feat(pipeline): add artifact signing and verification step (#496) #512
Open
Favourejiro wants to merge 1 commit into StellerCraft:main from
- Add ArtifactSigningService with signArtifact (SHA-256 + HMAC-SHA256) and verifyArtifact (timingSafeEqual) — secret from env, never hardcoded
- Add 'signing' stage to DeploymentStatusType
- Update DeploymentPipelineService: sign artifact after validation, verify before push, abort with error on mismatch, log checksum in deployment_logs metadata
- Add ARTIFACT_SIGNING_SECRET to .env.example with generation instructions
- Add vitest env var for test environment
- Add 6 pipeline tests covering valid/tampered/missing-signature cases and checksum presence in deployment_logs metadata

Closes StellerCraft#496
@Favourejiro Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Closes #496
Integrates artifact signing and verification into the deployment pipeline (issue #496).
Changes
New: ArtifactSigningService
- signArtifact(artifact) — computes SHA-256 checksum and HMAC-SHA256 signature using process.env.ARTIFACT_SIGNING_SECRET
- verifyArtifact(artifact, checksum, signature) — recomputes both values and compares using crypto.timingSafeEqual to prevent timing attacks

Updated: DeploymentPipelineService
- signing, logs the checksum
- pushGeneratedCode: verifies the artifact; aborts the pipeline with a descriptive error if verification fails
- deployment_logs metadata for audit: { checksum: "sha256:...", timestamp: "...", deploymentId: "..." }

Updated: DeploymentStatusType
- 'signing' stage between 'validating' and 'creating_repo'

Updated: .env.example
ARTIFACT_SIGNING_SECRET=your-signing-secret-here
Used to sign and verify generated artifacts before deployment.
Generate with: openssl rand -hex 32

Updated: vitest.config.ts
- ARTIFACT_SIGNING_SECRET test env value so all existing pipeline tests continue to pass

Tests
- deployment_logs metadata
- signing stage appears in correct position in status sequence
- verifyArtifact receives same content and credentials as signArtifact

All 66 tests pass.
Security
- timingSafeEqual used for all comparisons
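
A sketch of the sign/verify pair the description outlines, added here as an example and not the PR's own code: it assumes both values are computed over the raw artifact and hex-encoded, and `safeEqual`, `signingKey` and `demo` are hypothetical helpers. It shows the length guard that `crypto.timingSafeEqual` needs, because that function throws on inputs of unequal byte length, so a truncated or missing signature fails verification instead of raising.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

type Artifact = string | Buffer;

// Read the key from the environment at call time; unset or empty is an error.
function signingKey(): string {
  const secret = process.env.ARTIFACT_SIGNING_SECRET;
  if (!secret) throw new Error("ARTIFACT_SIGNING_SECRET is not set");
  return secret;
}

// Assumption: both values are computed over the raw artifact and hex-encoded.
function signArtifact(artifact: Artifact): { checksum: string; signature: string } {
  const checksum = "sha256:" + createHash("sha256").update(artifact).digest("hex");
  const signature = createHmac("sha256", signingKey()).update(artifact).digest("hex");
  return { checksum, signature };
}

// timingSafeEqual throws a RangeError when the byte lengths differ, so check the
// length first. Digest length is public, so the early exit reveals nothing secret.
function safeEqual(expected: string, supplied: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(supplied, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

function verifyArtifact(artifact: Artifact, checksum?: string, signature?: string): boolean {
  if (!checksum || !signature) return false; // missing values never verify
  const expected = signArtifact(artifact);
  // Run both comparisons before combining them so neither is short-circuited.
  const checksumOk = safeEqual(expected.checksum, checksum);
  const signatureOk = safeEqual(expected.signature, signature);
  return checksumOk && signatureOk;
}

// Constructed sample input (demo key and artifact; not values from the PR).
function demo(): boolean[] {
  if (!process.env.ARTIFACT_SIGNING_SECRET) process.env.ARTIFACT_SIGNING_SECRET = "constructed-demo-key";
  const artifact = "export const greeting = 'hello';";
  const { checksum, signature } = signArtifact(artifact);
  return [
    verifyArtifact(artifact, checksum, signature),              // intact
    verifyArtifact(artifact + " ", checksum, signature),        // tampered content
    verifyArtifact(artifact, checksum, signature.slice(0, 16)), // truncated signature
    verifyArtifact(artifact, checksum, undefined),              // missing signature
  ];
}
```

An HMAC proves only that the signer held the shared secret, so anything that can read `ARTIFACT_SIGNING_SECRET` can also produce valid signatures.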