git.stella-ops.org/devops/attestation
2025-12-26 18:11:06 +02:00

Attestor CI/Secrets (DEVOPS-ATTEST-73-001/002)

Artifacts added for the DevOps attestation track:

  • ci.yml — GitHub Actions workflow (parity stub) that restores, builds and tests the Attestor solution and uploads the test artefacts. Offline/airgap friendly when mirrored onto a local runner; set the DOTNET_* environment variables for deterministic builds.
  • Secrets storage plan:
    • Use KMS-backed cosign key references (e.g., azurekms://... or awskms://...) rather than key files.
    • Store the reference in the CI secret ATTESTOR_COSIGN_KEY; the pipeline passes it to cosign via the environment and never writes key material to disk.
    • Audit logs: enable KMS audit logging and keep the CI job logs; never dump keys in plaintext.
  • Next steps: wire .gitea/workflows/attestor-ci.yml to mirror this job, add a cosign sign-blob stage for DSSE envelopes, and publish artefacts to ops/devops/artifacts/attestor/<ts>/ with checksums.
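As an added illustration of the secrets plan above (not a file from this repository), a GitHub Actions job fragment that takes the KMS key reference from the ATTESTOR_COSIGN_KEY secret, passes it to cosign only through the environment, rejects anything that is not a KMS reference, and signs a build artefact. The job name, artefact path and action versions are assumptions.

```yaml
# Added example, not part of the repository. Job name, artefact path and
# action versions are assumptions; the secret name comes from the plan above.
sign-attestations:
  runs-on: ubuntu-latest
  env:
    DOTNET_NOLOGO: "1"                  # quiet, deterministic dotnet output
    DOTNET_CLI_TELEMETRY_OPTOUT: "1"
    # KMS key reference only (e.g. azurekms://... or awskms://...), never a PEM.
    ATTESTOR_COSIGN_KEY: ${{ secrets.ATTESTOR_COSIGN_KEY }}
  steps:
    - uses: actions/checkout@v4
    - uses: sigstore/cosign-installer@v3   # mirror this action for airgapped runners
    - name: Refuse anything that is not a KMS key reference
      run: |
        case "$ATTESTOR_COSIGN_KEY" in
          awskms://*|azurekms://*|gcpkms://*|hashivault://*) ;;
          *) echo "ATTESTOR_COSIGN_KEY must be a KMS key reference" >&2; exit 1 ;;
        esac
    - name: Sign build artefact
      run: |
        # cosign reads the reference from the environment and asks the KMS to
        # sign; no private key material ever touches the runner's disk.
        cosign sign-blob --yes \
          --key "$ATTESTOR_COSIGN_KEY" \
          --output-signature artefacts/attestor.tar.gz.sig \
          artefacts/attestor.tar.gz
    - uses: actions/upload-artifact@v4
      with:
        name: attestor-signatures
        path: artefacts/attestor.tar.gz.sig
```

The job log records only the key reference and the signing step's outcome; the record of which principal used the key comes from the KMS provider's audit log, as the plan requires.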