# .gitea/workflows/release.yml # Deterministic release pipeline producing signed images, SBOMs, provenance, and manifest name: Release Bundle on: push: tags: - 'v*' workflow_dispatch: inputs: version: description: 'Release version (overrides tag, e.g. 2025.10.0-edge)' required: false type: string channel: description: 'Release channel (edge|stable|lts)' required: false default: 'edge' type: choice options: - edge - stable - lts calendar: description: 'Calendar tag (YYYY.MM) - optional override' required: false type: string push_images: description: 'Push container images to registry' required: false default: true type: boolean jobs: build-release: runs-on: ubuntu-22.04 env: DOTNET_VERSION: '10.0.100-rc.1.25451.107' REGISTRY: registry.stella-ops.org steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Validate NuGet restore source ordering run: python3 ops/devops/validate_restore_sources.py - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Set up Node.js 20 uses: actions/setup-node@v4 with: node-version: '20.14.0' - name: Set up .NET SDK uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} include-prerelease: true - name: Install cross-arch objcopy tooling run: | sudo apt-get update sudo apt-get install -y --no-install-recommends binutils-aarch64-linux-gnu - name: Publish Python analyzer plug-in run: | set -euo pipefail dotnet publish src/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \ --configuration Release \ --output out/analyzers/python \ --no-self-contained mkdir -p plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.dll plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/ if [ -f out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb ]; then cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/ fi - name: Run Python analyzer smoke checks run: | dotnet run \ --project tools/LanguageAnalyzerSmoke/LanguageAnalyzerSmoke.csproj \ --configuration Release \ -- \ --repo-root . # Note: this step enforces DEVOPS-REL-14-004 by signing the restart-only Python plug-in. # Ensure COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN is configured, otherwise the job will fail. - name: Sign Python analyzer artefacts env: COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }} run: | set -euo pipefail if [[ -z "${COSIGN_KEY_REF:-}" && -z "${COSIGN_IDENTITY_TOKEN:-}" ]]; then echo "::error::COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN must be provided to sign analyzer artefacts." >&2 exit 1 fi export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" export COSIGN_EXPERIMENTAL=1 PLUGIN_DIR="plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python" ARTIFACTS=( "StellaOps.Scanner.Analyzers.Lang.Python.dll" "manifest.json" ) for artifact in "${ARTIFACTS[@]}"; do FILE="${PLUGIN_DIR}/${artifact}" if [[ ! -f "${FILE}" ]]; then echo "::error::Missing analyzer artefact ${FILE}" >&2 exit 1 fi sha256sum "${FILE}" | awk '{print $1}' > "${FILE}.sha256" SIGN_ARGS=(--yes "${FILE}") if [[ -n "${COSIGN_KEY_REF:-}" ]]; then SIGN_ARGS=(--key "${COSIGN_KEY_REF}" "${SIGN_ARGS[@]}") fi if [[ -n "${COSIGN_IDENTITY_TOKEN:-}" ]]; then SIGN_ARGS=(--identity-token "${COSIGN_IDENTITY_TOKEN}" "${SIGN_ARGS[@]}") fi cosign sign-blob "${SIGN_ARGS[@]}" > "${FILE}.sig" done - name: Install Helm 3.16.0 run: | curl -fsSL https://get.helm.sh/helm-v3.16.0-linux-amd64.tar.gz -o /tmp/helm.tgz tar -xzf /tmp/helm.tgz -C /tmp sudo install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm - name: Install Cosign uses: sigstore/cosign-installer@v3.4.0 - name: Install Syft run: | set -euo pipefail SYFT_VERSION="v1.21.0" curl -fsSL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" -o /tmp/syft.tgz tar -xzf /tmp/syft.tgz -C /tmp sudo install -m 0755 /tmp/syft /usr/local/bin/syft - name: Determine release metadata id: meta run: | set -euo pipefail RAW_VERSION="${{ github.ref_name }}" if [[ "${{ github.event_name }}" != "push" ]]; then RAW_VERSION="${{ github.event.inputs.version }}" fi if [[ -z "$RAW_VERSION" ]]; then echo "::error::Release version not provided" >&2 exit 1 fi VERSION="${RAW_VERSION#v}" CHANNEL="${{ github.event.inputs.channel || '' }}" if [[ -z "$CHANNEL" ]]; then CHANNEL="edge" fi CALENDAR_INPUT="${{ github.event.inputs.calendar || '' }}" if [[ -z "$CALENDAR_INPUT" ]]; then YEAR=$(echo "$VERSION" | awk -F'.' '{print $1}') MONTH=$(echo "$VERSION" | awk -F'.' '{print $2}') if [[ -n "$YEAR" && -n "$MONTH" ]]; then CALENDAR_INPUT="$YEAR.$MONTH" else CALENDAR_INPUT=$(date -u +'%Y.%m') fi fi PUSH_INPUT="${{ github.event.inputs.push_images || '' }}" if [[ "${{ github.event_name }}" == "push" ]]; then PUSH_INPUT="true" elif [[ -z "$PUSH_INPUT" ]]; then PUSH_INPUT="true" fi if [[ "$PUSH_INPUT" == "false" || "$PUSH_INPUT" == "0" ]]; then PUSH_FLAG="false" else PUSH_FLAG="true" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "channel=$CHANNEL" >> "$GITHUB_OUTPUT" echo "calendar=$CALENDAR_INPUT" >> "$GITHUB_OUTPUT" echo "push=$PUSH_FLAG" >> "$GITHUB_OUTPUT" - name: Enforce CLI parity gate run: | python3 ops/devops/check_cli_parity.py - name: Log in to registry if: steps.meta.outputs.push == 'true' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Prepare release output directory run: | rm -rf out/release mkdir -p out/release - name: Build release bundle # NOTE (DEVOPS-REL-17-004): build_release.py now fails if out/release/debug is missing env: COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }} run: | set -euo pipefail EXTRA_ARGS=() if [[ "${{ steps.meta.outputs.push }}" != "true" ]]; then EXTRA_ARGS+=("--no-push") fi ./ops/devops/release/build_release.py \ --version "${{ steps.meta.outputs.version }}" \ --channel "${{ steps.meta.outputs.channel }}" \ --calendar "${{ steps.meta.outputs.calendar }}" \ --git-sha "${{ github.sha }}" \ "${EXTRA_ARGS[@]}" - name: Verify release artefacts run: | python ops/devops/release/verify_release.py --release-dir out/release - name: Upload release artefacts uses: actions/upload-artifact@v4 with: name: stellaops-release-${{ steps.meta.outputs.version }} path: out/release if-no-files-found: error