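---
# Risk Bundle CI (Gitea Actions workflow).
#
# Job 1 (risk-bundle-build): restores/builds the RiskBundles project, runs the
# RiskBundle-filtered unit tests, builds a fixtures-only risk bundle, verifies
# it, writes SHA-256 checksums and uploads the result as artifacts.
# Job 2 (risk-bundle-offline-kit): downloads those artifacts and lays them out
# for the offline kit.
#
# NOTE(review): this copy of the workflow is cut off inside the
# "Package for offline kit" step (the kit-manifest.json heredoc body and a
# later step that writes out/checksums/risk-bundle/latest.json are missing).
# See the TODO in that step.
name: Risk Bundle CI

# yamllint disable-line rule:truthy
on:
  push:
    branches: [ main ]
    paths:
      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
      - 'ops/devops/risk-bundle/**'
      - '.gitea/workflows/risk-bundle-ci.yml'
      - 'docs/modules/export-center/operations/risk-bundle-*.md'
  pull_request:
    branches: [ main, develop ]
    paths:
      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
      - 'ops/devops/risk-bundle/**'
      - '.gitea/workflows/risk-bundle-ci.yml'
      - 'docs/modules/export-center/operations/risk-bundle-*.md'
  workflow_dispatch:
    # NOTE(review): neither input is referenced by any step visible in this
    # copy of the file. include_osv has no effect on the fixtures-only build
    # below unless the truncated tail consumes it — confirm against the
    # repository copy.
    inputs:
      include_osv:
        description: 'Include OSV providers (larger bundle)'
        type: boolean
        default: false
      publish_checksums:
        description: 'Publish checksums to artifact store'
        type: boolean
        default: true

jobs:
  risk-bundle-build:
    runs-on: ubuntu-22.04
    env:
      # Quoted so the SDK version stays a string (unquoted it would be a float).
      DOTNET_VERSION: '10.0.100'
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      BUNDLE_OUTPUT: ${{ github.workspace }}/.artifacts/risk-bundle
    # NOTE(review): third-party actions are pinned to mutable major tags (@v4).
    # Pinning to a full-length commit SHA (with the tag in a trailing comment)
    # keeps a moved tag from changing what this pipeline executes.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history — presumably needed by the bundle/version tooling;
          # confirm, otherwise a shallow clone is cheaper.
          fetch-depth: 0

      - name: Export OpenSSL 1.1 shim for Mongo2Go
        run: scripts/enable-openssl11-shim.sh

      - name: Set up .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          # NOTE(review): include-prerelease appears to be a legacy input of
          # older setup-dotnet majors; with v4, prerelease SDKs are normally
          # selected through dotnet-version. Confirm it is still honoured,
          # otherwise it is silently ignored.
          include-prerelease: true

      - name: Restore
        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj

      - name: Build
        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj -c Release /p:ContinuousIntegrationBuild=true

      - name: Test RiskBundle unit tests
        run: |
          mkdir -p "$ARTIFACT_DIR"
          # The test project is restored implicitly by `dotnet test`; only the
          # RiskBundle tests are selected so the job stays scoped to this module.
          dotnet test src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj \
            -c Release \
            --filter "FullyQualifiedName~RiskBundle" \
            --logger "trx;LogFileName=risk-bundle-tests.trx" \
            --results-directory "$ARTIFACT_DIR"

      - name: Build risk bundle (fixtures)
        run: |
          mkdir -p "$BUNDLE_OUTPUT"
          # --fixtures-only: CI builds from checked-in fixtures, not live feeds.
          ops/devops/risk-bundle/build-bundle.sh --output "$BUNDLE_OUTPUT" --fixtures-only

      - name: Verify bundle integrity
        run: ops/devops/risk-bundle/verify-bundle.sh "$BUNDLE_OUTPUT/risk-bundle.tar.gz"

      - name: Generate checksums
        # SHA-256 sums detect corruption, not tampering: they sit next to the
        # files they cover and are not signed. Authenticity of the bundle rests
        # on risk-bundle.tar.gz.sig, when the build produces one.
        run: |
          cd "$BUNDLE_OUTPUT"
          sha256sum risk-bundle.tar.gz > risk-bundle.tar.gz.sha256
          sha256sum manifest.json > manifest.json.sha256
          cat risk-bundle.tar.gz.sha256 manifest.json.sha256 > checksums.txt
          echo "Bundle checksums:"
          cat checksums.txt

      - name: Upload risk bundle artifacts
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-artifacts
          # Only bundle files are listed so that the artifact root is
          # BUNDLE_OUTPUT and the download in risk-bundle-offline-kit produces
          # the flat $ARTIFACT_DIR/<file> layout that job's cp commands expect.
          # (upload-artifact uses the least common ancestor of all listed paths
          # as the artifact root; with the $ARTIFACT_DIR/*.trx glob included the
          # bundle files would land under $ARTIFACT_DIR/risk-bundle/ instead.)
          # Test results are uploaded separately in the next step.
          path: |
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz.sig
            ${{ env.BUNDLE_OUTPUT }}/manifest.json
            ${{ env.BUNDLE_OUTPUT }}/checksums.txt

      - name: Upload test results
        uses: actions/upload-artifact@v4
        # always(): keep the .trx files even when the test step failed.
        if: always()
        with:
          name: risk-bundle-test-results
          path: ${{ env.ARTIFACT_DIR }}/*.trx

  risk-bundle-offline-kit:
    runs-on: ubuntu-22.04
    needs: risk-bundle-build
    env:
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      OFFLINE_KIT_DIR: ${{ github.workspace }}/.artifacts/offline-kit
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Download risk bundle artifacts
        uses: actions/download-artifact@v4
        with:
          name: risk-bundle-artifacts
          path: ${{ env.ARTIFACT_DIR }}

      - name: Package for offline kit
        run: |
          mkdir -p "$OFFLINE_KIT_DIR/risk-bundles"
          cp "$ARTIFACT_DIR/risk-bundle.tar.gz" "$OFFLINE_KIT_DIR/risk-bundles/"
          # The signature is optional for the build, but shipping an unsigned
          # bundle in the offline kit must be visible in the job log rather
          # than silently tolerated (the original `|| true` hid this).
          if [ -f "$ARTIFACT_DIR/risk-bundle.tar.gz.sig" ]; then
            cp "$ARTIFACT_DIR/risk-bundle.tar.gz.sig" "$OFFLINE_KIT_DIR/risk-bundles/"
          else
            echo "::warning::risk-bundle.tar.gz.sig not found; offline kit will contain an unsigned bundle"
          fi
          cp "$ARTIFACT_DIR/manifest.json" "$OFFLINE_KIT_DIR/risk-bundles/"
          cp "$ARTIFACT_DIR/checksums.txt" "$OFFLINE_KIT_DIR/risk-bundles/"
          # Create offline kit manifest entry
          # TODO(review): the original writes kit-manifest.json with a heredoc
          # here, followed by a step that writes out/checksums/risk-bundle/latest.json
          # (presumably gated on inputs.publish_checksums). Both are cut off in
          # this copy of the file; restore them from the repository before
          # relying on this workflow.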