secrets (DEVOPS-ATTEST-73-001/002)
Artifacts added for the DevOps attestation track:
- `ci.yml` — GitHub Actions workflow (parity stub) that restores/builds/tests Attestor solution and uploads test artefacts. Offline/airgap friendly when mirrored into local runner; set DOTNET_* envs for determinism.
- Secrets storage plan:
- Use KMS-backed cosign key refs (e.g., `azurekms://...` or `awskms://...`).
- Store ref in CI secret `ATTESTOR_COSIGN_KEY`; pipeline passes via env and never writes key material to disk.
- Audit logs: enable KMS audit + CI job logs; avoid plaintext key dumps.
- Next steps: wire `.gitea/workflows/attestor-ci.yml` to mirror this job, add `cosign sign-blob` stage for DSSE envelopes, and publish artefacts to `ops/devops/artifacts/attestor/<ts>/` with checksums.