# Attestor CI/Secrets (DEVOPS-ATTEST-73-001/002)

Artifacts added for the DevOps attestation track:

- `ci.yml` — GitHub Actions workflow (parity stub) that restores/builds/tests the Attestor solution and uploads test artefacts. Offline/airgap friendly when mirrored into a local runner; set `DOTNET_*` envs for determinism.
- Secrets storage plan:
  - Use KMS-backed cosign key refs (e.g., `azurekms://...` or `awskms://...`).
  - Store the ref in the CI secret `ATTESTOR_COSIGN_KEY`; the pipeline passes it via env and never writes key material to disk.
  - Audit logs: enable KMS audit + CI job logs; avoid plaintext key dumps.
- Next steps: wire `.gitea/workflows/attestor-ci.yml` to mirror this job, add `cosign sign-blob` stage for DSSE envelopes, and publish artefacts to `ops/devops/artifacts/attestor/<ts>/` with checksums.
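
The secrets-handling and publish steps above, as an added example helper script (not part of this repo's `ci.yml` or workflow files): it rejects any `ATTESTOR_COSIGN_KEY` that is not a KMS ref, signs a DSSE envelope with `cosign sign-blob` using the ref straight from the environment, and writes a `SHA256SUMS` file into the `ops/devops/artifacts/attestor/<ts>/` directory. It assumes `cosign` is on `PATH` only for the actual signing step; the function names and the timestamp format are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example, not the repo's own code. Key material never touches disk:
# only a KMS reference (azurekms:// or awskms://) is accepted from the environment.
set -eu

# Accept only KMS-backed cosign key references.
is_kms_ref() {
  case "$1" in
    azurekms://*|awskms://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Artefact directory for a run, keyed by a UTC timestamp such as 20240101T000000Z.
artifact_dir() {
  printf 'ops/devops/artifacts/attestor/%s' "$1"
}

# Write SHA-256 checksums for every file in the directory (skipping the checksum
# file itself) and print the path of the resulting SHA256SUMS.
write_checksums() {
  dir="$1"
  (
    cd "$dir"
    for f in ./*; do
      [ "$f" = ./SHA256SUMS ] && continue
      if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"; else shasum -a 256 "$f"; fi
    done > SHA256SUMS
  )
  printf '%s/SHA256SUMS' "$dir"
}

# Sign a DSSE envelope blob; the key ref is read from ATTESTOR_COSIGN_KEY and
# passed to cosign by reference, so no private key is ever written locally.
sign_envelope() {
  envelope="$1"; out="$2"
  if ! is_kms_ref "${ATTESTOR_COSIGN_KEY:-}"; then
    echo "ATTESTOR_COSIGN_KEY must be an azurekms:// or awskms:// reference" >&2
    return 1
  fi
  cosign sign-blob --yes --key "$ATTESTOR_COSIGN_KEY" --output-signature "$out" "$envelope"
}

# Usage: ./sign.sh <envelope.json> <out.sig>  (does nothing when run without args)
if [ "$#" -eq 2 ]; then
  sign_envelope "$1" "$2"
fi
```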