108d1c64b3
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
cryptopro-linux-csp / build-and-test (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
sm-remote-ci / build-and-test (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
128 lines
4.4 KiB
YAML
128 lines
4.4 KiB
YAML
name: Signals Reachability Scoring & Events
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
allow_dev_key:
|
|
description: "Allow dev signing key fallback (1=yes, 0=no)"
|
|
required: false
|
|
default: "0"
|
|
evidence_out_dir:
|
|
description: "Evidence output dir for signing/upload"
|
|
required: false
|
|
default: "evidence-locker/signals/2025-12-05"
|
|
push:
|
|
branches: [ main ]
|
|
paths:
|
|
- 'src/Signals/**'
|
|
- 'scripts/signals/reachability-smoke.sh'
|
|
- '.gitea/workflows/signals-reachability.yml'
|
|
- 'tools/cosign/sign-signals.sh'
|
|
|
|
jobs:
|
|
reachability-smoke:
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
DOTNET_NOLOGO: 1
|
|
DOTNET_CLI_TELEMETRY_OPTOUT: 1
|
|
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
|
|
TZ: UTC
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Task Pack offline bundle fixtures
|
|
run: python3 scripts/packs/run-fixtures-check.sh
|
|
|
|
- name: Setup .NET 10 RC
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: 10.0.100
|
|
include-prerelease: true
|
|
|
|
- name: Restore
|
|
run: dotnet restore src/Signals/StellaOps.Signals.sln --configfile nuget.config
|
|
|
|
- name: Build
|
|
run: dotnet build src/Signals/StellaOps.Signals.sln -c Release --no-restore
|
|
|
|
- name: Reachability scoring + cache/events smoke
|
|
run: |
|
|
chmod +x scripts/signals/reachability-smoke.sh
|
|
scripts/signals/reachability-smoke.sh
|
|
|
|
sign-and-upload:
|
|
runs-on: ubuntu-22.04
|
|
needs: reachability-smoke
|
|
env:
|
|
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
|
|
OUT_DIR: ${{ github.event.inputs.evidence_out_dir || 'evidence-locker/signals/2025-12-05' }}
|
|
CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
|
|
EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Task Pack offline bundle fixtures
|
|
run: python3 scripts/packs/run-fixtures-check.sh
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: 'v2.2.4'
|
|
|
|
- name: Check signing key configured
|
|
run: |
|
|
if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
|
|
echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
|
|
exit 1
|
|
fi
|
|
if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
|
|
echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
|
|
fi
|
|
|
|
- name: Verify artifacts exist
|
|
run: |
|
|
cd docs/modules/signals
|
|
sha256sum -c SHA256SUMS
|
|
|
|
- name: Sign signals artifacts
|
|
run: |
|
|
chmod +x tools/cosign/sign-signals.sh
|
|
OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
|
|
|
|
- name: Upload signed artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: signals-evidence-${{ github.run_number }}
|
|
path: |
|
|
${{ env.OUT_DIR }}/*.sigstore.json
|
|
${{ env.OUT_DIR }}/*.dsse
|
|
${{ env.OUT_DIR }}/SHA256SUMS
|
|
if-no-files-found: error
|
|
retention-days: 30
|
|
|
|
- name: Push to Evidence Locker
|
|
if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
|
|
env:
|
|
TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
|
|
URL: ${{ env.EVIDENCE_LOCKER_URL }}
|
|
run: |
|
|
tar -cf /tmp/signals-evidence.tar -C "$OUT_DIR" .
|
|
sha256sum /tmp/signals-evidence.tar
|
|
curl -f -X PUT "$URL/signals/$(date -u +%Y-%m-%d)/signals-evidence.tar" \
|
|
-H "Authorization: Bearer $TOKEN" \
|
|
--data-binary @/tmp/signals-evidence.tar
|
|
echo "Uploaded to Evidence Locker"
|
|
|
|
- name: Evidence Locker skip notice
|
|
if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
|
|
run: |
|
|
echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
|