stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7a5210e2aa2afc487fc791c7f8247f3393ce5250
git.stella-ops.org/.gitea
History
master a4badc275e UI work to fill SBOM sourcing management gap. UI planning remaining functionality exposure. Work on CI/Tests stabilization 
Introduces CGS determinism test runs to CI workflows for Windows, macOS, Linux, Alpine, and Debian, fulfilling CGS-008 cross-platform requirements. Updates local-ci scripts to support new smoke steps, test timeouts, progress intervals, and project slicing for improved test isolation and diagnostics.
2025-12-29 19:12:38 +02:00
..
config
Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.
2025-12-29 07:45:03 +02:00
docs
Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.
2025-12-29 07:45:03 +02:00
scripts
Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.
2025-12-29 07:45:03 +02:00
workflows
UI work to fill SBOM sourcing management gap. UI planning remaining functionality exposure. Work on CI/Tests stabilization
2025-12-29 19:12:38 +02:00
AGENTS.md
Refactor code structure for improved readability and maintainability; optimize performance in key functions.
2025-12-22 19:10:27 +02:00
README.md
Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.
2025-12-29 07:45:03 +02:00

README.md

StellaOps CI/CD Infrastructure

Comprehensive CI/CD infrastructure for the StellaOps platform using Gitea Actions.

Quick Reference

Resource Location
Workflows .gitea/workflows/ (96 workflows)
Scripts .gitea/scripts/
Documentation .gitea/docs/
DevOps Configs devops/
Release Manifests devops/releases/

Workflow Categories

Core Build & Test

Workflow File Description
Build Test Deploy build-test-deploy.yml Main CI pipeline for all modules
Test Matrix test-matrix.yml Unified test execution with TRX reporting
Test Lanes test-lanes.yml Parallel test lane execution
Integration Tests integration-tests-gate.yml Integration test quality gate

Release Pipelines

Workflow File Description
Suite Release release-suite.yml Full platform release (YYYY.MM versioning)
Service Release service-release.yml Per-service release pipeline
Module Publish module-publish.yml NuGet and container publishing
Release Validation release-validation.yml Post-release verification
Promote promote.yml Environment promotion (dev/stage/prod)

CLI & SDK

Workflow File Description
CLI Build cli-build.yml Multi-platform CLI builds
CLI Chaos Parity cli-chaos-parity.yml CLI behavioral consistency tests
SDK Generator sdk-generator.yml Client SDK generation
SDK Publish sdk-publish.yml SDK package publishing

Security & Compliance

Workflow File Description
Artifact Signing artifact-signing.yml Cosign artifact signing
Dependency Security dependency-security-scan.yml Vulnerability scanning
License Audit license-audit.yml OSS license compliance
License Gate dependency-license-gate.yml PR license compliance gate
Crypto Compliance crypto-compliance.yml Cryptographic compliance checks
Provenance Check provenance-check.yml Supply chain provenance

Attestation & Evidence

Workflow File Description
Attestation Bundle attestation-bundle.yml in-toto attestation bundling
Evidence Locker evidence-locker.yml Evidence artifact storage
VEX Proof Bundles vex-proof-bundles.yml VEX proof generation
Signals Evidence signals-evidence-locker.yml Signal evidence collection
Signals DSSE Sign signals-dsse-sign.yml DSSE envelope signing

Scanner & Analysis

Workflow File Description
Scanner Analyzers scanner-analyzers.yml Language analyzer CI
Scanner Determinism scanner-determinism.yml Output reproducibility tests
Reachability Bench reachability-bench.yaml Reachability analysis benchmarks
Reachability Corpus reachability-corpus-ci.yml Corpus maintenance
EPSS Ingest Perf epss-ingest-perf.yml EPSS ingestion performance

Determinism & Reproducibility

Workflow File Description
Determinism Gate determinism-gate.yml Build determinism quality gate
Cross-Platform Det. cross-platform-determinism.yml Cross-OS reproducibility
Bench Determinism bench-determinism.yml Benchmark determinism
E2E Reproducibility e2e-reproducibility.yml End-to-end reproducibility

Module-Specific

Workflow File Description
Advisory AI Release advisory-ai-release.yml AI module release
AOC Guard aoc-guard.yml AOC policy enforcement
Authority Key Rotation authority-key-rotation.yml Key rotation automation
Concelier Tests concelier-attestation-tests.yml Concelier attestation tests
Findings Ledger findings-ledger-ci.yml Findings ledger CI
Policy Lint policy-lint.yml Policy DSL validation
Router Chaos router-chaos.yml Router chaos testing
Signals CI signals-ci.yml Signals module CI

Infrastructure & Ops

Workflow File Description
Containers Multiarch containers-multiarch.yml Multi-architecture builds
Docker Regional docker-regional-builds.yml Regional Docker builds
Helm Validation (via scripts) Helm chart validation
Console Runner console-runner-image.yml Runner image builds
Obs SLO obs-slo.yml Observability SLO checks
Obs Stream obs-stream.yml Telemetry streaming

Documentation & API

Workflow File Description
Docs docs.yml Documentation site build
OAS CI oas-ci.yml OpenAPI spec validation
API Governance api-governance.yml API governance checks
Schema Validation schema-validation.yml JSON schema validation

Dependency Management

Workflow File Description
Renovate renovate.yml Automated dependency updates
License Gate dependency-license-gate.yml License compliance gate
Security Scan dependency-security-scan.yml Vulnerability scanning

Script Categories

Build Scripts (scripts/build/)

Script Purpose
build-cli.sh Build CLI for specific runtime
build-multiarch.sh Multi-architecture container builds
build-airgap-bundle.sh Air-gap deployment bundle

Test Scripts (scripts/test/)

Script Purpose
determinism-run.sh Determinism verification
run-fixtures-check.sh Test fixture validation

Validation Scripts (scripts/validate/)

Script Purpose
validate-compose.sh Docker Compose validation
validate-helm.sh Helm chart validation
validate-licenses.sh License compliance
validate-migrations.sh Database migration validation
validate-sbom.sh SBOM validation
validate-spdx.sh SPDX format validation
validate-vex.sh VEX document validation
validate-workflows.sh Workflow YAML validation
verify-binaries.sh Binary integrity verification

Signing Scripts (scripts/sign/)

Script Purpose
sign-authority-gaps.sh Sign authority gap attestations
sign-policy.sh Sign policy artifacts
sign-signals.sh Sign signals data

Release Scripts (scripts/release/)

Script Purpose
build_release.py Suite release orchestration
verify_release.py Release verification
bump-service-version.py Service version management
read-service-version.sh Read current version
generate-docker-tag.sh Generate Docker tags
generate_changelog.py AI-assisted changelog
generate_suite_docs.py Release documentation
generate_compose.py Docker Compose generation
collect_versions.py Version collection
check_cli_parity.py CLI version parity

Evidence Scripts (scripts/evidence/)

Script Purpose
upload-all-evidence.sh Upload all evidence bundles
signals-upload-evidence.sh Upload signals evidence
zastava-upload-evidence.sh Upload Zastava evidence

Metrics Scripts (scripts/metrics/)

Script Purpose
compute-reachability-metrics.sh Reachability analysis metrics
compute-ttfs-metrics.sh Time-to-first-scan metrics
enforce-performance-slos.sh SLO enforcement

Utility Scripts (scripts/util/)

Script Purpose
cleanup-runner-space.sh Runner disk cleanup
dotnet-filter.sh .NET project filtering
enable-openssl11-shim.sh OpenSSL 1.1 compatibility

Environment Variables

Required Secrets

Secret Purpose Workflows
GITEA_TOKEN API access, commits All
RENOVATE_TOKEN Dependency bot access renovate.yml
COSIGN_PRIVATE_KEY_B64 Artifact signing Release pipelines
AI_API_KEY Changelog generation release-suite.yml
REGISTRY_USERNAME Container registry Build/deploy
REGISTRY_PASSWORD Container registry Build/deploy
SSH_PRIVATE_KEY Deployment access Deploy pipelines

Common Variables

Variable Default Purpose
DOTNET_VERSION 10.0.100 .NET SDK version
NODE_VERSION 20 Node.js version
RENOVATE_VERSION 37.100.0 Renovate version
REGISTRY_HOST git.stella-ops.org Container registry

Versioning Strategy

Suite Releases (Platform)

  • Format: YYYY.MM with codenames (Ubuntu-style)
  • Example: 2026.04 Nova
  • Triggered by: Tag suite-YYYY.MM
  • Documentation: docs/releases/YYYY.MM/

Service Releases (Individual)

  • Format: SemVer MAJOR.MINOR.PATCH
  • Docker tag: {version}+{YYYYMMDDHHmmss}
  • Example: 1.2.3+20250128143022
  • Triggered by: Tag service-{name}-v{version}
  • Version source: src/Directory.Versions.props

Module Releases

  • Format: SemVer MAJOR.MINOR.PATCH
  • Triggered by: Tag module-{name}-v{version}

Documentation

Document Description
Architecture Workflow architecture and dependencies
Scripts Inventory Complete script documentation
Troubleshooting Common issues and solutions
Development Guide Creating new workflows
Runners Self-hosted runner setup
Dependency Management Renovate guide

Related Documentation

Contributing

  1. Read AGENTS.md before making changes
  2. Follow workflow naming conventions
  3. Pin tool versions where possible
  4. Keep workflows deterministic and offline-friendly
  5. Update documentation when adding/modifying workflows
  6. Test locally with act when possible

Support