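---
# Packages, signs and SBOM-generates the Advisory AI feed bundle.
#
# Review notes:
# - The release signing key comes from the COSIGN_PRIVATE_KEY_B64 secret. The
#   development key is only used when an operator explicitly requests it via
#   the workflow_dispatch input; a push to main with the secret missing fails
#   instead of silently producing a dev-signed "release" (the original
#   fallback did exactly that).
# - Third-party actions are pinned to major tags only; pin them to full commit
#   SHAs before this workflow is relied on for production releases.
name: Advisory AI Feed Release

on:
  workflow_dispatch:
    inputs:
      allow_dev_key:
        description: 'Allow dev key for testing (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'src/AdvisoryAI/feeds/**'
      - 'docs/samples/advisory-feeds/**'

# Least privilege for GITHUB_TOKEN: the job only checks out the repository;
# artifact upload does not use a GITHUB_TOKEN write scope.
permissions:
  contents: read

jobs:
  package-feeds:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.6.0'

      - name: Select signing key
        # The dispatch input reaches the script through `env` rather than being
        # interpolated into the script body, so it cannot rewrite the command.
        # On a push event the input is empty and defaults to '0'.
        env:
          ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key }}
        run: |
          set -euo pipefail
          if [ "${ALLOW_DEV_KEY:-0}" = "1" ]; then
            # Explicit, auditable opt-in: the dev key password is the one that
            # ships with the checked-in development key, not a secret.
            echo "[warn] allow_dev_key=1: signing with the development key (not for production)"
            echo "COSIGN_ALLOW_DEV_KEY=1" >> "$GITHUB_ENV"
            echo "COSIGN_PASSWORD=stellaops-dev" >> "$GITHUB_ENV"
          elif [ -z "${COSIGN_PRIVATE_KEY_B64:-}" ]; then
            # Refuse to downgrade silently: without this check a push to main
            # with the secret unset would publish dev-key-signed artifacts.
            echo "::error::COSIGN_PRIVATE_KEY_B64 is not set; refusing to fall back to the dev key." \
                 "Re-run via workflow_dispatch with allow_dev_key=1 for a non-production build."
            exit 1
          fi

      - name: Package advisory feeds
        run: |
          set -euo pipefail
          chmod +x ops/deployment/advisory-ai/package-advisory-feeds.sh
          ops/deployment/advisory-ai/package-advisory-feeds.sh

      - name: Generate SBOM
        env:
          SYFT_VERSION: 'v1.0.0'
        run: |
          set -euo pipefail
          # Fetch the installer from the same tagged release as the binary it
          # installs, not from `main`: an unpinned script piped to sh is a
          # supply-chain injection point in a step that feeds a signed release.
          curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" \
            | sh -s -- -b /usr/local/bin "${SYFT_VERSION}"
          # SBOM for the staged feed bundle.
          syft dir:out/advisory-ai/feeds/stage \
            -o spdx-json=out/advisory-ai/feeds/advisory-feeds.sbom.json \
            --name advisory-feeds

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: advisory-feeds-${{ github.run_number }}
          path: |
            out/advisory-ai/feeds/advisory-feeds.tar.gz
            out/advisory-ai/feeds/advisory-feeds.manifest.json
            out/advisory-ai/feeds/advisory-feeds.manifest.dsse.json
            out/advisory-ai/feeds/advisory-feeds.sbom.json
            out/advisory-ai/feeds/provenance.json
          # A release run must not succeed with nothing to publish. Note this
          # only fails when *no* path matches; a partially missing set (e.g. no
          # DSSE envelope) is still the packaging script's responsibility.
          if-no-files-found: error
          retention-days: 30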