Marco Allegretti
|
bb03d3adad
|
ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds
- .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve,
build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl),
cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract
- .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish
- .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign,
verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal,
adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script,
adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable
- .github/actions/karapace-build/action.yml — reusable build action
- .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility
- CI_CONTRACT.md — required jobs list enforced by ci-contract gate job
- scripts/generate-sbom.sh — CycloneDX SBOM generation
- CARGO_INCREMENTAL=0 globally, cargo clean before all release builds
- Cosign keyless signing with GitHub Actions OIDC
- 32 total CI jobs across 3 workflows
|
2026-02-22 18:39:00 +01:00 |
|