# AOC Backfill Release Plan (DEVOPS-STORE-AOC-19-005-REL)

Scope: Release/offline-kit packaging for Concelier AOC backfill operations.

## Prerequisites

- Dataset hash from dev rehearsal (AOC-19-005 dev outputs)
- AOC guard tests passing (DEVOPS-AOC-19-001/002/003 - DONE)
- Supersedes rollout plan reviewed (`ops/devops/aoc/supersedes-rollout.md`)

## Artefacts

- Backfill runner bundle:
  - `aoc-backfill-runner.tar.gz` - CLI tool + scripts
  - `aoc-backfill-runner.sbom.json` - SPDX SBOM
  - `aoc-backfill-runner.dsse.json` - Cosign attestation
- Dataset bundle:
  - `aoc-dataset-{hash}.tar.gz` - Seeded dataset
  - `aoc-dataset-{hash}.manifest.json` - Manifest with checksums
  - `aoc-dataset-{hash}.provenance.json` - SLSA provenance
- Offline kit slice:
  - All above + `SHA256SUMS` + verification scripts

## Packaging Script

```bash
# Production (CI with secrets)
./ops/devops/aoc/package-backfill-release.sh

# Development (dev key)
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
DATASET_HASH=dev-rehearsal-placeholder \
./ops/devops/aoc/package-backfill-release.sh
```

## Pipeline Outline

- Build backfill runner from `src/Aoc/StellaOps.Aoc.Cli/`
- Generate SBOM with syft
- Sign with cosign (dev key fallback)
- Package dataset (when hash available)
- Create offline bundle with checksums
- Verification:
  - `stella aoc verify --dry-run`
  - `cosign verify-blob` for all bundles
  - `sha256sum --check`
- Publish to release bucket + offline kit

## Runbook

- Validate AOC guard tests pass in CI
- Run dev rehearsal with test dataset
- Capture dataset hash from rehearsal
- Execute packaging script with production key
- Verify all signatures and checksums
- Upload to release bucket
- Include in offline kit manifest

## CI Workflow

`.gitea/workflows/aoc-backfill-release.yml`

## Verification

```bash
# Verify bundle signatures
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle out/aoc/aoc-backfill-runner.dsse.json \
  out/aoc/aoc-backfill-runner.tar.gz

# Verify checksums
cd out/aoc && sha256sum -c SHA256SUMS
```
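As an added example that is not part of this plan or the project's own verification scripts, the shell below wraps the two checks above (and the "Verification" step of the pipeline outline) into fail-closed functions that an operator can run against an offline kit slice as a whole rather than one artefact at a time. It assumes the layout listed under Artefacts: a directory holding `SHA256SUMS` and `<name>.tar.gz` / `<name>.dsse.json` pairs. The function names (`sha256_check`, `verify_bundle`, `verify_kit`) and the script file name are mine; the public key argument must be the key the bundle was actually signed with. `tools/cosign/cosign.dev.pub` only validates dev-key-signed rehearsal builds, and production bundles need the production public key, whose path this page does not give.

```shell
#!/usr/bin/env sh
# verify-aoc-kit.sh (added example, not the project's own verification script).
# Verifies an AOC backfill offline-kit slice: checksums first, then one
# cosign verify-blob per tarball against its sibling .dsse.json bundle.
# Assumed layout: <kit-dir>/SHA256SUMS, <kit-dir>/<name>.tar.gz, <kit-dir>/<name>.dsse.json
set -u

# Run `sha256sum -c` (or shasum on hosts without coreutils) over SHA256SUMS in $1.
# --strict makes malformed lines fail too, so a truncated manifest is rejected.
sha256_check() {
    kit_dir=$1
    [ -f "$kit_dir/SHA256SUMS" ] || { echo "missing $kit_dir/SHA256SUMS" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$kit_dir" && sha256sum -c --strict SHA256SUMS)
    elif command -v shasum >/dev/null 2>&1; then
        (cd "$kit_dir" && shasum -a 256 -c --strict SHA256SUMS)
    else
        echo "no sha256 tool found; refusing to accept $kit_dir" >&2
        return 2
    fi
}

# Verify one tarball ($2) with cosign against public key $1 and the bundle
# named like the page's artefacts: aoc-backfill-runner.tar.gz -> aoc-backfill-runner.dsse.json
# A missing bundle or a missing cosign binary is a failure, never a skip.
verify_bundle() {
    pub_key=$1
    artefact=$2
    bundle="${artefact%.tar.gz}.dsse.json"
    [ -f "$bundle" ] || { echo "missing signature bundle $bundle" >&2; return 1; }
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed; refusing to accept $artefact" >&2; return 2; }
    cosign verify-blob --key "$pub_key" --bundle "$bundle" "$artefact"
}

# Whole-kit check: checksums must pass before any signature is examined, and
# every tarball in the directory must carry a valid bundle.
verify_kit() {
    kit_dir=$1
    pub_key=$2
    sha256_check "$kit_dir" || { echo "checksum verification failed for $kit_dir" >&2; return 1; }
    for artefact in "$kit_dir"/*.tar.gz; do
        [ -e "$artefact" ] || { echo "no .tar.gz artefacts in $kit_dir" >&2; return 1; }
        verify_bundle "$pub_key" "$artefact" || return 1
    done
    return 0
}

# Usage: sh verify-aoc-kit.sh <kit-dir> <public-key>; with no arguments only the functions are defined.
if [ "$#" -ge 2 ]; then
    verify_kit "$1" "$2" || exit 1
    echo "kit verified: $1"
fi
```

Run it as `sh verify-aoc-kit.sh out/aoc tools/cosign/cosign.dev.pub` for a dev rehearsal kit. Checksums are checked before cosign is invoked so a tampered or missing tarball is rejected before any signature work, and the `*.tar.gz` loop means a dataset bundle dropped into the kit without its `.dsse.json` fails the whole kit rather than slipping through unsigned.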
## Owners

- DevOps Guild (pipeline + packaging)
- Concelier Storage Guild (dataset + backfill logic)
- Platform Security (signing policy)