stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
7df0677e34cf7ae3ff68549f10b1f03d0c4f09b3
git.stella-ops.org/ops/devops/attestation/README.md
StellaOps Bot 71e9a56cfd
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
feat: Add Scanner CI runner and related artifacts 
- Implemented `run-scanner-ci.sh` to build and run tests for the Scanner solution with a warmed NuGet cache.
- Created `excititor-vex-traces.json` dashboard for monitoring Excititor VEX observations.
- Added Docker Compose configuration for the OTLP span sink in `docker-compose.spansink.yml`.
- Configured OpenTelemetry collector in `otel-spansink.yaml` to receive and process traces.
- Developed `run-spansink.sh` script to run the OTLP span sink for Excititor traces.
- Introduced `FileSystemRiskBundleObjectStore` for storing risk bundle artifacts in the filesystem.
- Built `RiskBundleBuilder` for creating risk bundles with associated metadata and providers.
- Established `RiskBundleJob` to execute the risk bundle creation and storage process.
- Defined models for risk bundle inputs, entries, and manifests in `RiskBundleModels.cs`.
- Implemented signing functionality for risk bundle manifests with `HmacRiskBundleManifestSigner`.
- Created unit tests for `RiskBundleBuilder`, `RiskBundleJob`, and signing functionality to ensure correctness.
- Added filesystem artifact reader tests to validate manifest parsing and artifact listing.
- Included test manifests for egress scenarios in the task runner tests.
- Developed timeline query service tests to verify tenant and event ID handling.
2025-11-30 19:12:35 +02:00

812 B
Raw Blame History

Attestor CI/Secrets (DEVOPS-ATTEST-73-001/002)

Artifacts added for the DevOps attestation track:

  • ci.yml — GitHub Actions workflow (parity stub) that restores/builds/tests Attestor solution and uploads test artefacts. Offline/airgap friendly when mirrored into local runner; set DOTNET_* envs for determinism.
  • Secrets storage plan:
    • Use KMS-backed cosign key refs (e.g., azurekms://... or awskms://...).
    • Store ref in CI secret ATTESTOR_COSIGN_KEY; pipeline passes via env and never writes key material to disk.
    • Audit logs: enable KMS audit + CI job logs; avoid plaintext key dumps.
  • Next steps: wire .gitea/workflows/attestor-ci.yml to mirror this job, add cosign sign-blob stage for DSSE envelopes, and publish artefacts to ops/devops/artifacts/attestor/<ts>/ with checksums.