feat(ci): add artifact receipt source contract

This commit is contained in:
ogt
2026-07-10 12:06:30 +08:00
parent aa2a1727cc
commit 0ff83bf5fd
5 changed files with 528 additions and 18 deletions

View File

@@ -170,6 +170,9 @@ def build_gitea_workflow_source_inventory(repo_root: Path) -> dict[str, Any]:
"uses_artifact_transfer": (
"upload-artifact" in lowered_text
or "download-artifact" in lowered_text
or "cicd-artifact-receipts" in lowered_text
or "artifact-retention-manifest" in lowered_text
or "artifact_retention_manifest" in lowered_text
),
"uses_cache_volume_or_action": (
"actions/cache" in lowered_text
@@ -179,7 +182,14 @@ def build_gitea_workflow_source_inventory(repo_root: Path) -> dict[str, Any]:
),
"uses_sbom_or_provenance": any(
marker in lowered_text
for marker in ("sbom", "provenance", "cosign", "syft", "trivy")
for marker in (
"sbom",
"provenance",
"cicd-artifact-receipts",
"cosign",
"syft",
"trivy",
)
),
"uses_registry_or_package_channel": (
"registry.wooo.work" in text
@@ -842,25 +852,92 @@ def build_gitea_capability_ci_cd_optimization_readback(
),
_optimization(
"dependency_sbom_and_cache_strategy",
"action_required",
"source_ready"
if _int(
professional_feature_rollups.get("sbom_or_provenance_workflow_count")
)
> 0
and _int(professional_feature_rollups.get("cache_workflow_count")) > 0
else "action_required",
"Add dependency cache, SBOM, vulnerability and license receipt lanes",
"dependency governance exists but is not yet tied to every Gitea workflow",
"workflow source emits SBOM/provenance receipts and keeps cache-key inputs explicit"
if _int(
professional_feature_rollups.get("sbom_or_provenance_workflow_count")
)
> 0
and _int(professional_feature_rollups.get("cache_workflow_count")) > 0
else "dependency governance exists but is not yet tied to every Gitea workflow",
[
"GET /api/v1/agents/dependency-supply-chain-drift-monitor",
"GET /api/v1/agents/package-supply-chain-inventory",
"scripts/ci/generate-cicd-artifact-receipts.py",
],
"wire cache keys, SBOM output, and drift evidence into CI artifacts",
"bind vulnerability/license drift receipts after SBOM/provenance source receipts"
if _int(
professional_feature_rollups.get("sbom_or_provenance_workflow_count")
)
> 0
and _int(professional_feature_rollups.get("cache_workflow_count")) > 0
else "wire cache keys, SBOM output, and drift evidence into CI artifacts",
{
"cache_workflow_count": _int(
professional_feature_rollups.get("cache_workflow_count")
),
"sbom_or_provenance_workflow_count": _int(
professional_feature_rollups.get(
"sbom_or_provenance_workflow_count"
)
),
},
),
_optimization(
"artifact_receipt_retention",
"action_required",
"source_ready"
if _int(
professional_feature_rollups.get("artifact_transfer_workflow_count")
)
> 0
and _int(
professional_feature_rollups.get("sbom_or_provenance_workflow_count")
)
> 0
else "action_required",
"Retain test, build, deploy, backup, and alert receipts per run",
"receipt endpoints exist but retention is not yet unified across all workflows",
"workflow source emits artifact retention, SBOM, and provenance receipts"
if _int(
professional_feature_rollups.get("artifact_transfer_workflow_count")
)
> 0
and _int(
professional_feature_rollups.get("sbom_or_provenance_workflow_count")
)
> 0
else "receipt endpoints exist but retention is not yet unified across all workflows",
[
"GET /api/v1/agents/gitea-workflow-runner-health",
"GET /api/v1/agents/backup-dr-readiness-matrix",
"scripts/ci/generate-cicd-artifact-receipts.py",
],
"standardize artifact naming and retention windows for Gitea Actions",
"promote source receipts to live retained artifacts when Gitea artifact or package storage is enabled"
if _int(
professional_feature_rollups.get("artifact_transfer_workflow_count")
)
> 0
and _int(
professional_feature_rollups.get("sbom_or_provenance_workflow_count")
)
> 0
else "standardize artifact naming and retention windows for Gitea Actions",
{
"artifact_transfer_workflow_count": _int(
professional_feature_rollups.get("artifact_transfer_workflow_count")
),
"sbom_or_provenance_workflow_count": _int(
professional_feature_rollups.get(
"sbom_or_provenance_workflow_count"
)
),
},
),
_optimization(
"dedupe_cancel_stale_run_guard",

View File

@@ -159,8 +159,8 @@ def test_gitea_capability_readback_rolls_up_complete_feature_surface() -> None:
assert (
professional_feature_rollups["registry_or_package_channel_workflow_count"] == 4
)
assert professional_feature_rollups["sbom_or_provenance_workflow_count"] == 0
assert professional_feature_rollups["artifact_transfer_workflow_count"] == 0
assert professional_feature_rollups["sbom_or_provenance_workflow_count"] == 1
assert professional_feature_rollups["artifact_transfer_workflow_count"] == 1
assert (
payload["workflow_source_inventory"]["secret_variable_rollups"][
"secret_values_collected"
@@ -259,6 +259,11 @@ def test_gitea_capability_readback_prioritizes_professional_cicd_gaps() -> None:
optimization_by_id["full_gitea_server_offsite_dr_receipts"]["status"]
== "source_ready"
)
assert (
optimization_by_id["dependency_sbom_and_cache_strategy"]["status"]
== "source_ready"
)
assert optimization_by_id["artifact_receipt_retention"]["status"] == "source_ready"
assert payload["rollups"]["ci_cd_optimization_count"] == len(
payload["ci_cd_optimization_rows"]
)
@@ -267,12 +272,10 @@ def test_gitea_capability_readback_prioritizes_professional_cicd_gaps() -> None:
payload["professional_ci_cd_practice_rows"]
)
assert payload["rollups"]["p0_professional_ci_cd_practice_gap_count"] == 0
assert payload["rollups"]["market_professional_ci_cd_gap_count"] == 3
assert payload["rollups"]["market_professional_ci_cd_gap_count"] == 1
assert payload["rollups"]["all_gitea_features_fully_utilized"] is False
assert payload["rollups"]["professional_ci_cd_practice_gap_ids"] == [
"gitea_125_packages_release_registry",
"slsa_build_provenance_isolation",
"artifact_cache_sbom_retention",
]
practice_by_id = {
@@ -329,12 +332,8 @@ def test_gitea_capability_readback_prioritizes_professional_cicd_gaps() -> None:
]
is False
)
assert (
practice_by_id["slsa_build_provenance_isolation"]["status"] == "action_required"
)
assert (
practice_by_id["artifact_cache_sbom_retention"]["status"] == "action_required"
)
assert practice_by_id["slsa_build_provenance_isolation"]["status"] == "source_ready"
assert practice_by_id["artifact_cache_sbom_retention"]["status"] == "source_ready"
assert (
"https://dora.dev/guides/dora-metrics/"
in payload["readback"]["market_practice_basis_refs"]