150b3730ef
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
83 lines
2.0 KiB
Bash
83 lines
2.0 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# DEVOPS-CLI-41-001: Build multi-platform CLI binaries with SBOM and checksums.
|
|
|
|
RIDS="${RIDS:-linux-x64,win-x64,osx-arm64}"
|
|
CONFIG="${CONFIG:-Release}"
|
|
PROJECT="src/Cli/StellaOps.Cli/StellaOps.Cli.csproj"
|
|
OUT_ROOT="out/cli"
|
|
SBOM_TOOL="${SBOM_TOOL:-syft}" # syft|none
|
|
SIGN="${SIGN:-false}"
|
|
COSIGN_KEY="${COSIGN_KEY:-}"
|
|
|
|
IFS=',' read -ra TARGETS <<< "$RIDS"
|
|
|
|
mkdir -p "$OUT_ROOT"
|
|
|
|
if ! command -v dotnet >/dev/null 2>&1; then
|
|
echo "[cli-build] dotnet CLI not found" >&2
|
|
exit 69
|
|
fi
|
|
|
|
generate_sbom() {
|
|
local dir="$1"
|
|
local sbom="$2"
|
|
if [[ "$SBOM_TOOL" == "syft" ]] && command -v syft >/dev/null 2>&1; then
|
|
syft "dir:${dir}" -o json > "$sbom"
|
|
fi
|
|
}
|
|
|
|
sign_file() {
|
|
local file="$1"
|
|
if [[ "$SIGN" == "true" && -n "$COSIGN_KEY" && -x "$(command -v cosign || true)" ]]; then
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key "$COSIGN_KEY" --output-signature "${file}.sig" "$file"
|
|
fi
|
|
}
|
|
|
|
for rid in "${TARGETS[@]}"; do
|
|
echo "[cli-build] publishing for $rid"
|
|
out_dir="${OUT_ROOT}/${rid}"
|
|
publish_dir="${out_dir}/publish"
|
|
mkdir -p "$publish_dir"
|
|
|
|
dotnet publish "$PROJECT" -c "$CONFIG" -r "$rid" \
|
|
-o "$publish_dir" \
|
|
--self-contained true \
|
|
-p:PublishSingleFile=true \
|
|
-p:PublishTrimmed=false \
|
|
-p:DebugType=None \
|
|
>/dev/null
|
|
|
|
# Package
|
|
archive_ext="tar.gz"
|
|
archive_cmd=(tar -C "$publish_dir" -czf)
|
|
if [[ "$rid" == win-* ]]; then
|
|
archive_ext="zip"
|
|
archive_cmd=(zip -jr)
|
|
fi
|
|
|
|
archive_name="stella-cli-${rid}.${archive_ext}"
|
|
archive_path="${out_dir}/${archive_name}"
|
|
"${archive_cmd[@]}" "$archive_path" "$publish_dir"
|
|
|
|
sha256sum "$archive_path" > "${archive_path}.sha256"
|
|
sign_file "$archive_path"
|
|
|
|
# SBOM
|
|
generate_sbom "$publish_dir" "${archive_path}.sbom.json"
|
|
done
|
|
|
|
# Build manifest
|
|
manifest="${OUT_ROOT}/manifest.json"
|
|
cat > "$manifest" <<EOF
|
|
{
|
|
"generated_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
|
|
"config": "$CONFIG",
|
|
"rids": [$(printf '"%s",' "${TARGETS[@]}" | sed 's/,$//')],
|
|
"artifacts_root": "$OUT_ROOT"
|
|
}
|
|
EOF
|
|
|
|
echo "[cli-build] artifacts in $OUT_ROOT"
|