audit, advisories and doctors/setup work

This commit is contained in:
master
2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions


@@ -0,0 +1,115 @@
apiVersion: stella.ops/doctor.v1
kind: DoctorPlugin
metadata:
name: doctor-release-orchestrator-gitlab
labels:
module: release-orchestrator
integration: gitlab
spec:
discovery:
when:
- env: GITLAB_URL
- fileExists: config/release-orchestrator/gitlab.yaml
checks:
- id: scm.webhook.reachability
description: "GitLab webhook is reachable and signed"
run:
exec: |
stella orchestrator scm test-webhook \
--url "$GITLAB_URL" \
--project "$(stella cfg get gitlab.project)" \
--secret-ref "vault:scm/webhook_secret"
parse:
expect:
- contains: "200 OK"
how_to_fix:
summary: "Create/repair webhook with correct secret and events."
commands:
- stella orchestrator scm create-webhook --events push,tag,release
- stella secrets put scm/webhook_secret --from-random 32
- id: scm.branch.protection
description: "Main branches are protected with required approvals and checks"
run:
exec: |
stella orchestrator scm audit-branch-policy --branches main,release/*
parse:
expectJson:
path: $.allCompliant
equals: true
how_to_fix:
summary: "Apply baseline branch policy"
commands:
- stella orchestrator scm apply-branch-policy --preset strict
- id: registry.pushpull
description: "Robot account can push/pull and read attestations"
run:
exec: |
stella registry selftest --repo "$REGISTRY_REPO" --attestations
parse:
expect:
- contains: "push: ok"
- contains: "pull: ok"
- contains: "attestations: ok"
how_to_fix:
summary: "Create robot, grant repo:write, enable attestations"
commands:
- stella registry robot create --name orchestrator
- stella registry repo grant --robot orchestrator --write
- stella registry attestation enable --repo "$REGISTRY_REPO"
- id: sbom.ingestion
description: "SBOM/VEX ingestion endpoint accepts CycloneDX 1.6 and SPDX 3.0.1"
run:
exec: |
stella sbom ingest --file samples/cdx-1.6.json --type cyclonedx
stella sbom ingest --file samples/spdx-3.0.1.json --type spdx
parse:
expect:
- contains: "ingested: 2"
how_to_fix:
summary: "Enable SBOM service and permissions"
commands:
- stella svc enable sbom
- stella auth grant sbom:ingest --role orchestrator
- id: vault.connectivity
description: "Vault connectivity, auth, and policy"
run:
exec: |
stella vault doctor --policy doctor-orchestrator
parse:
expect:
- contains: "policy: ok"
- contains: "login: ok"
how_to_fix:
summary: "Create policy and AppRole"
commands:
- stella vault bootstrap --role orchestrator --policy doctor-orchestrator
- id: ldap.authority.mapping
description: "LDAP binds and maps groups -> roles"
run:
exec: |
stella authority ldap test --user "$TEST_USER_EMAIL"
parse:
expect:
- contains: "role: Deployer"
how_to_fix:
summary: "Adjust group -> role mapping"
commands:
- stella authority map add --group ops-deploy --role Deployer
- id: migrations.pending
description: "All orchestrator DB migrations applied"
run:
exec: |
stella db migrate status --service orchestrator --json
parse:
expectJson:
path: $.pending
equals: 0
how_to_fix:
summary: "Apply migrations safely (dry-run first)"
commands:
- stella db migrate apply --service orchestrator --dry-run
- stella db migrate apply --service orchestrator --apply
attestations:
dsse:
enabled: true
outFile: artifacts/doctor/orchestrator-gitlab.dsse.json
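Review bot: The `scm.branch.protection` check parses its output with `expectJson` (`$.allCompliant`) but, unlike `migrations.pending`, its command `stella orchestrator scm audit-branch-policy --branches main,release/*` does not pass `--json`; unless `audit-branch-policy` emits JSON by default, the path will never resolve and the check fails closed instead of reporting the actual policy state. The same line leaves `main,release/*` unquoted inside a shell `exec`, so the `*` is subject to pathname expansion in the doctor's working directory; `stella orchestrator scm audit-branch-policy --branches 'main,release/*' --json` avoids both. In `sbom.ingestion` the two `stella sbom ingest` calls run in one `exec: |` block with no `set -e`, so a failing first ingest is only caught if `contains: "ingested: 2"` is meant to be a cumulative count rather than per-command output — a one-line comment on that check stating which would save the next maintainer a guess.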