name: signals-evidence-locker on: workflow_dispatch: inputs: out_dir: description: "Output directory containing signed artifacts" required: false default: "evidence-locker/signals/2025-12-05" allow_dev_key: description: "Allow dev key fallback (1=yes, 0=no)" required: false default: "0" retention_target: description: "Retention days target" required: false default: "180" jobs: prepare-signals-evidence: runs-on: ubuntu-latest env: MODULE_ROOT: docs/modules/signals OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-05' }} COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }} COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }} CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 - name: Task Pack offline bundle fixtures run: python3 scripts/packs/run-fixtures-check.sh - name: Install cosign uses: sigstore/cosign-installer@v3 with: cosign-release: 'v2.2.4' - name: Check signing key configured run: | if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only." exit 1 fi if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads." fi - name: Verify artifacts exist run: | cd "$MODULE_ROOT" sha256sum -c SHA256SUMS - name: Sign signals artifacts run: | chmod +x tools/cosign/sign-signals.sh OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh - name: Build deterministic signals evidence tar run: | set -euo pipefail test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; } tmpdir=$(mktemp -d) rsync -a --relative \ "$OUT_DIR/SHA256SUMS" \ "$OUT_DIR/confidence_decay_config.sigstore.json" \ "$OUT_DIR/unknowns_scoring_manifest.sigstore.json" \ "$OUT_DIR/heuristics_catalog.sigstore.json" \ "$MODULE_ROOT/decay/confidence_decay_config.yaml" \ "$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \ "$MODULE_ROOT/heuristics/heuristics.catalog.json" \ "$tmpdir/" (cd "$tmpdir/$OUT_DIR" && sha256sum --check SHA256SUMS) tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \ -cf /tmp/signals-evidence.tar -C "$tmpdir" . sha256sum /tmp/signals-evidence.tar > /tmp/signals-evidence.tar.sha256 - name: Upload artifact (fallback) uses: actions/upload-artifact@v4 with: name: signals-evidence-2025-12-05 path: | /tmp/signals-evidence.tar /tmp/signals-evidence.tar.sha256 - name: Push to Evidence Locker if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }} env: TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }} URL: ${{ env.EVIDENCE_LOCKER_URL }} run: | upload_path="${OUT_DIR#evidence-locker/}" curl -f -X PUT "$URL/${upload_path}/signals-evidence.tar" \ -H "Authorization: Bearer $TOKEN" \ --data-binary @/tmp/signals-evidence.tar - name: Skip push (missing secret or URL) if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }} run: | echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2