StellaOps Bot 907783f625 Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism
- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency.
- Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling.
- Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies.
- Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification.
- Create validation script for CI/CD templates ensuring all required files and structures are present.
2025-12-26 15:17:58 +02:00


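# .github/workflows/examples/example-verification-gate.yml
# Example: Verification gate before deployment
#
# This example shows how to:
# 1. Verify all required attestations exist
# 2. Validate identity constraints
# 3. Block deployment on verification failure
#
# Use this pattern for:
# - Production deployment gates
# - Promotion between environments
# - Audit compliance checkpoints
#
# Hardening applied in this example:
# - Workflow inputs (`github.event.inputs.*`) and other context values reach
#   shell steps through `env:` and are expanded as shell variables; they are
#   never interpolated with `${{ }}` straight into `run:` scripts, so a crafted
#   input value cannot inject shell commands.
# - Every job declares the least `permissions:` it needs for GITHUB_TOKEN.
---
name: Deployment Verification Gate

on:
  workflow_dispatch:
    inputs:
      image:
        description: 'Container image to deploy (with digest)'
        required: true
        type: string
      environment:
        description: 'Target environment'
        required: true
        type: choice
        options:
          - staging
          - production
      require-sbom:
        description: 'Require SBOM attestation'
        required: false
        default: true
        type: boolean
      require-verdict:
        description: 'Require passing policy verdict'
        required: false
        default: true
        type: boolean

env:
  # Identity patterns for trusted signers.
  # Staging accepts any branch of this repository; production accepts only
  # `main` and `v*` tags. The `|` alternation assumes the consuming
  # `certificate-identity` input is matched as a regular expression — confirm
  # against stellaops-verify.yml.
  TRUSTED_IDENTITY_STAGING: 'repo:${{ github.repository }}:ref:refs/heads/.*'
  TRUSTED_IDENTITY_PRODUCTION: 'repo:${{ github.repository }}:ref:refs/heads/main|repo:${{ github.repository }}:ref:refs/tags/v.*'
  # Expected OIDC issuer for GitHub-issued signing identities. The `env`
  # context cannot be used in a reusable-workflow `with:` block, so the
  # verify-signature job repeats this value literally; keep the two in sync.
  TRUSTED_ISSUER: 'https://token.actions.githubusercontent.com'

jobs:
  # Select the signer identity pattern for the requested environment.
  pre-flight:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      identity-pattern: ${{ steps.config.outputs.identity-pattern }}
    steps:
      - name: Configure Identity Constraints
        id: config
        env:
          TARGET_ENV: ${{ github.event.inputs.environment }}
        run: |
          set -euo pipefail
          if [[ "$TARGET_ENV" == "production" ]]; then
            echo "identity-pattern=${TRUSTED_IDENTITY_PRODUCTION}" >> "$GITHUB_OUTPUT"
            echo "Using production identity constraints"
          else
            echo "identity-pattern=${TRUSTED_IDENTITY_STAGING}" >> "$GITHUB_OUTPUT"
            echo "Using staging identity constraints"
          fi

  # Signature / attestation verification, delegated to the reusable workflow.
  # Its `verified` and `attestation-count` outputs are consumed below.
  verify-signature:
    needs: pre-flight
    uses: ./.github/workflows/examples/stellaops-verify.yml
    with:
      artifact-digest: ${{ github.event.inputs.image }}
      certificate-identity: ${{ needs.pre-flight.outputs.identity-pattern }}
      # Literal copy of env.TRUSTED_ISSUER (env context is unavailable here).
      certificate-oidc-issuer: 'https://token.actions.githubusercontent.com'
      require-rekor: true
      # workflow_dispatch inputs are strings in github.event.inputs, so the
      # boolean inputs are compared against the string 'true'.
      require-sbom: ${{ github.event.inputs.require-sbom == 'true' }}
      require-verdict: ${{ github.event.inputs.require-verdict == 'true' }}
      strict: true
    permissions:
      contents: read
      packages: read

  # Independent build-provenance check; fails the job when `.valid` is not
  # exactly "true" (a missing field yields "null" from jq and also fails).
  verify-provenance:
    needs: pre-flight
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    outputs:
      provenance-valid: ${{ steps.verify.outputs.valid }}
    steps:
      - name: Install StellaOps CLI
        uses: stella-ops/setup-cli@v1
      - name: Verify Build Provenance
        id: verify
        env:
          STELLAOPS_URL: 'https://api.stella-ops.org'
          IMAGE: ${{ github.event.inputs.image }}
          SOURCE_REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          echo "::group::Verifying build provenance"
          # `pipefail` makes a non-JSON result (jq failure) fail the step.
          RESULT=$(stella provenance verify \
            --artifact "${IMAGE}" \
            --require-source-repo "${SOURCE_REPO}" \
            --output json)
          echo "$RESULT" | jq .
          echo "::endgroup::"
          VALID=$(echo "$RESULT" | jq -r '.valid')
          echo "valid=${VALID}" >> "$GITHUB_OUTPUT"
          if [[ "$VALID" != "true" ]]; then
            echo "::error::Provenance verification failed"
            exit 1
          fi

  # Record the gate decision. Runs only when both verification jobs succeeded,
  # which is why `--verified true` is fixed.
  audit-log:
    needs: [verify-signature, verify-provenance]
    runs-on: ubuntu-latest
    # Add `id-token: write` here if the CLI authenticates to STELLAOPS_URL via
    # GitHub OIDC — not determinable from this example.
    permissions:
      contents: read
    steps:
      - name: Install StellaOps CLI
        uses: stella-ops/setup-cli@v1
      - name: Create Audit Entry
        env:
          STELLAOPS_URL: 'https://api.stella-ops.org'
          IMAGE: ${{ github.event.inputs.image }}
          TARGET_ENV: ${{ github.event.inputs.environment }}
          ATTESTATION_COUNT: ${{ needs.verify-signature.outputs.attestation-count }}
          ACTOR: ${{ github.actor }}
          WORKFLOW_NAME: ${{ github.workflow }}
          RUN_ID: ${{ github.run_id }}
        run: |
          set -euo pipefail
          stella audit log \
            --event "deployment-gate" \
            --artifact "${IMAGE}" \
            --environment "${TARGET_ENV}" \
            --verified true \
            --attestations "${ATTESTATION_COUNT}" \
            --actor "${ACTOR}" \
            --workflow "${WORKFLOW_NAME}" \
            --run-id "${RUN_ID}"

  # Deployment runs only after every gate job above succeeded. Binding the job
  # to a GitHub environment lets required reviewers and protection rules apply
  # on top of the attestation checks.
  deploy:
    needs: [verify-signature, verify-provenance, audit-log]
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.environment }}
    # The example steps only print. Widen this when adding real deployment
    # steps (e.g. `id-token: write` for cloud OIDC login).
    permissions:
      contents: read
    steps:
      - name: Deployment Approved
        env:
          IMAGE: ${{ github.event.inputs.image }}
          TARGET_ENV: ${{ github.event.inputs.environment }}
        run: |
          echo "All verifications passed"
          echo "Image: ${IMAGE}"
          echo "Environment: ${TARGET_ENV}"
          echo ""
          echo "Proceeding with deployment..."
      # Add your deployment steps here, passing the image via `env:` as above:
      # - name: Deploy to Kubernetes
      #   env:
      #     IMAGE: ${{ github.event.inputs.image }}
      #   run: kubectl set image deployment/app app="${IMAGE}"
      - name: Summary
        env:
          IMAGE: ${{ github.event.inputs.image }}
          TARGET_ENV: ${{ github.event.inputs.environment }}
          SIGNATURE_VERIFIED: ${{ needs.verify-signature.outputs.verified }}
          PROVENANCE_VERIFIED: ${{ needs.verify-provenance.outputs.provenance-valid }}
          ATTESTATION_COUNT: ${{ needs.verify-signature.outputs.attestation-count }}
          ACTOR: ${{ github.actor }}
          RUN_ID: ${{ github.run_id }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Unquoted heredoc: shell variables expand, but their contents are not
          # re-evaluated, so an input value cannot run commands here.
          cat >> "$GITHUB_STEP_SUMMARY" << EOF
          ## Deployment Completed
          | Field | Value |
          |-------|-------|
          | **Image** | \`${IMAGE}\` |
          | **Environment** | \`${TARGET_ENV}\` |
          | **Signature Verified** | ${SIGNATURE_VERIFIED} |
          | **Provenance Verified** | ${PROVENANCE_VERIFIED} |
          | **Attestations** | ${ATTESTATION_COUNT} |
          | **Deployed By** | @${ACTOR} |
          | **Workflow Run** | [#${RUN_ID}](${RUN_URL}) |
          EOF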