# SBOM Service CI Runner Harness (DEVOPS-SBOM-23-001)

Purpose: deterministic, offline-friendly CI harness for SBOM Service. Produces warmed-cache restore, build binlog, TRX outputs, and a NuGet cache hash to unblock SBOM console/consumer sprints.

Usage
- From repo root run: `ops/devops/sbom-ci-runner/run-sbom-ci.sh`
- Outputs land in `ops/devops/artifacts/sbom-ci/<UTC timestamp>/`:
  - `build.binlog` (solution build)
  - `tests/sbom.trx` (VSTest results)
  - `nuget-cache.hash` (sha256 over file name+size listing for offline cache traceability)
  - `summary.json` (paths + sources + cache hash)

Environment defaults
- `DOTNET_CLI_TELEMETRY_OPTOUT=1`, `DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1`, `DOTNET_RESTORE_DISABLE_PARALLEL=1`
- `NUGET_PACKAGES=$REPO/.nuget/packages`
- `NUGET_SOURCES=$REPO/local-nugets;$REPO/.nuget/packages`
- `TEST_FILTER` empty (set to narrow tests)

What it does
1) Warm NuGet cache from `local-nugets/` into `$NUGET_PACKAGES` for air-gap parity.
2) `dotnet restore` + `dotnet build` on `src/SbomService/StellaOps.SbomService.sln` with `/bl`.
3) Run `StellaOps.SbomService.Tests` with TRX output (honors `TEST_FILTER`).
4) Produce `nuget-cache.hash` using sorted file name+size list hashed with sha256 (lightweight evidence of cache contents).
5) Emit `summary.json` with artefact paths and cache hash value.

Notes
- Offline-only; no external services required.
- Timestamped output folders keep ordering deterministic; consumers should sort lexicographically.
- Extend `test_project` in the script if additional SBOM test projects are added.