# SDK Publishing Pipeline (DEVOPS-SDK-63-001)

Scope: registry credentials, signing keys, and secure storage for SDK publishing.

## Artifacts

- Scripts: `scripts/sdk/generate-cert.sh`, `scripts/sdk/sign-packages.sh`, `scripts/sdk/publish.sh`.
- CI: `.gitea/workflows/sdk-publish.yml` (build/test if present, sign, publish, and export offline kit).
- Local feed: defaults to `local-nugets/packages` for offline/file-based distribution.

## Secrets / env

- `SDK_SIGNING_CERT_B64` — base64 PKCS#12 (PFX) code-signing cert (generate with `generate-cert.sh`).
- `SDK_SIGNING_CERT_PASSWORD` — PFX password (empty allowed for dev).
- `SDK_NUGET_SOURCE` — NuGet feed (HTTP URL or local path; default `local-nugets/packages`).
- `SDK_NUGET_API_KEY` — API key for HTTP feeds (not used for file feeds).

## Usage

1) Generate signing cert (dev/stage):

```bash
scripts/sdk/generate-cert.sh
# read base64 from out/sdk-signing/README.txt and load into secrets
```

2) Build/pack SDK (upstream generator publishes .nupkg into `out/sdk/` or `local-nugets/packages/`).

3) Sign packages:

```bash
SDK_SIGNING_CERT_B64=... SDK_SIGNING_CERT_PASSWORD=... scripts/sdk/sign-packages.sh
```

4) Publish:

```bash
SDK_NUGET_SOURCE=https://nuget.example.com/v3/index.json SDK_NUGET_API_KEY=... scripts/sdk/publish.sh
# or to file feed (default): scripts/sdk/publish.sh
```
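The signing step above, as an added example that is not the repository's `scripts/sdk/sign-packages.sh`: it decodes `SDK_SIGNING_CERT_B64` into a 0600 temp file, signs each `.nupkg` found under `out/sdk` and `local-nugets/packages` with `dotnet nuget sign`, removes the PFX afterwards, and is a no-op when no packages exist. `SDK_SIGN_CMD` and `SDK_SIGN_RUN` are assumed hooks that the project does not define.

```bash
#!/usr/bin/env bash
# Added example, not the repo's scripts/sdk/sign-packages.sh. Decodes the
# SDK_SIGNING_CERT_B64 secret into a 0600 temp file, signs every .nupkg under
# out/sdk and local-nugets/packages, and scrubs the PFX from disk afterwards.
# SDK_SIGN_CMD is an assumed hook so the signing tool can be swapped for tests.
set -eu

# List .nupkg files under the two directories the CI job scans (missing dirs are fine).
find_packages() {
  find "${1:-out/sdk}" "${2:-local-nugets/packages}" -type f -name '*.nupkg' 2>/dev/null || true
}

# Decode the base64 PFX into a private temp file and print its path.
materialise_cert() {
  b64="$1"
  [ -n "$b64" ] || { echo "SDK_SIGNING_CERT_B64 is empty" >&2; return 1; }
  tmp="$(mktemp)" && chmod 600 "$tmp"
  printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null || { rm -f "$tmp"; echo "bad base64" >&2; return 1; }
  [ -s "$tmp" ] || { rm -f "$tmp"; echo "decoded PFX is empty" >&2; return 1; }
  printf '%s\n' "$tmp"
}

# Sign one package; an empty password is allowed for dev certs, as the README notes.
sign_one() {
  if [ -n "${3:-}" ]; then
    ${SDK_SIGN_CMD:-dotnet nuget sign} "$1" --certificate-path "$2" --certificate-password "$3" --overwrite
  else
    ${SDK_SIGN_CMD:-dotnet nuget sign} "$1" --certificate-path "$2" --overwrite
  fi
}

# Sign everything found, or return 0 with a message when there is nothing to sign
# (the pipeline's no-op behaviour for config-only updates).
sign_packages() {
  pkgs="$(find_packages "${1:-out/sdk}" "${2:-local-nugets/packages}")"
  if [ -z "$pkgs" ]; then echo "no .nupkg found; nothing to sign"; return 0; fi
  cert="$(materialise_cert "${SDK_SIGNING_CERT_B64:-}")" || return 1
  status=0
  for pkg in $pkgs; do
    sign_one "$pkg" "$cert" "${SDK_SIGNING_CERT_PASSWORD:-}" || { status=1; break; }
  done
  rm -f "$cert"   # never leave the decoded PFX on the runner, even after a failure
  return $status
}

# Run directly with SDK_SIGN_RUN=1 so that sourcing the file for tests does not sign.
if [ "${SDK_SIGN_RUN:-0}" = "1" ]; then sign_packages "$@"; fi
```

Package paths are split on whitespace, so keep `.nupkg` files out of directories with spaces in their names.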

## CI behavior

- Restores, optionally builds/tests if an SDK solution is present, signs any `.nupkg` under `out/sdk` or `local-nugets/packages`, then publishes to `SDK_NUGET_SOURCE` and uploads `out/sdk` as an artifact.
- No-op if no packages are present (keeps the pipeline green for config-only updates).

## Secure storage

- Do not commit keys. Store certs in the CI secret store; for manual ops, keep encrypted blobs outside the repo (e.g., a vault entry with `SDK_SIGNING_CERT_B64` + password).