Marco Allegretti
fd7313a318
fix CI: skip prereq check for mock backend, add bash to opensuse
...
- Add KARAPACE_SKIP_PREREQS=1 env var check to skip runtime prerequisite
checks (user namespaces, fuse-overlayfs) when testing with mock backend
- Set KARAPACE_SKIP_PREREQS=1 in CLI integration test helper
- Add bash to opensuse/tumbleweed container deps (required by
dtolnay/rust-toolchain action)
2026-02-22 19:56:47 +01:00
Marco Allegretti
3e4f2597c5
fix CI: bump Rust 1.82→1.88 (MSRV), fix lockfile check, add xz to opensuse
...
- Bump RUST_TOOLCHAIN from 1.82 to 1.88 in ci.yml, release.yml,
supply-chain-test.yml (darling/time crates require 1.88)
- Replace fragile cargo-update+diff lockfile check with cargo check --locked
- Add xz package to opensuse container deps (needed by rustup)
2026-02-22 19:41:31 +01:00
Marco Allegretti
bb03d3adad
ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds
...
- .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve,
build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl),
cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract
- .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish
- .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign,
verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal,
adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script,
adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable
- .github/actions/karapace-build/action.yml — reusable build action
- .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility
- CI_CONTRACT.md — required jobs list enforced by ci-contract gate job
- scripts/generate-sbom.sh — CycloneDX SBOM generation
- CARGO_INCREMENTAL=0 globally, cargo clean before all release builds
- Cosign keyless signing with GitHub Actions OIDC
- 32 total CI jobs across 3 workflows
2026-02-22 18:39:00 +01:00
