# Attestor CI/Secrets (DEVOPS-ATTEST-73-001/002)

Artifacts added for the DevOps attestation track:

- `ci.yml` — GitHub Actions workflow (parity stub) that restores, builds and tests the Attestor solution and uploads the test artefacts. Offline/airgap friendly when mirrored into a local runner; set the `DOTNET_*` envs for determinism.
- Secrets storage plan:
  - Use KMS-backed cosign key refs (e.g., `azurekms://...` or `awskms://...`).
  - Store the ref in the CI secret `ATTESTOR_COSIGN_KEY`; the pipeline passes it via env and never writes key material to disk.
  - Audit logs: enable KMS audit logging plus CI job logs; avoid plaintext key dumps.
- Next steps: wire `.gitea/workflows/attestor-ci.yml` to mirror this job, add a `cosign sign-blob` stage for DSSE envelopes, and publish artefacts to `ops/devops/artifacts/attestor//` with checksums.
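The plan above has three checkable properties: the cosign key is referenced by a KMS URI and never lands on disk, DSSE envelopes get a `cosign sign-blob` stage, and published artefacts ship with checksums. The script below is an added example of how a pipeline step could enforce those properties; it is not the project's `ci.yml` or any code from the Attestor repository. It assumes the CI secret is exported as `ATTESTOR_COSIGN_KEY` (the name from the plan) and uses cosign's `sign-blob --key/--output-signature` flags; the artefact directory, the sample files and the `sign_envelope`/`write_checksums` helper names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not the project's own workflow. Guard rails for the cosign
# key ref plus the checksummed artefact publish step described in the plan.
set -euo pipefail

# Returns 0 only when the value is a KMS key reference of a scheme named in
# the plan (azurekms://, awskms://). Anything that looks like PEM key material
# or a local file path is refused, so raw keys never reach the workspace or
# the job log.
check_key_ref() {
  ref="$1"
  case "$ref" in
    *"-----BEGIN"*)
      echo "refusing: value contains PEM key material, expected a KMS ref" >&2
      return 1 ;;
    azurekms://*|awskms://*)
      return 0 ;;
    *)
      echo "refusing: '$ref' is not a KMS key reference" >&2
      return 1 ;;
  esac
}

# Writes a SHA256SUMS manifest for every regular file in the artefact
# directory (sorted with LC_ALL=C for reproducible output) and prints its path.
write_checksums() {
  dir="$1"
  ( cd "$dir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
      | LC_ALL=C sort -k2 > SHA256SUMS )
  echo "$dir/SHA256SUMS"
}

# Re-verifies the manifest against the files; non-zero if anything drifted.
verify_checksums() {
  ( cd "$1" && sha256sum --check --quiet SHA256SUMS )
}

# Signing stage for a DSSE envelope file. The key is passed to cosign only as
# a KMS reference; cosign performs the signature inside the KMS, so nothing but
# the detached signature is written. When cosign is not on PATH (local dry
# run) the stage is skipped rather than failing the checksum step.
sign_envelope() {
  envelope="$1"
  check_key_ref "${ATTESTOR_COSIGN_KEY:-}" || return 1
  if ! command -v cosign >/dev/null 2>&1; then
    echo "cosign not installed; skipping sign-blob for $envelope" >&2
    return 0
  fi
  cosign sign-blob --yes --key "$ATTESTOR_COSIGN_KEY" \
    --output-signature "$envelope.sig" "$envelope"
}

# Typical job order: sign the envelope(s), then checksum everything that will
# be published (signatures included) and verify the manifest before upload.
publish_artefacts() {
  dir="$1"
  for env_file in "$dir"/*.dsse.json; do
    [ -e "$env_file" ] || continue   # no envelopes present in this run
    sign_envelope "$env_file"
  done
  write_checksums "$dir" >/dev/null
  verify_checksums "$dir"
}
```

In a real job the `ATTESTOR_COSIGN_KEY` value comes from the CI secret store and is only ever read from the environment; `check_key_ref` is the cheap place to catch a secret that was populated with a PEM file's contents by mistake, which would otherwise be printed by the first failing `cosign` command.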