2e70c9fdb6
Some checks failed
LNM Migration CI / build-runner (push) Has been cancelled
Ledger OpenAPI CI / deprecation-check (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Ledger Packs CI / build-pack (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Ledger OpenAPI CI / validate-oas (push) Has been cancelled
Ledger OpenAPI CI / check-wellknown (push) Has been cancelled
Ledger Packs CI / verify-pack (push) Has been cancelled
LNM Migration CI / validate-metrics (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
71 lines
2.3 KiB
YAML
71 lines
2.3 KiB
YAML
name: Advisory AI Feed Release
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
allow_dev_key:
|
|
description: 'Allow dev key for testing (1=yes)'
|
|
required: false
|
|
default: '0'
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'src/AdvisoryAI/feeds/**'
|
|
- 'docs/samples/advisory-feeds/**'
|
|
|
|
jobs:
|
|
package-feeds:
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: 'v2.6.0'
|
|
|
|
- name: Fallback to dev key when secret is absent
|
|
run: |
|
|
if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
|
|
echo "[warn] COSIGN_PRIVATE_KEY_B64 not set; using dev key for non-production"
|
|
echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
|
|
echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
|
|
fi
|
|
# Manual override
|
|
if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
|
|
echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
|
|
echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
|
|
fi
|
|
|
|
- name: Package advisory feeds
|
|
run: |
|
|
chmod +x ops/deployment/advisory-ai/package-advisory-feeds.sh
|
|
ops/deployment/advisory-ai/package-advisory-feeds.sh
|
|
|
|
- name: Generate SBOM
|
|
run: |
|
|
# Install syft
|
|
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
|
|
|
|
# Generate SBOM for feed bundle
|
|
syft dir:out/advisory-ai/feeds/stage \
|
|
-o spdx-json=out/advisory-ai/feeds/advisory-feeds.sbom.json \
|
|
--name advisory-feeds
|
|
|
|
- name: Upload artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: advisory-feeds-${{ github.run_number }}
|
|
path: |
|
|
out/advisory-ai/feeds/advisory-feeds.tar.gz
|
|
out/advisory-ai/feeds/advisory-feeds.manifest.json
|
|
out/advisory-ai/feeds/advisory-feeds.manifest.dsse.json
|
|
out/advisory-ai/feeds/advisory-feeds.sbom.json
|
|
out/advisory-ai/feeds/provenance.json
|
|
if-no-files-found: warn
|
|
retention-days: 30
|