git.stella-ops.org/.gitea/workflows/supply-chain-hardening.yml


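# Deterministic supply-chain hardening suite for the scanner, attestor and
# binary-index sources. The smoke profile runs on pull requests and pushes to
# main, the nightly profile runs on the daily schedule, and a manual dispatch
# may pick either profile.
name: Supply Chain Hardening

# yamllint disable-line rule:truthy
on:
  pull_request:
    paths:
      - 'tests/supply-chain/**'
      - 'src/Scanner/**'
      - 'src/Attestor/**'
      - 'src/BinaryIndex/**'
      - '.gitea/workflows/supply-chain-hardening.yml'
  push:
    branches:
      - main
    paths:
      - 'tests/supply-chain/**'
      - 'src/Scanner/**'
      - 'src/Attestor/**'
      - 'src/BinaryIndex/**'
      - '.gitea/workflows/supply-chain-hardening.yml'
  schedule:
    # Daily at 03:15 UTC; scheduled runs always use the nightly profile
    # (see the "Resolve profile" step).
    - cron: '15 3 * * *'
  workflow_dispatch:
    inputs:
      profile:
        description: 'Execution profile'
        required: false
        default: 'smoke'
        type: choice
        options:
          - smoke
          - nightly

# Least privilege: the job only reads the checkout and uploads a run artifact.
# GitHub Actions honours this key; Gitea runners may ignore it, in which case
# the runner's default token scope applies.
permissions:
  contents: read

jobs:
  hardening-suite:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # NOTE(review): for a hardening workflow, consider pinning third-party
      # actions to a full commit SHA instead of a mutable tag so that a moved
      # tag cannot change what runs here.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      # Maps the trigger to a suite profile and an artifact retention window:
      #   schedule                    -> nightly, 30 days
      #   workflow_dispatch (profile) -> chosen profile, 30 days when nightly
      #   anything else               -> smoke, 14 days
      # Results are exported via GITHUB_ENV for the later steps.
      - name: Resolve profile
        shell: bash
        env:
          # The dispatch input is handed to the script through an environment
          # variable instead of being interpolated with `${{ ... }}` into the
          # script body, so its value is never parsed as shell syntax.
          EVENT_NAME: ${{ github.event_name }}
          INPUT_PROFILE: ${{ github.event.inputs.profile }}
        run: |
          set -euo pipefail
          PROFILE="smoke"
          RETENTION_DAYS="14"
          if [ "${EVENT_NAME}" = "schedule" ]; then
            PROFILE="nightly"
            RETENTION_DAYS="30"
          elif [ "${EVENT_NAME}" = "workflow_dispatch" ] && [ -n "${INPUT_PROFILE}" ]; then
            # Accept only the declared choices; anything else fails the job
            # rather than being forwarded to run_suite.py.
            case "${INPUT_PROFILE}" in
              smoke|nightly) PROFILE="${INPUT_PROFILE}" ;;
              *) echo "Unknown profile: ${INPUT_PROFILE}" >&2; exit 1 ;;
            esac
            if [ "${PROFILE}" = "nightly" ]; then
              RETENTION_DAYS="30"
            fi
          fi
          echo "SUPPLY_CHAIN_PROFILE=${PROFILE}" >> "$GITHUB_ENV"
          echo "SUPPLY_CHAIN_RETENTION_DAYS=${RETENTION_DAYS}" >> "$GITHUB_ENV"

      # Fixed seed keeps the suite reproducible across runs; the output
      # directory is consumed by the quality gate and uploaded below.
      - name: Run deterministic supply-chain suite
        shell: bash
        run: |
          python tests/supply-chain/run_suite.py \
            --profile "${SUPPLY_CHAIN_PROFILE}" \
            --seed 20260226 \
            --output out/supply-chain

      # Fails the job when any lane exited non-zero or the schema fuzz lane
      # recorded a crash. The heredoc delimiter is quoted so no shell
      # expansion happens inside the Python source.
      - name: Quality gate
        shell: bash
        run: |
          python - <<'PY'
          import json
          from pathlib import Path

          # Per-lane return codes written by run_suite.py; any non-zero lane fails the gate.
          summary = json.loads(Path("out/supply-chain/summary.json").read_text(encoding="utf-8"))
          failed = [lane for lane in summary["lanes"] if lane["returnCode"] != 0]
          if failed:
              raise SystemExit(f"Supply-chain hardening failed lanes: {failed}")

          # The fuzz lane must report zero crashes regardless of its return code.
          fuzz_report = json.loads(Path("out/supply-chain/02-schema-fuzz/report.json").read_text(encoding="utf-8"))
          if fuzz_report["counts"]["crash"] != 0:
              raise SystemExit(f"Fuzz crash count must be zero, got {fuzz_report['counts']['crash']}")
          print("Quality gate passed")
          PY

      # Retention follows the profile resolved above (14 days smoke, 30 nightly).
      - name: Upload hardening artifacts
        uses: actions/upload-artifact@v4
        with:
          name: supply-chain-hardening-${{ github.run_id }}
          path: out/supply-chain
          retention-days: ${{ env.SUPPLY_CHAIN_RETENTION_DAYS }}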