name: Signals Reachability Scoring & Events on: workflow_dispatch: inputs: allow_dev_key: description: "Allow dev signing key fallback (1=yes, 0=no)" required: false default: "0" evidence_out_dir: description: "Evidence output dir for signing/upload" required: false default: "evidence-locker/signals/2025-12-05" push: branches: [ main ] paths: - 'src/Signals/**' - 'scripts/signals/reachability-smoke.sh' - '.gitea/workflows/signals-reachability.yml' - 'tools/cosign/sign-signals.sh' jobs: reachability-smoke: runs-on: ubuntu-22.04 env: DOTNET_NOLOGO: 1 DOTNET_CLI_TELEMETRY_OPTOUT: 1 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1 TZ: UTC steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Task Pack offline bundle fixtures run: python3 scripts/packs/run-fixtures-check.sh - name: Setup .NET 10 RC uses: actions/setup-dotnet@v4 with: dotnet-version: 10.0.100 include-prerelease: true - name: Restore run: dotnet restore src/Signals/StellaOps.Signals.sln --configfile nuget.config - name: Build run: dotnet build src/Signals/StellaOps.Signals.sln -c Release --no-restore - name: Reachability scoring + cache/events smoke run: | chmod +x scripts/signals/reachability-smoke.sh scripts/signals/reachability-smoke.sh sign-and-upload: runs-on: ubuntu-22.04 needs: reachability-smoke env: COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }} OUT_DIR: ${{ github.event.inputs.evidence_out_dir || 'evidence-locker/signals/2025-12-05' }} CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }} EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }} steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Task Pack offline bundle fixtures run: python3 scripts/packs/run-fixtures-check.sh - name: Install cosign uses: sigstore/cosign-installer@v3 with: cosign-release: 'v2.2.4' - name: Check signing key configured run: | if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only." exit 1 fi if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads." fi - name: Verify artifacts exist run: | cd docs/modules/signals sha256sum -c SHA256SUMS - name: Sign signals artifacts run: | chmod +x tools/cosign/sign-signals.sh OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh - name: Upload signed artifacts uses: actions/upload-artifact@v4 with: name: signals-evidence-${{ github.run_number }} path: | ${{ env.OUT_DIR }}/*.sigstore.json ${{ env.OUT_DIR }}/*.dsse ${{ env.OUT_DIR }}/SHA256SUMS if-no-files-found: error retention-days: 30 - name: Push to Evidence Locker if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }} env: TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }} URL: ${{ env.EVIDENCE_LOCKER_URL }} run: | tar -cf /tmp/signals-evidence.tar -C "$OUT_DIR" . sha256sum /tmp/signals-evidence.tar curl -f -X PUT "$URL/signals/$(date -u +%Y-%m-%d)/signals-evidence.tar" \ -H "Authorization: Bearer $TOKEN" \ --data-binary @/tmp/signals-evidence.tar echo "Uploaded to Evidence Locker" - name: Evidence Locker skip notice if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }} run: | echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"