# .gitea/workflows/secrets-bundle-release.yml # Sprint: SPRINT_20260104_005_AIRGAP (Secret Offline Kit Integration) # Task: OKS-007 - Add bundle to release workflow # Description: Build, sign, and release secrets rule bundles for offline deployment name: Secrets Bundle Release on: workflow_dispatch: inputs: version: description: 'Bundle version (CalVer YYYY.MM format)' required: true type: string include_in_offline_kit: description: 'Include bundle in offline kit' type: boolean default: true sign_bundle: description: 'Sign bundle with DSSE' type: boolean default: true dry_run: description: 'Dry run (build but do not publish)' type: boolean default: false push: branches: [main] paths: - 'offline/rules/secrets/sources/**' - '.gitea/workflows/secrets-bundle-release.yml' pull_request: branches: [main, develop] paths: - 'offline/rules/secrets/sources/**' env: BUNDLE_ID: secrets.ruleset DOTNET_NOLOGO: 1 DOTNET_CLI_TELEMETRY_OPTOUT: 1 REGISTRY: git.stella-ops.org jobs: # =========================================================================== # VALIDATE VERSION # =========================================================================== validate: name: Validate Inputs runs-on: ubuntu-22.04 outputs: version: ${{ steps.resolve.outputs.version }} sign_bundle: ${{ steps.resolve.outputs.sign_bundle }} dry_run: ${{ steps.resolve.outputs.dry_run }} include_in_kit: ${{ steps.resolve.outputs.include_in_kit }} steps: - name: Resolve inputs id: resolve run: | if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then VERSION="${{ github.event.inputs.version }}" SIGN_BUNDLE="${{ github.event.inputs.sign_bundle }}" DRY_RUN="${{ github.event.inputs.dry_run }}" INCLUDE_IN_KIT="${{ github.event.inputs.include_in_offline_kit }}" else # Auto-generate version for push/PR builds VERSION="$(date +%Y.%m)" SIGN_BUNDLE="false" # Don't sign non-release builds DRY_RUN="true" INCLUDE_IN_KIT="false" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "sign_bundle=$SIGN_BUNDLE" >> "$GITHUB_OUTPUT" echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT" echo "include_in_kit=$INCLUDE_IN_KIT" >> "$GITHUB_OUTPUT" echo "=== Bundle Configuration ===" echo "Version: $VERSION" echo "Sign Bundle: $SIGN_BUNDLE" echo "Dry Run: $DRY_RUN" echo "Include in Kit: $INCLUDE_IN_KIT" - name: Validate version format run: | VERSION="${{ steps.resolve.outputs.version }}" if ! [[ "$VERSION" =~ ^[0-9]{4}\.[0-9]{2}$ ]]; then echo "::error::Invalid version format. Expected CalVer YYYY.MM (e.g., 2026.01)" exit 1 fi # =========================================================================== # BUILD BUNDLE # =========================================================================== build-bundle: name: Build Secrets Bundle runs-on: ubuntu-22.04 needs: [validate] steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Setup directories run: | VERSION="${{ needs.validate.outputs.version }}" mkdir -p "out/bundles/secrets/${VERSION}" mkdir -p "offline/rules/secrets/${VERSION}" - name: Collect rule sources run: | VERSION="${{ needs.validate.outputs.version }}" BUNDLE_DIR="out/bundles/secrets/${VERSION}" SOURCE_DIR="offline/rules/secrets/sources" if [[ ! -d "$SOURCE_DIR" ]]; then echo "Creating sample rule source directory..." mkdir -p "$SOURCE_DIR" # Create minimal placeholder if no sources exist cat > "${SOURCE_DIR}/placeholder.json" << 'EOF' { "id": "placeholder-rule", "name": "Placeholder Rule", "description": "This is a placeholder rule. Add actual rules to offline/rules/secrets/sources/", "pattern": "^PLACEHOLDER_", "severity": "low", "confidence": 0.1 } EOF fi RULE_COUNT=$(find "$SOURCE_DIR" -name "*.json" | wc -l) echo "Found ${RULE_COUNT} rule source files" - name: Build rule bundle run: | VERSION="${{ needs.validate.outputs.version }}" BUNDLE_DIR="out/bundles/secrets/${VERSION}" SOURCE_DIR="offline/rules/secrets/sources" BUNDLE_ID="${{ env.BUNDLE_ID }}" # Compile rules to JSONL format echo "Compiling rules to JSONL..." RULE_COUNT=0 > "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl" for rule_file in "${SOURCE_DIR}"/*.json; do if [[ -f "$rule_file" ]]; then # Validate JSON and add to bundle if jq -e '.' "$rule_file" > /dev/null 2>&1; then jq -c '.' "$rule_file" >> "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl" RULE_COUNT=$((RULE_COUNT + 1)) else echo "::warning::Invalid JSON in $rule_file, skipping" fi fi done echo "Compiled ${RULE_COUNT} rules" # Compute file digests RULES_DIGEST=$(sha256sum "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl" | cut -d' ' -f1) RULES_SIZE=$(stat -f%z "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl" 2>/dev/null || stat -c%s "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl") # Generate manifest cat > "${BUNDLE_DIR}/${BUNDLE_ID}.manifest.json" << EOF { "bundleId": "${BUNDLE_ID}", "bundleType": "secrets", "version": "${VERSION}", "ruleCount": ${RULE_COUNT}, "createdAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)", "gitSha": "${{ github.sha }}", "gitRef": "${{ github.ref }}", "files": [ { "name": "${BUNDLE_ID}.rules.jsonl", "digest": "sha256:${RULES_DIGEST}", "sizeBytes": ${RULES_SIZE} } ] } EOF echo "=== Bundle Manifest ===" cat "${BUNDLE_DIR}/${BUNDLE_ID}.manifest.json" - name: Upload unsigned bundle uses: actions/upload-artifact@v4 with: name: secrets-bundle-unsigned-${{ needs.validate.outputs.version }} path: out/bundles/secrets/${{ needs.validate.outputs.version }} retention-days: 30 # =========================================================================== # SIGN BUNDLE # =========================================================================== sign-bundle: name: Sign Secrets Bundle runs-on: ubuntu-22.04 needs: [validate, build-bundle] if: needs.validate.outputs.sign_bundle == 'true' steps: - name: Checkout uses: actions/checkout@v4 - name: Download unsigned bundle uses: actions/download-artifact@v4 with: name: secrets-bundle-unsigned-${{ needs.validate.outputs.version }} path: bundle - name: Sign bundle with DSSE env: SECRETS_SIGNER_KEY: ${{ secrets.SECRETS_SIGNER_KEY }} SECRETS_SIGNER_KEY_ID: ${{ secrets.SECRETS_SIGNER_KEY_ID }} run: | VERSION="${{ needs.validate.outputs.version }}" BUNDLE_ID="${{ env.BUNDLE_ID }}" MANIFEST_PATH="bundle/${BUNDLE_ID}.manifest.json" if [[ -z "${SECRETS_SIGNER_KEY}" ]]; then echo "::warning::SECRETS_SIGNER_KEY not configured, generating test signature" # Generate a test DSSE envelope (not cryptographically valid) PAYLOAD_B64=$(base64 -w0 "${MANIFEST_PATH}") cat > "bundle/${BUNDLE_ID}.dsse.json" << EOF { "payloadType": "application/vnd.stellaops.rulebundle.manifest+json", "payload": "${PAYLOAD_B64}", "signatures": [ { "keyid": "test-key-unsigned", "sig": "$(echo 'unsigned-test-signature' | base64 -w0)" } ] } EOF # Update manifest to indicate test signing jq '.signerKeyId = "test-key-unsigned" | .signedAt = "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"' \ "${MANIFEST_PATH}" > "${MANIFEST_PATH}.tmp" && mv "${MANIFEST_PATH}.tmp" "${MANIFEST_PATH}" else # Real DSSE signing echo "Signing bundle with key: ${SECRETS_SIGNER_KEY_ID}" # Create PAE (Pre-Authentication Encoding) PAYLOAD_TYPE="application/vnd.stellaops.rulebundle.manifest+json" PAYLOAD=$(cat "${MANIFEST_PATH}") PAYLOAD_B64=$(echo -n "$PAYLOAD" | base64 -w0) PAE="DSSEv1 ${#PAYLOAD_TYPE} ${PAYLOAD_TYPE} ${#PAYLOAD} ${PAYLOAD}" # Sign using openssl (ES256) echo "${SECRETS_SIGNER_KEY}" | base64 -d > /tmp/signing-key.pem SIG=$(echo -n "$PAE" | openssl dgst -sha256 -sign /tmp/signing-key.pem | base64 -w0) rm -f /tmp/signing-key.pem cat > "bundle/${BUNDLE_ID}.dsse.json" << EOF { "payloadType": "${PAYLOAD_TYPE}", "payload": "${PAYLOAD_B64}", "signatures": [ { "keyid": "${SECRETS_SIGNER_KEY_ID}", "sig": "${SIG}" } ] } EOF # Update manifest with signing info jq '.signerKeyId = "'"${SECRETS_SIGNER_KEY_ID}"'" | .signedAt = "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"' \ "${MANIFEST_PATH}" > "${MANIFEST_PATH}.tmp" && mv "${MANIFEST_PATH}.tmp" "${MANIFEST_PATH}" fi echo "=== DSSE Envelope ===" jq '.' "bundle/${BUNDLE_ID}.dsse.json" - name: Verify signature structure run: | BUNDLE_ID="${{ env.BUNDLE_ID }}" # Verify DSSE structure jq -e '.payloadType and .payload and .signatures[0].keyid and .signatures[0].sig' \ "bundle/${BUNDLE_ID}.dsse.json" > /dev/null echo "Signature structure verified" - name: Upload signed bundle uses: actions/upload-artifact@v4 with: name: secrets-bundle-signed-${{ needs.validate.outputs.version }} path: bundle retention-days: 90 # =========================================================================== # PACKAGE FOR OFFLINE KIT # =========================================================================== package-offline-kit: name: Package for Offline Kit runs-on: ubuntu-22.04 needs: [validate, build-bundle, sign-bundle] if: always() && needs.build-bundle.result == 'success' && needs.validate.outputs.include_in_kit == 'true' steps: - name: Checkout uses: actions/checkout@v4 - name: Download bundle uses: actions/download-artifact@v4 with: name: ${{ needs.sign-bundle.result == 'success' && format('secrets-bundle-signed-{0}', needs.validate.outputs.version) || format('secrets-bundle-unsigned-{0}', needs.validate.outputs.version) }} path: bundle - name: Package bundle run: | VERSION="${{ needs.validate.outputs.version }}" BUNDLE_ID="${{ env.BUNDLE_ID }}" # Create offline kit structure mkdir -p "offline-kit/rules/secrets/${VERSION}" cp bundle/* "offline-kit/rules/secrets/${VERSION}/" # Create symlink for latest cd "offline-kit/rules/secrets" ln -sf "${VERSION}" latest # Generate checksums cd "${VERSION}" sha256sum ${BUNDLE_ID}.* > SHA256SUMS echo "=== Offline Kit Contents ===" find ../.. -type f | head -20 - name: Create tarball run: | VERSION="${{ needs.validate.outputs.version }}" cd offline-kit tar -czvf "../secrets-bundle-kit-${VERSION}.tar.gz" . - name: Upload offline kit package uses: actions/upload-artifact@v4 with: name: secrets-bundle-kit-${{ needs.validate.outputs.version }} path: secrets-bundle-kit-*.tar.gz retention-days: 90 # =========================================================================== # PUBLISH # =========================================================================== publish: name: Publish Bundle runs-on: ubuntu-22.04 needs: [validate, sign-bundle, package-offline-kit] if: needs.validate.outputs.dry_run != 'true' && needs.sign-bundle.result == 'success' steps: - name: Checkout uses: actions/checkout@v4 - name: Download signed bundle uses: actions/download-artifact@v4 with: name: secrets-bundle-signed-${{ needs.validate.outputs.version }} path: bundle - name: Download offline kit package uses: actions/download-artifact@v4 with: name: secrets-bundle-kit-${{ needs.validate.outputs.version }} path: kit continue-on-error: true - name: Commit bundle to repository run: | VERSION="${{ needs.validate.outputs.version }}" BUNDLE_ID="${{ env.BUNDLE_ID }}" TARGET_DIR="offline/rules/secrets/${VERSION}" git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" mkdir -p "${TARGET_DIR}" cp bundle/* "${TARGET_DIR}/" # Update latest symlink cd offline/rules/secrets rm -f latest ln -sf "${VERSION}" latest cd - git add "offline/rules/secrets/${VERSION}" git add "offline/rules/secrets/latest" if git diff --cached --quiet; then echo "No changes to commit" else git commit -m "release: secrets rule bundle ${VERSION} Bundle ID: ${BUNDLE_ID} Version: ${VERSION} Git SHA: ${{ github.sha }} 🤖 Generated with [Claude Code](https://claude.ai/claude-code) Co-Authored-By: github-actions[bot] " git push fi - name: Create release tag env: GITHUB_TOKEN: ${{ secrets.GITEA_TOKEN }} run: | VERSION="${{ needs.validate.outputs.version }}" BUNDLE_ID="${{ env.BUNDLE_ID }}" # Get rule count from manifest RULE_COUNT=$(jq -r '.ruleCount // 0' "bundle/${BUNDLE_ID}.manifest.json") SIGNER_KEY_ID=$(jq -r '.signerKeyId // "unknown"' "bundle/${BUNDLE_ID}.manifest.json") # Create release notes cat > release-notes.md << EOF ## Secrets Rule Bundle ${VERSION} ### Bundle Information - **Bundle ID:** ${BUNDLE_ID} - **Version:** ${VERSION} - **Rule Count:** ${RULE_COUNT} - **Signer Key ID:** ${SIGNER_KEY_ID} - **Git SHA:** ${{ github.sha }} ### Installation #### For Online Environments \`\`\`bash stella secrets bundle update --version ${VERSION} \`\`\` #### For Offline/Air-Gapped Environments 1. Download the offline kit package 2. Transfer to air-gapped environment 3. Run the installation script: \`\`\`bash ./devops/offline/scripts/install-secrets-bundle.sh /path/to/rules/secrets/${VERSION} \`\`\` ### Files | File | Description | |------|-------------| | \`${BUNDLE_ID}.manifest.json\` | Bundle manifest with metadata | | \`${BUNDLE_ID}.rules.jsonl\` | Rule definitions (JSONL format) | | \`${BUNDLE_ID}.dsse.json\` | DSSE signature envelope | EOF # Prepare assets mkdir -p release-assets cp bundle/* release-assets/ if [[ -f "kit/secrets-bundle-kit-${VERSION}.tar.gz" ]]; then cp "kit/secrets-bundle-kit-${VERSION}.tar.gz" release-assets/ fi # Create release gh release create "secrets-bundle-${VERSION}" \ --title "Secrets Rule Bundle ${VERSION}" \ --notes-file release-notes.md \ release-assets/* # =========================================================================== # SUMMARY # =========================================================================== summary: name: Build Summary runs-on: ubuntu-22.04 needs: [validate, build-bundle, sign-bundle, package-offline-kit, publish] if: always() steps: - name: Generate Summary run: | echo "## Secrets Bundle Release Summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Configuration" >> $GITHUB_STEP_SUMMARY echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY echo "| Version | ${{ needs.validate.outputs.version }} |" >> $GITHUB_STEP_SUMMARY echo "| Sign Bundle | ${{ needs.validate.outputs.sign_bundle }} |" >> $GITHUB_STEP_SUMMARY echo "| Dry Run | ${{ needs.validate.outputs.dry_run }} |" >> $GITHUB_STEP_SUMMARY echo "| Include in Kit | ${{ needs.validate.outputs.include_in_kit }} |" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Job Results" >> $GITHUB_STEP_SUMMARY echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY echo "| Build Bundle | ${{ needs.build-bundle.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Sign Bundle | ${{ needs.sign-bundle.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY echo "| Package Offline Kit | ${{ needs.package-offline-kit.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY echo "| Publish | ${{ needs.publish.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY