git.stella-ops.org/ops/devops/sdk/README.md
StellaOps Bot 9f6e6f7fb3
2025-11-25 22:09:44 +02:00
SDK Publishing Pipeline (DEVOPS-SDK-63-001)

Scope: registry credentials, signing keys, and secure storage for SDK publishing.

Artifacts

  • Scripts: scripts/sdk/generate-cert.sh, scripts/sdk/sign-packages.sh, scripts/sdk/publish.sh.
  • CI: .gitea/workflows/sdk-publish.yml (builds/tests when an SDK solution is present, signs, publishes, and exports the offline kit).
  • Local feed: defaults to local-nugets/packages for offline/file-based distribution.

Secrets / env

  • SDK_SIGNING_CERT_B64 — base64-encoded PKCS#12 (PFX) code-signing certificate (generate with generate-cert.sh).
  • SDK_SIGNING_CERT_PASSWORD — PFX password (may be empty for dev certs only).
  • SDK_NUGET_SOURCE — NuGet feed (HTTP URL or local path; default local-nugets/packages).
  • SDK_NUGET_API_KEY — API key for HTTP feeds (ignored for file feeds).

Usage

  1. Generate a signing cert (dev/stage):
     scripts/sdk/generate-cert.sh
     # read the base64 blob from out/sdk-signing/README.txt and load it into the CI secret store
  2. Build/pack the SDK (the upstream generator publishes .nupkg files into out/sdk/ or local-nugets/packages/).
  3. Sign the packages:
     SDK_SIGNING_CERT_B64=... SDK_SIGNING_CERT_PASSWORD=... scripts/sdk/sign-packages.sh
  4. Publish:
     SDK_NUGET_SOURCE=https://nuget.example.com/v3/index.json SDK_NUGET_API_KEY=... scripts/sdk/publish.sh
     # or to the file feed (default): scripts/sdk/publish.sh

CI behavior

  • Restores, builds/tests when an SDK solution is present, signs every .nupkg under out/sdk or local-nugets/packages, publishes to SDK_NUGET_SOURCE, and uploads out/sdk as a CI artifact.
  • No-op when no packages are present (keeps the pipeline green for config-only updates).

Secure storage

  • Do not commit keys. Store the PFX and its password in the CI secret store; for manual operations keep them as encrypted blobs outside the repo (e.g., a vault entry holding SDK_SIGNING_CERT_B64 plus the password), and avoid leaving them in shell history or on disk after a run.
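The signing step (Usage step 3), the no-op rule under CI behavior, and the secure-storage rule above all come down to the same handling pattern. The following is an added example, not the project's scripts/sdk/sign-packages.sh: it decodes SDK_SIGNING_CERT_B64 into a mode-0600 temp file that is removed on exit, skips cleanly when no .nupkg exists, and signs each package through a caller-supplied signer. The signer argument (a command or shell function taking `<package> <pfx-path>`) and the `sign_all` / `load_signing_cert` / `find_packages` names are assumptions for this example; only the two SDK_SIGNING_* variable names come from the README.

```shell
#!/usr/bin/env sh
# Added example, not the project's scripts/sdk/sign-packages.sh.
# Assumed: SDK_SIGNING_CERT_B64 holds a base64 PFX (per the README);
# the "signer" passed to sign_all is a hypothetical command/function
# invoked as: <signer> <package.nupkg> <pfx-path>.

# Decode SDK_SIGNING_CERT_B64 into a 0600 temp file and print its path.
# The cert bytes never appear on a command line, and a missing, empty or
# undecodable value fails loudly instead of yielding an unsigned package.
load_signing_cert() {
  if [ -z "${SDK_SIGNING_CERT_B64:-}" ]; then
    echo "SDK_SIGNING_CERT_B64 is not set" >&2
    return 1
  fi
  cert_file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/sdk-signing.XXXXXX") || return 1
  if ! printf '%s' "$SDK_SIGNING_CERT_B64" | base64 -d > "$cert_file" 2>/dev/null \
     || [ ! -s "$cert_file" ]; then
    rm -f "$cert_file"
    echo "SDK_SIGNING_CERT_B64 did not decode to a non-empty PFX" >&2
    return 1
  fi
  printf '%s\n' "$cert_file"
}

# Print every .nupkg under the given directories, one per line. Prints
# nothing and returns 0 when there are none: the pipeline's no-op case.
find_packages() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f -name '*.nupkg'
  done
}

# Sign every package found under the given directories with
# "$signer <package> <pfx-path>". The cert is decoded once and the temp
# file is removed both on normal completion and on abnormal exit.
# Returns 0 when there is nothing to sign, 1 if any signature failed.
sign_all() {
  signer=$1
  shift
  pkgs=$(find_packages "$@")
  if [ -z "$pkgs" ]; then
    echo "no .nupkg under: $*; nothing to sign" >&2
    return 0
  fi
  cert_file=$(load_signing_cert) || return 1
  trap 'rm -f "$cert_file"' EXIT
  status=0
  while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    if "$signer" "$pkg" "$cert_file"; then
      echo "signed $pkg" >&2
    else
      echo "FAILED to sign $pkg" >&2
      status=1
    fi
  done <<EOF
$pkgs
EOF
  rm -f "$cert_file"
  return "$status"
}
```

For the real pipeline the signer would wrap `dotnet nuget sign "$pkg" --certificate-path "$cert_file" --certificate-password "$SDK_SIGNING_CERT_PASSWORD" --timestamper <rfc3161-url>` and a follow-up `dotnet nuget verify --all "$pkg"` before publishing. Note that `dotnet nuget sign` only accepts the password as an argument, so it is visible in the process list for the duration of the call; that is acceptable on a single-tenant CI runner but is one more reason not to run this step on shared hosts or to paste the password into an interactive shell.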