git.stella-ops.org/ops/devops
StellaOps Bot 999e26a48e up
2025-12-13 02:22:15 +02:00

DevOps Release Automation

The release workflow builds and signs the StellaOps service containers, generates SBOM + provenance attestations, and emits a canonical release.yaml. The logic lives under ops/devops/release/ and is invoked by the new .gitea/workflows/release.yml pipeline.

Local dry run

./ops/devops/release/build_release.py \
  --version 2025.10.0-edge \
  --channel edge \
  --dry-run

Outputs land under out/release/. Use --no-push to run full builds without pushing to the registry.

After the build completes, run the verifier to validate recorded hashes and artefact presence:

python ops/devops/release/verify_release.py --release-dir out/release

Python analyzer smoke & signing

dotnet run --project src/Tools/LanguageAnalyzerSmoke exercises the Python language analyzer plug-in against the golden fixtures (cold/warm timings, determinism). The release workflow runs this harness automatically and then produces Cosign signatures + SHA-256 sidecars for StellaOps.Scanner.Analyzers.Lang.Python.dll and its manifest.json. Keep COSIGN_KEY_REF/COSIGN_IDENTITY_TOKEN populated so the step can sign the artefacts; the generated .sig/.sha256 files ship with the Offline Kit bundle.

Required tooling

  • Docker 25+ with Buildx
  • .NET 10 preview SDK (builds container stages and the SBOM generator)
  • Node.js 20 (Angular UI build)
  • Helm 3.16+
  • Cosign 2.2+

Supply signing material via environment variables:

  • COSIGN_KEY_REF e.g. file:./keys/cosign.key or azurekms://…
  • COSIGN_PASSWORD password protecting the above key

The workflow defaults to multi-arch (linux/amd64,linux/arm64), SBOM in CycloneDX, and SLSA provenance (https://slsa.dev/provenance/v1).

Debug store extraction

build_release.py now exports stripped debug artefacts for every ELF discovered in the published images. The files land under out/release/debug/.build-id/<aa>/<rest>.debug, with metadata captured in debug/debug-manifest.json (and a .sha256 sidecar). Use jq to inspect the manifest or readelf -n to spot-check a build-id. Offline Kit packaging should reuse the debug/ directory as-is.
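An added check in the spirit of verify_release.py, written for this README rather than taken from the project: it walks a debug/ directory, confirms each entry's path follows the .build-id/<aa>/<rest>.debug layout, that the file is present, that its SHA-256 matches the manifest, and that the manifest's own .sha256 sidecar agrees. The manifest schema ({"artifacts": [{"build_id", "path", "sha256"}]}) and the sample store it builds are assumptions.

```python
# Added example, not the project's build_release.py / verify_release.py: checks a
# debug store laid out as the README describes. The manifest schema
# ({"artifacts": [{"build_id", "path", "sha256"}]}) is an assumption.
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def expected_debug_path(build_id):
    # GNU build-id -> .build-id/<aa>/<rest>.debug, the layout the README names
    bid = build_id.lower()
    if len(bid) < 4 or set(bid) - set("0123456789abcdef"):
        raise ValueError(f"malformed build-id: {build_id!r}")
    return f".build-id/{bid[:2]}/{bid[2:]}.debug"

def verify_debug_store(debug_dir):
    """Return a list of problems; empty means layout, presence and hashes agree."""
    root, problems = Path(debug_dir), []
    manifest = root / "debug-manifest.json"
    sidecar = root / "debug-manifest.json.sha256"  # covers the manifest itself
    if not sidecar.exists():
        problems.append("manifest sidecar missing")
    elif sidecar.read_text().split()[0] != sha256_file(manifest):
        problems.append("manifest sidecar hash mismatch")
    for e in json.loads(manifest.read_text())["artifacts"]:
        want, full = expected_debug_path(e["build_id"]), root / e["path"]
        if e["path"] != want:
            problems.append(f"{e['build_id']}: path {e['path']} != {want}")
        elif not full.exists():
            problems.append(f"{e['build_id']}: file missing")
        elif sha256_file(full) != e["sha256"]:
            problems.append(f"{e['build_id']}: sha256 mismatch")
    return problems

def make_sample_store(tamper=False):
    # Constructed sample: one fake .debug file plus manifest and its sidecar.
    root, bid = Path(tempfile.mkdtemp()), "ab12cd34ef56"
    debug_file = root / expected_debug_path(bid)
    debug_file.parent.mkdir(parents=True)
    debug_file.write_bytes(b"\x7fELF constructed debug payload")
    digest = "0" * 64 if tamper else sha256_file(debug_file)
    manifest = root / "debug-manifest.json"
    manifest.write_text(json.dumps({"artifacts": [
        {"build_id": bid, "path": expected_debug_path(bid), "sha256": digest}]}))
    (root / "debug-manifest.json.sha256").write_text(
        sha256_file(manifest) + "  debug-manifest.json\n")
    return str(root)
```

Point verify_debug_store at out/release/debug/ to run it against a real build; any non-empty return is a reason not to package that directory into the Offline Kit.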

UI auth smoke (Playwright)

As part of DEVOPS-UI-13-006 the pipelines will execute the UI auth smoke tests (npm run test:e2e) after building the Angular bundle. See docs/modules/ui/operations/auth-smoke.md for the job design, environment stubs, and offline runner considerations.

NuGet preview bootstrap

.NET 10 preview packages (Microsoft.Extensions.*, JwtBearer 10.0 RC, Sqlite 9 RC) ship from the public dotnet-public Azure DevOps feed. We mirror them into ./local-nuget so restores succeed inside Offline Kit.

  1. Run ./ops/devops/sync-preview-nuget.sh whenever you update the manifest.
  2. The script now understands the optional SourceBase column (V3 flat container) and writes packages alongside their SHA-256 checksums.
  3. NuGet.config registers the mirror (local), dotnet-public, and nuget.org.

Use python3 ops/devops/validate_restore_sources.py to prove the repo still prefers the local mirror and that Directory.Build.props enforces the same order. The validator now runs automatically in the build-test-deploy and release workflows so CI fails fast when a feed priority regression slips in.
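An added example of the kind of feed-priority check described above; it is not the project's validate_restore_sources.py. It parses a NuGet.config, confirms the sources are declared as local, dotnet-public, nuget.org behind a leading <clear/>, and confirms that Directory.Build.props pins the same order through a RestoreSources property (an assumption about how that file enforces the order). Both sample files are constructed here and the feed URLs are placeholders.

```python
# Added example, not the project's validate_restore_sources.py: checks that
# NuGet.config lists local, dotnet-public, nuget.org in that order behind a
# <clear/>, and that Directory.Build.props pins the same order via RestoreSources
# (assumed). Both sample files are constructed; the feed URLs are placeholders.
import xml.etree.ElementTree as ET

EXPECTED = ["local", "dotnet-public", "nuget.org"]

NUGET_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="local" value="./local-nuget" />
    <add key="dotnet-public" value="https://dotnet-public.example/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""

BUILD_PROPS = """<Project>
  <PropertyGroup>
    <RestoreSources>./local-nuget;https://dotnet-public.example/index.json;https://api.nuget.org/v3/index.json</RestoreSources>
  </PropertyGroup>
</Project>"""

def nuget_sources(config_xml):
    """Return ([(key, value), ...] in declaration order, leading_clear)."""
    sources = ET.fromstring(config_xml).find("packageSources")
    if sources is None:
        raise ValueError("NuGet.config has no <packageSources>")
    kids = list(sources)
    adds = [(k.get("key"), k.get("value")) for k in kids if k.tag == "add"]
    return adds, bool(kids) and kids[0].tag == "clear"

def restore_sources(props_xml):
    """Return the RestoreSources values from a Directory.Build.props, in order."""
    node = ET.fromstring(props_xml).find(".//RestoreSources")
    return [s.strip() for s in node.text.split(";") if s.strip()] if node is not None else []

def validate(config_xml, props_xml):
    """Return findings; an empty list means the local mirror keeps priority."""
    adds, cleared = nuget_sources(config_xml)
    keys, values = [k for k, _ in adds], [v for _, v in adds]
    findings = []
    if not cleared:  # without <clear/>, user/machine-level feeds are inherited
        findings.append("packageSources lacks a leading <clear/>")
    if keys[:1] != [EXPECTED[0]]:
        findings.append(f"first feed is {keys[:1]}, expected {EXPECTED[0]!r}")
    if keys != EXPECTED:
        findings.append(f"NuGet.config order {keys} != {EXPECTED}")
    if restore_sources(props_xml) != values:
        findings.append("Directory.Build.props RestoreSources disagrees with NuGet.config")
    return findings
```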

Detailed operator instructions live in docs/modules/devops/runbooks/nuget-preview-bootstrap.md.

CI harnesses (offline-friendly)

  • Concelier: ops/devops/concelier-ci-runner/run-concelier-ci.sh builds concelier-webservice.slnf and runs WebService + Storage Mongo tests. Outputs binlog + TRX + summary under ops/devops/artifacts/concelier-ci/<ts>/.
  • Advisory AI: ops/devops/advisoryai-ci-runner/run-advisoryai-ci.sh builds src/AdvisoryAI/StellaOps.AdvisoryAI.sln, runs StellaOps.AdvisoryAI.Tests, and emits binlog + TRX + summary under ops/devops/artifacts/advisoryai-ci/<ts>/. For offline parity, configure a local NuGet feed in nuget.config.
  • Scanner: ops/devops/scanner-ci-runner/run-scanner-ci.sh builds src/Scanner/StellaOps.Scanner.sln and runs core/analyzer/web/worker test buckets with binlog + TRX outputs under ops/devops/artifacts/scanner-ci/<ts>/.

Telemetry collector tooling (DEVOPS-OBS-50-001)

  • ops/devops/telemetry/generate_dev_tls.sh generates a development CA and client/server certificates for the OpenTelemetry collector overlay (mutual TLS).
  • ops/devops/telemetry/smoke_otel_collector.py sends OTLP traces/metrics/logs over TLS and validates that the collector increments its receiver counters.
  • ops/devops/telemetry/package_offline_bundle.py re-packages collector assets for the Offline Kit.
  • ops/devops/telemetry/tenant_isolation_smoke.py verifies Tempo/Loki tenant isolation with mTLS and scoped headers.
  • deploy/compose/docker-compose.telemetry-storage.yaml provides a Prometheus/Tempo/Loki stack for staging validation.

Combine these helpers with deploy/compose/docker-compose.telemetry.yaml to run a secured collector locally before rolling out the Helm-based deployment.