97 lines
3.5 KiB
YAML
97 lines
3.5 KiB
YAML
name: signals-evidence-locker
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
out_dir:
|
|
description: "Output directory containing signed artifacts"
|
|
required: false
|
|
default: "evidence-locker/signals/2025-12-05"
|
|
allow_dev_key:
|
|
description: "Allow dev key fallback (1=yes, 0=no)"
|
|
required: false
|
|
default: "0"
|
|
retention_target:
|
|
description: "Retention days target"
|
|
required: false
|
|
default: "180"
|
|
|
|
jobs:
|
|
prepare-signals-evidence:
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
MODULE_ROOT: docs/modules/signals
|
|
OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-05' }}
|
|
COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
|
|
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
|
|
CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Task Pack offline bundle fixtures
|
|
run: python3 scripts/packs/run-fixtures-check.sh
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: 'v2.2.4'
|
|
|
|
- name: Verify artifacts exist
|
|
run: |
|
|
cd "$MODULE_ROOT"
|
|
sha256sum -c SHA256SUMS
|
|
|
|
- name: Sign signals artifacts
|
|
run: |
|
|
chmod +x tools/cosign/sign-signals.sh
|
|
OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
|
|
|
|
- name: Build deterministic signals evidence tar
|
|
run: |
|
|
set -euo pipefail
|
|
test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; }
|
|
|
|
tmpdir=$(mktemp -d)
|
|
rsync -a --relative \
|
|
"$OUT_DIR/SHA256SUMS" \
|
|
"$OUT_DIR/confidence_decay_config.sigstore.json" \
|
|
"$OUT_DIR/unknowns_scoring_manifest.sigstore.json" \
|
|
"$OUT_DIR/heuristics_catalog.sigstore.json" \
|
|
"$MODULE_ROOT/decay/confidence_decay_config.yaml" \
|
|
"$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \
|
|
"$MODULE_ROOT/heuristics/heuristics.catalog.json" \
|
|
"$tmpdir/"
|
|
|
|
(cd "$tmpdir/$OUT_DIR" && sha256sum --check SHA256SUMS)
|
|
|
|
tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
|
|
-cf /tmp/signals-evidence.tar -C "$tmpdir" .
|
|
|
|
sha256sum /tmp/signals-evidence.tar > /tmp/signals-evidence.tar.sha256
|
|
|
|
- name: Upload artifact (fallback)
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: signals-evidence-2025-12-05
|
|
path: |
|
|
/tmp/signals-evidence.tar
|
|
/tmp/signals-evidence.tar.sha256
|
|
|
|
- name: Push to Evidence Locker
|
|
if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
|
|
env:
|
|
TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
|
|
URL: ${{ env.EVIDENCE_LOCKER_URL }}
|
|
run: |
|
|
upload_path="${OUT_DIR#evidence-locker/}"
|
|
curl -f -X PUT "$URL/${upload_path}/signals-evidence.tar" \
|
|
-H "Authorization: Bearer $TOKEN" \
|
|
--data-binary @/tmp/signals-evidence.tar
|
|
|
|
- name: Skip push (missing secret or URL)
|
|
if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
|
|
run: |
|
|
echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2
|