stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
95d5898650beb7a00ae9934c2426904a70045af2
git.stella-ops.org/.gitea/workflows/secrets-bundle-release.yml
StellaOps Bot 110591d6bf Merge all changes
2026-01-08 08:54:27 +02:00

505 lines
18 KiB
YAML
Raw Blame History

# .gitea/workflows/secrets-bundle-release.yml
# Sprint: SPRINT_20260104_005_AIRGAP (Secret Offline Kit Integration)
# Task: OKS-007 - Add bundle to release workflow
# Description: Build, sign, and release secrets rule bundles for offline deployment
name: Secrets Bundle Release
on:
workflow_dispatch:
inputs:
version:
description: 'Bundle version (CalVer YYYY.MM format)'
required: true
type: string
include_in_offline_kit:
description: 'Include bundle in offline kit'
type: boolean
default: true
sign_bundle:
description: 'Sign bundle with DSSE'
type: boolean
default: true
dry_run:
description: 'Dry run (build but do not publish)'
type: boolean
default: false
push:
branches: [main]
paths:
- 'offline/rules/secrets/sources/**'
- '.gitea/workflows/secrets-bundle-release.yml'
pull_request:
branches: [main, develop]
paths:
- 'offline/rules/secrets/sources/**'
env:
BUNDLE_ID: secrets.ruleset
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
REGISTRY: git.stella-ops.org
jobs:
# ===========================================================================
# VALIDATE VERSION
# ===========================================================================
validate:
name: Validate Inputs
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
outputs:
version: ${{ steps.resolve.outputs.version }}
sign_bundle: ${{ steps.resolve.outputs.sign_bundle }}
dry_run: ${{ steps.resolve.outputs.dry_run }}
include_in_kit: ${{ steps.resolve.outputs.include_in_kit }}
steps:
- name: Resolve inputs
id: resolve
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
VERSION="${{ github.event.inputs.version }}"
SIGN_BUNDLE="${{ github.event.inputs.sign_bundle }}"
DRY_RUN="${{ github.event.inputs.dry_run }}"
INCLUDE_IN_KIT="${{ github.event.inputs.include_in_offline_kit }}"
else
# Auto-generate version for push/PR builds
VERSION="$(date +%Y.%m)"
SIGN_BUNDLE="false" # Don't sign non-release builds
DRY_RUN="true"
INCLUDE_IN_KIT="false"
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "sign_bundle=$SIGN_BUNDLE" >> "$GITHUB_OUTPUT"
echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT"
echo "include_in_kit=$INCLUDE_IN_KIT" >> "$GITHUB_OUTPUT"
echo "=== Bundle Configuration ==="
echo "Version: $VERSION"
echo "Sign Bundle: $SIGN_BUNDLE"
echo "Dry Run: $DRY_RUN"
echo "Include in Kit: $INCLUDE_IN_KIT"
- name: Validate version format
run: |
VERSION="${{ steps.resolve.outputs.version }}"
if ! [[ "$VERSION" =~ ^[0-9]{4}\.[0-9]{2}$ ]]; then
echo "::error::Invalid version format. Expected CalVer YYYY.MM (e.g., 2026.01)"
exit 1
fi
# ===========================================================================
# BUILD BUNDLE
# ===========================================================================
build-bundle:
name: Build Secrets Bundle
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup directories
run: |
VERSION="${{ needs.validate.outputs.version }}"
mkdir -p "out/bundles/secrets/${VERSION}"
mkdir -p "offline/rules/secrets/${VERSION}"
- name: Collect rule sources
run: |
VERSION="${{ needs.validate.outputs.version }}"
BUNDLE_DIR="out/bundles/secrets/${VERSION}"
SOURCE_DIR="offline/rules/secrets/sources"
if [[ ! -d "$SOURCE_DIR" ]]; then
echo "Creating sample rule source directory..."
mkdir -p "$SOURCE_DIR"
# Create minimal placeholder if no sources exist
cat > "${SOURCE_DIR}/placeholder.json" << 'EOF'
{
"id": "placeholder-rule",
"name": "Placeholder Rule",
"description": "This is a placeholder rule. Add actual rules to offline/rules/secrets/sources/",
"pattern": "^PLACEHOLDER_",
"severity": "low",
"confidence": 0.1
}
EOF
fi
RULE_COUNT=$(find "$SOURCE_DIR" -name "*.json" | wc -l)
echo "Found ${RULE_COUNT} rule source files"
- name: Build rule bundle
run: |
VERSION="${{ needs.validate.outputs.version }}"
BUNDLE_DIR="out/bundles/secrets/${VERSION}"
SOURCE_DIR="offline/rules/secrets/sources"
BUNDLE_ID="${{ env.BUNDLE_ID }}"
# Compile rules to JSONL format
echo "Compiling rules to JSONL..."
RULE_COUNT=0
> "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl"
for rule_file in "${SOURCE_DIR}"/*.json; do
if [[ -f "$rule_file" ]]; then
# Validate JSON and add to bundle
if jq -e '.' "$rule_file" > /dev/null 2>&1; then
jq -c '.' "$rule_file" >> "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl"
RULE_COUNT=$((RULE_COUNT + 1))
else
echo "::warning::Invalid JSON in $rule_file, skipping"
fi
fi
done
echo "Compiled ${RULE_COUNT} rules"
# Compute file digests
RULES_DIGEST=$(sha256sum "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl" | cut -d' ' -f1)
RULES_SIZE=$(stat -f%z "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl" 2>/dev/null || stat -c%s "${BUNDLE_DIR}/${BUNDLE_ID}.rules.jsonl")
# Generate manifest
cat > "${BUNDLE_DIR}/${BUNDLE_ID}.manifest.json" << EOF
{
"bundleId": "${BUNDLE_ID}",
"bundleType": "secrets",
"version": "${VERSION}",
"ruleCount": ${RULE_COUNT},
"createdAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"gitSha": "${{ github.sha }}",
"gitRef": "${{ github.ref }}",
"files": [
{
"name": "${BUNDLE_ID}.rules.jsonl",
"digest": "sha256:${RULES_DIGEST}",
"sizeBytes": ${RULES_SIZE}
}
]
}
EOF
echo "=== Bundle Manifest ==="
cat "${BUNDLE_DIR}/${BUNDLE_ID}.manifest.json"
- name: Upload unsigned bundle
uses: actions/upload-artifact@v4
with:
name: secrets-bundle-unsigned-${{ needs.validate.outputs.version }}
path: out/bundles/secrets/${{ needs.validate.outputs.version }}
retention-days: 30
# ===========================================================================
# SIGN BUNDLE
# ===========================================================================
sign-bundle:
name: Sign Secrets Bundle
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-bundle]
if: needs.validate.outputs.sign_bundle == 'true'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download unsigned bundle
uses: actions/download-artifact@v4
with:
name: secrets-bundle-unsigned-${{ needs.validate.outputs.version }}
path: bundle
- name: Sign bundle with DSSE
env:
SECRETS_SIGNER_KEY: ${{ secrets.SECRETS_SIGNER_KEY }}
SECRETS_SIGNER_KEY_ID: ${{ secrets.SECRETS_SIGNER_KEY_ID }}
run: |
VERSION="${{ needs.validate.outputs.version }}"
BUNDLE_ID="${{ env.BUNDLE_ID }}"
MANIFEST_PATH="bundle/${BUNDLE_ID}.manifest.json"
if [[ -z "${SECRETS_SIGNER_KEY}" ]]; then
echo "::warning::SECRETS_SIGNER_KEY not configured, generating test signature"
# Generate a test DSSE envelope (not cryptographically valid)
PAYLOAD_B64=$(base64 -w0 "${MANIFEST_PATH}")
cat > "bundle/${BUNDLE_ID}.dsse.json" << EOF
{
"payloadType": "application/vnd.stellaops.rulebundle.manifest+json",
"payload": "${PAYLOAD_B64}",
"signatures": [
{
"keyid": "test-key-unsigned",
"sig": "$(echo 'unsigned-test-signature' | base64 -w0)"
}
]
}
EOF
# Update manifest to indicate test signing
jq '.signerKeyId = "test-key-unsigned" | .signedAt = "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"' \
"${MANIFEST_PATH}" > "${MANIFEST_PATH}.tmp" && mv "${MANIFEST_PATH}.tmp" "${MANIFEST_PATH}"
else
# Real DSSE signing
echo "Signing bundle with key: ${SECRETS_SIGNER_KEY_ID}"
# Create PAE (Pre-Authentication Encoding)
PAYLOAD_TYPE="application/vnd.stellaops.rulebundle.manifest+json"
PAYLOAD=$(cat "${MANIFEST_PATH}")
PAYLOAD_B64=$(echo -n "$PAYLOAD" | base64 -w0)
PAE="DSSEv1 ${#PAYLOAD_TYPE} ${PAYLOAD_TYPE} ${#PAYLOAD} ${PAYLOAD}"
# Sign using openssl (ES256)
echo "${SECRETS_SIGNER_KEY}" | base64 -d > /tmp/signing-key.pem
SIG=$(echo -n "$PAE" | openssl dgst -sha256 -sign /tmp/signing-key.pem | base64 -w0)
rm -f /tmp/signing-key.pem
cat > "bundle/${BUNDLE_ID}.dsse.json" << EOF
{
"payloadType": "${PAYLOAD_TYPE}",
"payload": "${PAYLOAD_B64}",
"signatures": [
{
"keyid": "${SECRETS_SIGNER_KEY_ID}",
"sig": "${SIG}"
}
]
}
EOF
# Update manifest with signing info
jq '.signerKeyId = "'"${SECRETS_SIGNER_KEY_ID}"'" | .signedAt = "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"' \
"${MANIFEST_PATH}" > "${MANIFEST_PATH}.tmp" && mv "${MANIFEST_PATH}.tmp" "${MANIFEST_PATH}"
fi
echo "=== DSSE Envelope ==="
jq '.' "bundle/${BUNDLE_ID}.dsse.json"
- name: Verify signature structure
run: |
BUNDLE_ID="${{ env.BUNDLE_ID }}"
# Verify DSSE structure
jq -e '.payloadType and .payload and .signatures[0].keyid and .signatures[0].sig' \
"bundle/${BUNDLE_ID}.dsse.json" > /dev/null
echo "Signature structure verified"
- name: Upload signed bundle
uses: actions/upload-artifact@v4
with:
name: secrets-bundle-signed-${{ needs.validate.outputs.version }}
path: bundle
retention-days: 90
# ===========================================================================
# PACKAGE FOR OFFLINE KIT
# ===========================================================================
package-offline-kit:
name: Package for Offline Kit
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-bundle, sign-bundle]
if: always() && needs.build-bundle.result == 'success' && needs.validate.outputs.include_in_kit == 'true'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download bundle
uses: actions/download-artifact@v4
with:
name: ${{ needs.sign-bundle.result == 'success' && format('secrets-bundle-signed-{0}', needs.validate.outputs.version) || format('secrets-bundle-unsigned-{0}', needs.validate.outputs.version) }}
path: bundle
- name: Package bundle
run: |
VERSION="${{ needs.validate.outputs.version }}"
BUNDLE_ID="${{ env.BUNDLE_ID }}"
# Create offline kit structure
mkdir -p "offline-kit/rules/secrets/${VERSION}"
cp bundle/* "offline-kit/rules/secrets/${VERSION}/"
# Create symlink for latest
cd "offline-kit/rules/secrets"
ln -sf "${VERSION}" latest
# Generate checksums
cd "${VERSION}"
sha256sum ${BUNDLE_ID}.* > SHA256SUMS
echo "=== Offline Kit Contents ==="
find ../.. -type f | head -20
- name: Create tarball
run: |
VERSION="${{ needs.validate.outputs.version }}"
cd offline-kit
tar -czvf "../secrets-bundle-kit-${VERSION}.tar.gz" .
- name: Upload offline kit package
uses: actions/upload-artifact@v4
with:
name: secrets-bundle-kit-${{ needs.validate.outputs.version }}
path: secrets-bundle-kit-*.tar.gz
retention-days: 90
# ===========================================================================
# PUBLISH
# ===========================================================================
publish:
name: Publish Bundle
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, sign-bundle, package-offline-kit]
if: needs.validate.outputs.dry_run != 'true' && needs.sign-bundle.result == 'success'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download signed bundle
uses: actions/download-artifact@v4
with:
name: secrets-bundle-signed-${{ needs.validate.outputs.version }}
path: bundle
- name: Download offline kit package
uses: actions/download-artifact@v4
with:
name: secrets-bundle-kit-${{ needs.validate.outputs.version }}
path: kit
continue-on-error: true
- name: Commit bundle to repository
run: |
VERSION="${{ needs.validate.outputs.version }}"
BUNDLE_ID="${{ env.BUNDLE_ID }}"
TARGET_DIR="offline/rules/secrets/${VERSION}"
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
mkdir -p "${TARGET_DIR}"
cp bundle/* "${TARGET_DIR}/"
# Update latest symlink
cd offline/rules/secrets
rm -f latest
ln -sf "${VERSION}" latest
cd -
git add "offline/rules/secrets/${VERSION}"
git add "offline/rules/secrets/latest"
if git diff --cached --quiet; then
echo "No changes to commit"
else
git commit -m "release: secrets rule bundle ${VERSION}
Bundle ID: ${BUNDLE_ID}
Version: ${VERSION}
Git SHA: ${{ github.sha }}
🤖 Generated with [Claude Code](https://claude.ai/claude-code)
Co-Authored-By: github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
git push
fi
- name: Create release tag
env:
GITHUB_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: |
VERSION="${{ needs.validate.outputs.version }}"
BUNDLE_ID="${{ env.BUNDLE_ID }}"
# Get rule count from manifest
RULE_COUNT=$(jq -r '.ruleCount // 0' "bundle/${BUNDLE_ID}.manifest.json")
SIGNER_KEY_ID=$(jq -r '.signerKeyId // "unknown"' "bundle/${BUNDLE_ID}.manifest.json")
# Create release notes
cat > release-notes.md << EOF
## Secrets Rule Bundle ${VERSION}
### Bundle Information
- **Bundle ID:** ${BUNDLE_ID}
- **Version:** ${VERSION}
- **Rule Count:** ${RULE_COUNT}
- **Signer Key ID:** ${SIGNER_KEY_ID}
- **Git SHA:** ${{ github.sha }}
### Installation
#### For Online Environments
\`\`\`bash
stella secrets bundle update --version ${VERSION}
\`\`\`
#### For Offline/Air-Gapped Environments
1. Download the offline kit package
2. Transfer to air-gapped environment
3. Run the installation script:
\`\`\`bash
./devops/offline/scripts/install-secrets-bundle.sh /path/to/rules/secrets/${VERSION}
\`\`\`
### Files
| File | Description |
|------|-------------|
| \`${BUNDLE_ID}.manifest.json\` | Bundle manifest with metadata |
| \`${BUNDLE_ID}.rules.jsonl\` | Rule definitions (JSONL format) |
| \`${BUNDLE_ID}.dsse.json\` | DSSE signature envelope |
EOF
# Prepare assets
mkdir -p release-assets
cp bundle/* release-assets/
if [[ -f "kit/secrets-bundle-kit-${VERSION}.tar.gz" ]]; then
cp "kit/secrets-bundle-kit-${VERSION}.tar.gz" release-assets/
fi
# Create release
gh release create "secrets-bundle-${VERSION}" \
--title "Secrets Rule Bundle ${VERSION}" \
--notes-file release-notes.md \
release-assets/*
# ===========================================================================
# SUMMARY
# ===========================================================================
summary:
name: Build Summary
runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
needs: [validate, build-bundle, sign-bundle, package-offline-kit, publish]
if: always()
steps:
- name: Generate Summary
run: |
echo "## Secrets Bundle Release Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Configuration" >> $GITHUB_STEP_SUMMARY
echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY
echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
echo "| Version | ${{ needs.validate.outputs.version }} |" >> $GITHUB_STEP_SUMMARY
echo "| Sign Bundle | ${{ needs.validate.outputs.sign_bundle }} |" >> $GITHUB_STEP_SUMMARY
echo "| Dry Run | ${{ needs.validate.outputs.dry_run }} |" >> $GITHUB_STEP_SUMMARY
echo "| Include in Kit | ${{ needs.validate.outputs.include_in_kit }} |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Job Results" >> $GITHUB_STEP_SUMMARY
echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY
echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY
echo "| Build Bundle | ${{ needs.build-bundle.result }} |" >> $GITHUB_STEP_SUMMARY
echo "| Sign Bundle | ${{ needs.sign-bundle.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Package Offline Kit | ${{ needs.package-offline-kit.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Publish | ${{ needs.publish.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
Reference in New Issue View Git Blame Copy Permalink