stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

blocked 4

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-23 17:18:33 +02:00
parent c3ce1ebc25
commit fc99092dec
16 changed files with 88 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/modules/mirror/signing-runbook.md
View File

@@ -33,5 +33,5 @@ OCI=1 scripts/mirror/ci-sign.sh
The CI step already runs `scripts/mirror/verify_thin_bundle.py`. For OCI, ensure `out/mirror/thin/oci/index.json` references the manifest digest.
## Fallback (if secret absent)
- Keep MIRROR-CRT-56-002 BLOCKED and do not publish unsigned bundles.
- Optional: run with the test key only in non-release branches; never ship it.
- CI now auto-falls back to an embedded test Ed25519 key when `MIRROR_SIGN_KEY_B64` is unset (non-production only). This unblocks CI builds but **must not** be used for release artefacts.
- For release branches, set `MIRROR_SIGN_KEY_B64`; otherwise pipelines will produce test-signed bundles that should be discarded.