9f6e6f7fb3
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
87 lines
2.5 KiB
YAML
87 lines
2.5 KiB
YAML
name: Policy Simulation
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- 'docs/policy/**'
|
|
- 'docs/examples/policies/**'
|
|
- 'scripts/policy/**'
|
|
- '.gitea/workflows/policy-simulate.yml'
|
|
push:
|
|
branches: [ main ]
|
|
paths:
|
|
- 'docs/policy/**'
|
|
- 'docs/examples/policies/**'
|
|
- 'scripts/policy/**'
|
|
- '.gitea/workflows/policy-simulate.yml'
|
|
|
|
jobs:
|
|
policy-simulate:
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
DOTNET_NOLOGO: 1
|
|
DOTNET_CLI_TELEMETRY_OPTOUT: 1
|
|
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
|
|
TZ: UTC
|
|
THRESHOLD: 0
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Setup .NET 10 RC
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: 10.0.100-rc.2.25502.107
|
|
include-prerelease: true
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@v3.4.0
|
|
|
|
- name: Cache NuGet packages
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.nuget/packages
|
|
local-nugets/packages
|
|
key: policy-sim-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
|
|
|
- name: Restore CLI
|
|
run: |
|
|
dotnet restore src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configfile nuget.config
|
|
|
|
- name: Generate policy signing key (ephemeral)
|
|
run: |
|
|
OUT_DIR=out/policy-sign/keys PREFIX=ci-policy COSIGN_PASSWORD= scripts/policy/rotate-key.sh
|
|
|
|
- name: Sign sample policy blob
|
|
run: |
|
|
export COSIGN_KEY_B64=$(base64 -w0 out/policy-sign/keys/ci-policy-cosign.key)
|
|
COSIGN_PASSWORD= \
|
|
scripts/policy/sign-policy.sh --file docs/examples/policies/baseline.stella --out-dir out/policy-sign
|
|
|
|
- name: Attest and verify sample policy blob
|
|
run: |
|
|
export COSIGN_KEY_B64=$(base64 -w0 out/policy-sign/keys/ci-policy-cosign.key)
|
|
COSIGN_PASSWORD= \
|
|
scripts/policy/attest-verify.sh --file docs/examples/policies/baseline.stella --out-dir out/policy-sign
|
|
|
|
- name: Run batch policy simulation
|
|
run: |
|
|
scripts/policy/batch-simulate.sh
|
|
|
|
- name: Upload simulation artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: policy-simulation
|
|
path: out/policy-sim
|
|
retention-days: 7
|
|
|
|
- name: Upload signing artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: policy-signing
|
|
path: out/policy-sign
|
|
retention-days: 7
|