# AOC Backfill Release Plan (DEVOPS-STORE-AOC-19-005-REL)

Scope: Release/offline-kit packaging for Concelier AOC backfill operations.

## Prerequisites

- Dataset hash from dev rehearsal (AOC-19-005 dev outputs)
- AOC guard tests passing (DEVOPS-AOC-19-001/002/003 - DONE)
- Supersedes rollout plan reviewed (ops/devops/aoc/supersedes-rollout.md)

## Artefacts

- Backfill runner bundle:
  - `aoc-backfill-runner.tar.gz` - CLI tool + scripts
  - `aoc-backfill-runner.sbom.json` - SPDX SBOM
  - `aoc-backfill-runner.dsse.json` - Cosign attestation
- Dataset bundle:
  - `aoc-dataset-{hash}.tar.gz` - Seeded dataset
  - `aoc-dataset-{hash}.manifest.json` - Manifest with checksums
  - `aoc-dataset-{hash}.provenance.json` - SLSA provenance
- Offline kit slice:
  - All above + SHA256SUMS + verification scripts

## Packaging Script

```bash
# Production (CI with secrets)
./ops/devops/aoc/package-backfill-release.sh

# Development (dev key)
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
DATASET_HASH=dev-rehearsal-placeholder \
./ops/devops/aoc/package-backfill-release.sh
```

## Pipeline Outline

1) Build backfill runner from `src/Aoc/StellaOps.Aoc.Cli/`
2) Generate SBOM with syft
3) Sign with cosign (dev key fallback)
4) Package dataset (when hash available)
5) Create offline bundle with checksums
6) Verification:
   - `stella aoc verify --dry-run`
   - `cosign verify-blob` for all bundles
   - `sha256sum --check`
7) Publish to release bucket + offline kit

## Runbook

1) Validate AOC guard tests pass in CI
2) Run dev rehearsal with test dataset
3) Capture dataset hash from rehearsal
4) Execute packaging script with production key
5) Verify all signatures and checksums
6) Upload to release bucket
7) Include in offline kit manifest

## CI Workflow

`.gitea/workflows/aoc-backfill-release.yml`

## Verification

```bash
# Verify bundle signatures
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle out/aoc/aoc-backfill-runner.dsse.json \
  out/aoc/aoc-backfill-runner.tar.gz

# Verify checksums
cd out/aoc && sha256sum -c SHA256SUMS
```
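As an added example, not part of this plan or the project's own tooling, the script below runs the checks an offline kit slice should pass before the cosign step: every artefact from the Artefacts list is present, every file is covered by SHA256SUMS and matches it, and the dev key is only accepted under the same `COSIGN_ALLOW_DEV_KEY=1` switch the packaging script uses. It assumes all artefacts sit flat in one directory and that the dev key lives at `tools/cosign/cosign.dev.pub`.

```shell
#!/usr/bin/env bash
# Added example (not the project's own tooling): pre-publish checks for an
# offline kit slice laid out as in the Artefacts list. Assumed: all files sit
# flat in one directory; the dev key path is tools/cosign/cosign.dev.pub.
set -u

# Required files for a given dataset hash, per the plan's Artefacts section.
kit_required_files() {
  printf '%s\n' \
    aoc-backfill-runner.tar.gz aoc-backfill-runner.sbom.json \
    aoc-backfill-runner.dsse.json "aoc-dataset-$1.tar.gz" \
    "aoc-dataset-$1.manifest.json" "aoc-dataset-$1.provenance.json" SHA256SUMS
}

# Returns 0 when every required artefact exists, 1 otherwise (names missing ones).
verify_kit_layout() {
  local dir="$1" hash="$2" missing=0 f
  for f in $(kit_required_files "$hash"); do
    [ -e "$dir/$f" ] || { echo "missing: $f" >&2; missing=1; }
  done
  return "$missing"
}

# Every artefact must be listed in SHA256SUMS and every listed digest must match,
# so an extra or swapped file fails just like a corrupted one.
verify_kit_checksums() {
  local dir="$1" f
  for f in "$dir"/*; do
    f=${f##*/}
    [ "$f" = SHA256SUMS ] && continue
    grep -q -- "[ *]$f\$" "$dir/SHA256SUMS" || { echo "unlisted: $f" >&2; return 1; }
  done
  (cd "$dir" && sha256sum --quiet -c SHA256SUMS)
}

# The dev key is only acceptable when COSIGN_ALLOW_DEV_KEY=1, the same switch the
# packaging script uses; any other key path passes this policy check.
check_signing_key_policy() {
  case "$1" in
    */cosign.dev.pub) [ "${COSIGN_ALLOW_DEV_KEY:-0}" = 1 ] ;;
    *) true ;;
  esac
}

# Signature step from the plan's Verification section; needs cosign on PATH.
verify_kit_signatures() {
  check_signing_key_policy "$2" || { echo "dev key rejected" >&2; return 1; }
  cosign verify-blob --key "$2" --bundle "$1/aoc-backfill-runner.dsse.json" \
    "$1/aoc-backfill-runner.tar.gz"
}
```

Run `verify_kit_layout out/aoc <hash>`, `verify_kit_checksums out/aoc` and then `verify_kit_signatures out/aoc <key.pub>` in that order; a non-zero exit from any step means the slice must not be published.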

## Owners

- DevOps Guild (pipeline + packaging)
- Concelier Storage Guild (dataset + backfill logic)
- Platform Security (signing policy)