stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/modules/sbom-service/offline-feed-plan.md

1.4 KiB
Raw Permalink Blame History

SBOM Service Offline Feed Plan (prep for PREP-SBOM-CONSOLE-23-001)

Problem

SbomService builds/tests were failing restore due to missing NuGet packages (notably Microsoft.IdentityModel.Tokens >= 8.14.0 and Pkcs11Interop >= 4.1.0). Offline/air-gap posture requires a cached feed.

What landed (2025-11-20)

  • Offline cache populated under local-nugets/packages/ via tools/offline/fetch-sbomservice-deps.sh.
  • Key package hashes:
    • Microsoft.IdentityModel.Tokens.8.14.0.nupkg · SHA256 00b78c7b7023132e1d6b31d305e47524732dce6faca92dd16eb8d05a835bba7a
    • Pkcs11Interop.4.1.0.nupkg · SHA256 8d2b323a3abb9de47a06a3c3b662aa526ee5c1637b70db072c66dc28e6f14c1e
  • Script: tools/offline/fetch-sbomservice-deps.sh (idempotent) hydrates required packages into local-nugets/packages using a minimal probe project with --ignore-failed-sources to stay air-gap friendly.

How to use

# refresh cache if versions change
./tools/offline/fetch-sbomservice-deps.sh

# run SbomService tests offline
DOTNET_NOLOGO=1 dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build --ignore-failed-sources

Next actions

  • If additional packages surface during dotnet restore, append them to the probe project in the script and re-run.
  • Keep local-nugets/ under version control for deterministic builds; update hashes when packages change.

Owners

  • SBOM Service Guild · Build/Infra (sprint 0142_0001_0001).