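# Risk Bundle CI
#
# Builds the ExportCenter risk bundle from fixtures, verifies it, emits
# SHA-256 checksums, repackages the result into the offline-kit layout and,
# on main, publishes a dated copy of the checksums plus a latest.json pointer.
#
# Jobs:
#   risk-bundle-build       restore / build / unit-test, build + verify bundle, checksums
#   risk-bundle-offline-kit repackage the build artifacts into the offline-kit layout
#   publish-checksums       dated checksums + latest.json (main only)
name: Risk Bundle CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
      - 'ops/devops/risk-bundle/**'
      - '.gitea/workflows/risk-bundle-ci.yml'
      - 'docs/modules/export-center/operations/risk-bundle-*.md'
  pull_request:
    branches: [main, develop]
    paths:
      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
      - 'ops/devops/risk-bundle/**'
      - '.gitea/workflows/risk-bundle-ci.yml'
      - 'docs/modules/export-center/operations/risk-bundle-*.md'
  workflow_dispatch:
    inputs:
      # NOTE(review): include_osv is declared but no step below reads it
      # (neither ${{ inputs.include_osv }} nor github.event.inputs.include_osv
      # appears in this file) — wire it into build-bundle.sh or drop the input.
      include_osv:
        description: 'Include OSV providers (larger bundle)'
        type: boolean
        default: false
      publish_checksums:
        description: 'Publish checksums to artifact store'
        type: boolean
        default: true

# Least privilege: no job here pushes to the repository; artifact upload and
# download do not need write scopes. (Gitea Actions may ignore this key —
# harmless if so, and it documents intent for any runner that honours it.)
permissions:
  contents: read

defaults:
  run:
    # Explicit bash adds `-o pipefail`, so a failing command inside a pipeline
    # fails the step instead of being masked by the last command's status.
    shell: bash

jobs:
  risk-bundle-build:
    runs-on: ubuntu-22.04
    env:
      DOTNET_VERSION: '10.0.100'
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      BUNDLE_OUTPUT: ${{ github.workspace }}/.artifacts/risk-bundle
    steps:
      - name: Checkout
        # NOTE(review): every `uses:` in this file is pinned to a mutable major
        # tag (@v4). Pinning third-party actions to a full commit SHA is the
        # usual supply-chain hardening for workflows — left as a follow-up
        # because the correct SHAs are not on this page.
        uses: actions/checkout@v4
        with:
          # NOTE(review): full-history clone; presumably needed by
          # build-bundle.sh or for version stamping — confirm, otherwise drop.
          fetch-depth: 0

      - name: Export OpenSSL 1.1 shim for Mongo2Go
        run: scripts/enable-openssl11-shim.sh

      - name: Set up .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true

      - name: Restore
        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj

      - name: Build
        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj -c Release /p:ContinuousIntegrationBuild=true

      - name: Test RiskBundle unit tests
        # Only the RiskBundle-related tests of the ExportCenter test project run here;
        # results are written as .trx into ARTIFACT_DIR for the upload step below.
        run: |
          mkdir -p "$ARTIFACT_DIR"
          dotnet test src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj \
            -c Release \
            --filter "FullyQualifiedName~RiskBundle" \
            --logger "trx;LogFileName=risk-bundle-tests.trx" \
            --results-directory "$ARTIFACT_DIR"

      - name: Build risk bundle (fixtures)
        run: |
          mkdir -p "$BUNDLE_OUTPUT"
          ops/devops/risk-bundle/build-bundle.sh --output "$BUNDLE_OUTPUT" --fixtures-only

      - name: Verify bundle integrity
        run: ops/devops/risk-bundle/verify-bundle.sh "$BUNDLE_OUTPUT/risk-bundle.tar.gz"

      - name: Generate checksums
        # These checksums are computed on the same runner that built the bundle,
        # so downstream `sha256sum -c` only detects corruption between jobs, not
        # tampering by whoever controls this job. Provenance is meant to come from
        # risk-bundle.tar.gz.sig, which later steps reference but no step in this
        # file produces — presumably build-bundle.sh; confirm.
        run: |
          cd "$BUNDLE_OUTPUT"
          sha256sum risk-bundle.tar.gz > risk-bundle.tar.gz.sha256
          sha256sum manifest.json > manifest.json.sha256
          cat risk-bundle.tar.gz.sha256 manifest.json.sha256 > checksums.txt
          echo "Bundle checksums:"
          cat checksums.txt

      - name: Upload risk bundle artifacts
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-artifacts
          # All paths share BUNDLE_OUTPUT as their root on purpose: upload-artifact
          # roots the artifact at the least common ancestor of its paths, so mixing
          # in ARTIFACT_DIR/*.trx would place these files under a risk-bundle/
          # sub-directory on download and break the `cp $ARTIFACT_DIR/...` lines in
          # the two downstream jobs. The .trx files are uploaded by the next step.
          # The per-file .sha256 files are included because the offline kit's
          # kit-manifest.json references them as checksum_file entries.
          path: |
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz.sig
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz.sha256
            ${{ env.BUNDLE_OUTPUT }}/manifest.json
            ${{ env.BUNDLE_OUTPUT }}/manifest.json.sha256
            ${{ env.BUNDLE_OUTPUT }}/checksums.txt

      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: risk-bundle-test-results
          path: ${{ env.ARTIFACT_DIR }}/*.trx

  risk-bundle-offline-kit:
    runs-on: ubuntu-22.04
    needs: risk-bundle-build
    env:
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      OFFLINE_KIT_DIR: ${{ github.workspace }}/.artifacts/offline-kit
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Download risk bundle artifacts
        uses: actions/download-artifact@v4
        with:
          name: risk-bundle-artifacts
          path: ${{ env.ARTIFACT_DIR }}

      - name: Package for offline kit
        run: |
          KIT="$OFFLINE_KIT_DIR/risk-bundles"
          mkdir -p "$KIT"
          cp "$ARTIFACT_DIR/risk-bundle.tar.gz" "$KIT/"
          cp "$ARTIFACT_DIR/manifest.json" "$KIT/"
          cp "$ARTIFACT_DIR/checksums.txt" "$KIT/"
          # Per-file checksum files: kit-manifest.json below points at them.
          cp "$ARTIFACT_DIR/risk-bundle.tar.gz.sha256" "$KIT/"
          cp "$ARTIFACT_DIR/manifest.json.sha256" "$KIT/"
          # The signature is optional at this stage (no signing step in this
          # workflow); surface its absence instead of silently continuing.
          if [ -f "$ARTIFACT_DIR/risk-bundle.tar.gz.sig" ]; then
            cp "$ARTIFACT_DIR/risk-bundle.tar.gz.sig" "$KIT/"
          else
            echo "::warning::risk-bundle.tar.gz.sig not found; offline kit will be unsigned"
          fi

          # Create offline kit manifest entry.
          # NOTE(review): "version" is a build timestamp, so two builds of the same
          # commit produce different kits; a commit-derived version would be
          # reproducible — confirm what consumers of kit-manifest.json expect.
          cat > "$KIT/kit-manifest.json" <<EOF
          {
            "component": "risk-bundle",
            "version": "$(date -u +%Y%m%d-%H%M%S)",
            "files": [
              {"path": "risk-bundle.tar.gz", "checksum_file": "risk-bundle.tar.gz.sha256"},
              {"path": "manifest.json", "checksum_file": "manifest.json.sha256"}
            ],
            "verification": {
              "checksums": "checksums.txt",
              "signature": "risk-bundle.tar.gz.sig"
            }
          }
          EOF

      - name: Verify offline kit structure
        # checksums.txt holds bare file names, so verification must run from
        # inside the risk-bundles directory.
        run: |
          echo "Offline kit structure:"
          find "$OFFLINE_KIT_DIR" -type f
          echo ""
          echo "Checksum verification:"
          cd "$OFFLINE_KIT_DIR/risk-bundles"
          sha256sum -c checksums.txt

      - name: Upload offline kit
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-offline-kit
          path: ${{ env.OFFLINE_KIT_DIR }}

  publish-checksums:
    runs-on: ubuntu-22.04
    needs: risk-bundle-build
    # Only from main: every push, or a manual dispatch that opted in.
    if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event.inputs.publish_checksums == 'true')
    env:
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Download risk bundle artifacts
        uses: actions/download-artifact@v4
        with:
          name: risk-bundle-artifacts
          path: ${{ env.ARTIFACT_DIR }}

      - name: Publish checksums
        run: |
          echo "Publishing checksums for risk bundle..."
          # Compute the date once so the dated directory and latest.json agree
          # even if the step straddles midnight UTC.
          DAY="$(date -u +%Y-%m-%d)"
          STAMP="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
          CHECKSUM_DIR="out/checksums/risk-bundle/$DAY"
          mkdir -p "$CHECKSUM_DIR"
          cp "$ARTIFACT_DIR/checksums.txt" "$CHECKSUM_DIR/"
          cp "$ARTIFACT_DIR/manifest.json" "$CHECKSUM_DIR/"

          # Create the "latest" pointer manifest (a JSON file, not a symlink)
          cat > out/checksums/risk-bundle/latest.json <<EOF
          {
            "date": "$STAMP",
            "path": "$DAY/checksums.txt",
            "manifest": "$DAY/manifest.json"
          }
          EOF

          echo "Checksums published to $CHECKSUM_DIR"
          cat "$CHECKSUM_DIR/checksums.txt"

      - name: Upload published checksums
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-published-checksums
          path: out/checksums/risk-bundle/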