chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration
- Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage
- Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
oib
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions

138
.github/dependabot.yml vendored Normal file

@@ -0,0 +1,138 @@
version: 2
enable-beta-ecosystems: true
registries:
# Use default npm registry
npm-registry:
type: npm-registry
url: https://registry.npmjs.org
replaces-base: true
updates:
# Python dependencies
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 10
reviewers:
- "oib"
assignees:
- "oib"
commit-message:
prefix: "deps"
include: "scope"
labels:
- "dependencies"
- "python"
ignore:
# Allow patch updates for all dependencies
- dependency-name: "*"
update-types: ["version-update:semver-patch"]
# Allow minor updates for most dependencies
- dependency-name: "*"
update-types: ["version-update:semver-minor"]
# But be more conservative with critical dependencies
except:
- "fastapi"
- "uvicorn"
- "sqlalchemy"
- "alembic"
- "httpx"
- "click"
- "pytest"
- "cryptography"
# GitHub Actions dependencies
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
reviewers:
- "oib"
assignees:
- "oib"
commit-message:
prefix: "ci"
include: "scope"
labels:
- "dependencies"
- "github-actions"
# Docker dependencies (if any)
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
reviewers:
- "oib"
assignees:
- "oib"
commit-message:
prefix: "deps"
include: "scope"
labels:
- "dependencies"
- "docker"
# npm dependencies (for frontend components)
- package-ecosystem: "npm"
directory: "/apps/explorer-web"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 10
reviewers:
- "oib"
assignees:
- "oib"
commit-message:
prefix: "deps"
include: "scope"
labels:
- "dependencies"
- "npm"
- "frontend"
ignore:
# Allow patch updates for all dependencies
- dependency-name: "*"
update-types: ["version-update:semver-patch"]
# Allow minor updates for most dependencies
- dependency-name: "*"
update-types: ["version-update:semver-minor"]
# But be conservative with major dependencies
except:
- "react"
- "vue"
- "angular"
- "typescript"
- "webpack"
- "babel"
# npm dependencies for website
- package-ecosystem: "npm"
directory: "/website"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 10
reviewers:
- "oib"
assignees:
- "oib"
commit-message:
prefix: "deps"
include: "scope"
labels:
- "dependencies"
- "npm"
- "website"
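Review bot: The wildcard `ignore` entries under the pip update (and the identical pair under the `/apps/explorer-web` npm update) do the opposite of their comments: `dependency-name: "*"` with `update-types: ["version-update:semver-patch"]` tells Dependabot to skip patch releases for every package, and the next entry skips minor releases, so only major bumps would ever be proposed and routine security fixes to `cryptography`, `fastapi` or `httpx` would never arrive. As far as I know the ignore schema has no `except` key, so the list of critical dependencies beneath it is not applied at all. To get the behaviour the comments describe, remove the wildcard entries and hold back only major bumps of the sensitive packages, one entry per dependency.
```yaml
ignore:
  # Hold back only major bumps of the sensitive packages; patch and minor
  # releases (including security fixes) still produce PRs.
  - dependency-name: "fastapi"
    update-types: ["version-update:semver-major"]
  - dependency-name: "cryptography"
    update-types: ["version-update:semver-major"]
  # … one entry per dependency formerly listed under `except` …
```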

73
.github/workflows/ci.yml vendored Normal file

@@ -0,0 +1,73 @@
name: CI
on:
push:
branches: ["**"]
pull_request:
branches: ["**"]
jobs:
python:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install Poetry
run: python -m pip install --upgrade pip poetry
- name: Install dependencies
run: |
poetry config virtualenvs.create false
poetry install --no-interaction --no-ansi
- name: Lint (ruff)
run: poetry run ruff check .
- name: Check .env.example drift
run: python scripts/focused_dotenv_linter.py --check
- name: Test (pytest)
run: poetry run pytest --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: unittests
name: codecov-umbrella
contracts:
runs-on: ubuntu-latest
defaults:
run:
working-directory: contracts
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
cache-dependency-path: contracts/package-lock.json
- name: Install dependencies
run: npm ci
- name: Lint
run: npm run lint
- name: Compile
run: npm run compile
- name: Test
run: npm test
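Review bot: The workflow declares no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope although neither needs more than checkout; add `permissions:` / `  contents: read` at the top level (the same gap exists in every other new workflow in this commit except the publish one, which already scopes its token). Triggering on `push` for `**` and on `pull_request` for `**` also runs every same-repo PR twice; a `paths:` filter or dropping one trigger would halve the load. The `contracts` job here is repeated verbatim, minus the Slither step, in the new `contracts-ci.yml`, so one of the two copies should go.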


@@ -13,19 +13,17 @@ on:
- 'tests/cli/**'
jobs:
test:
cli-tests:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ['3.11', '3.12', '3.13']
fail-fast: false
name: CLI Tests
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
python-version: '3.13'
- name: Install dependencies
run: |
@@ -33,18 +31,16 @@ jobs:
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite slowapi orjson prometheus-client
pip install pytest pytest-cov pytest-asyncio
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run CLI tests
run: |
python -m pytest tests/cli/ -v --tb=short --disable-warnings
- name: Run CLI tests with coverage
run: |
python -m pytest tests/cli/ --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
python -m pytest tests/cli/ -v --tb=short --disable-warnings --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
env:
DATABASE_URL: sqlite:///./test_coordinator.db
- name: Upload coverage
uses: actions/upload-artifact@v4
with:
name: coverage-report
name: cli-coverage-report
path: coverage.xml
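Review bot: Dropping the 3.11/3.12 matrix here is not mirrored in the new comprehensive-tests workflow, whose `cli-tests` job still fans out over `['3.11', '3.12', '3.13']` while its summary step prints `3.13 (standardized)`, so the two workflows now disagree about the supported interpreters; pick one and apply it to both. The merged test step also keeps `--disable-warnings`, which hides DeprecationWarnings from the dependencies pinned in the `pip install` line above it; with a single version left to watch, consider dropping that flag. The enclosing `cli-tests` job begins above the first hunk.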


@@ -0,0 +1,391 @@
name: Comprehensive Tests
on:
push:
branches: ["main", "develop"]
pull_request:
branches: ["main", "develop"]
schedule:
# Run comprehensive tests daily at 3 AM UTC
- cron: '0 3 * * *'
jobs:
# Unit tests - fast, isolated tests
unit-tests:
runs-on: ubuntu-latest
name: Unit Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run unit tests
run: |
python -m pytest -m "unit and not slow" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: unit
name: unit-tests
# Integration tests - may require external services
integration-tests:
runs-on: ubuntu-latest
name: Integration Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run integration tests
run: |
python -m pytest -m "integration and not slow" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
env:
DATABASE_URL: sqlite:///./test_coordinator.db
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: integration
name: integration-tests
# CLI-specific tests
cli-tests:
runs-on: ubuntu-latest
name: CLI Tests
strategy:
matrix:
python-version: ['3.11', '3.12', '3.13']
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite slowapi orjson prometheus-client
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run CLI tests
run: |
python -m pytest tests/cli/ -m "cli" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: cli
name: cli-tests
# API tests
api-tests:
runs-on: ubuntu-latest
name: API Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite
pip install pytest pytest-cov pytest-asyncio pytest-mock httpx
- name: Run API tests
run: |
python -m pytest -m "api" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
env:
DATABASE_URL: sqlite:///./test_coordinator.db
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: api
name: api-tests
# Blockchain tests
blockchain-tests:
runs-on: ubuntu-latest
name: Blockchain Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run blockchain tests
run: |
python -m pytest -m "blockchain" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: blockchain
name: blockchain-tests
# Slow tests - run separately
slow-tests:
runs-on: ubuntu-latest
name: Slow Tests
if: github.event_name != 'pull_request' # Don't run on PRs to save time
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run slow tests
run: |
python -m pytest -m "slow" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: slow
name: slow-tests
# Performance tests
performance-tests:
runs-on: ubuntu-latest
name: Performance Tests
if: github.event_name != 'pull_request' # Don't run on PRs to save time
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock pytest-benchmark
- name: Run performance tests
run: |
python -m pytest -m "performance" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml --benchmark-only
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: performance
name: performance-tests
# Security tests
security-tests:
runs-on: ubuntu-latest
name: Security Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock bandit safety
- name: Run security tests
run: |
python -m pytest -m "security" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Run Bandit security scan
run: |
bandit -r . -f json -o bandit-report.json || true
bandit -r . -f txt -o bandit-report.txt || true
- name: Run Safety dependency check
run: |
safety check --json --output safety-report.json || true
safety check || true
- name: Upload security reports
uses: actions/upload-artifact@v4
with:
name: security-reports
path: |
bandit-report.json
bandit-report.txt
safety-report.json
retention-days: 30
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: security
name: security-tests
# Test summary and coverage aggregation
test-summary:
runs-on: ubuntu-latest
name: Test Summary
needs: [unit-tests, integration-tests, cli-tests, api-tests, blockchain-tests]
if: always()
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download all coverage reports
uses: actions/download-artifact@v4
with:
pattern: "*-coverage-report"
merge-multiple: true
- name: Generate test summary
run: |
echo "# 🧪 Test Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Test Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Unit tests
if [ "${{ needs.unit-tests.result }}" == "success" ]; then
echo "✅ **Unit Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Unit Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# Integration tests
if [ "${{ needs.integration-tests.result }}" == "success" ]; then
echo "✅ **Integration Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Integration Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# CLI tests
if [ "${{ needs.cli-tests.result }}" == "success" ]; then
echo "✅ **CLI Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **CLI Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# API tests
if [ "${{ needs.api-tests.result }}" == "success" ]; then
echo "✅ **API Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **API Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# Blockchain tests
if [ "${{ needs.blockchain-tests.result }}" == "success" ]; then
echo "✅ **Blockchain Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Blockchain Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Test Configuration" >> $GITHUB_STEP_SUMMARY
echo "- **Python Version**: 3.13 (standardized)" >> $GITHUB_STEP_SUMMARY
echo "- **Test Framework**: pytest with pyproject.toml configuration" >> $GITHUB_STEP_SUMMARY
echo "- **Coverage**: All test suites with coverage reporting" >> $GITHUB_STEP_SUMMARY
echo "- **Markers**: unit, integration, cli, api, blockchain, slow, performance, security" >> $GITHUB_STEP_SUMMARY
- name: Comment PR with test results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
// Read the summary
const summary = fs.readFileSync(process.env.GITHUB_STEP_SUMMARY, 'utf8');
// Create PR comment
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});
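Review bot: The Bandit and Safety steps in the `security-tests` job end every command with `|| true`, so the job is green whatever either tool reports, and `security-tests` is absent from `test-summary`'s `needs` list, so its result is never surfaced either. Drop the `|| true` and let Bandit's non-zero exit gate the job (for example `bandit -r . -ll -f json -o bandit-report.json` to fail on medium severity and above), and add `security-tests` to `needs: [...]`. Separately, `test-summary` downloads artifacts matching `*-coverage-report`, but every job above sends coverage to Codecov rather than uploading an artifact, so that step has nothing to fetch. The PR-comment step needs `pull-requests: write`, which no `permissions:` block grants; for pull requests from forks the token is read-only and the comment will fail.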


@@ -0,0 +1,159 @@
name: Configuration Security Check
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
workflow_dispatch:
jobs:
config-security-scan:
runs-on: ubuntu-latest
name: Configuration Security Scan
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.13'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pyyaml
- name: Run Configuration Security Audit
run: |
python config/security/environment-audit.py --format json --output env-security-report.json
- name: Run Helm Values Security Audit
run: |
python config/security/helm-values-audit.py --format json --output helm-security-report.json
- name: Check for Security Issues
run: |
python -c "
import json
import sys
# Check environment security
with open('env-security-report.json') as f:
env_report = json.load(f)
# Check Helm values security
with open('helm-security-report.json') as f:
helm_report = json.load(f)
total_issues = env_report['summary']['total_issues'] + helm_report['summary']['total_issues']
critical_issues = env_report['summary']['severity_breakdown'].get('CRITICAL', 0) + helm_report['summary']['severity_breakdown'].get('CRITICAL', 0)
high_issues = env_report['summary']['severity_breakdown'].get('HIGH', 0) + helm_report['summary']['severity_breakdown'].get('HIGH', 0)
print(f'Environment Issues: {env_report[\"summary\"][\"total_issues\"]}')
print(f'Helm Values Issues: {helm_report[\"summary\"][\"total_issues\"]}')
print(f'Total Issues: {total_issues}')
print(f'Critical: {critical_issues}')
print(f'High: {high_issues}')
if critical_issues > 0:
print('❌ CRITICAL security issues found!')
sys.exit(1)
elif high_issues > 0:
print('⚠️ HIGH security issues found!')
sys.exit(1)
elif total_issues > 0:
print('⚠️ Security issues found')
sys.exit(1)
else:
print('✅ No security issues found')
"
- name: Upload Security Reports
uses: actions/upload-artifact@v3
if: always()
with:
name: configuration-security-reports
path: |
env-security-report.json
helm-security-report.json
retention-days: 30
- name: Comment PR with Security Findings
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
try {
const report = JSON.parse(fs.readFileSync('security-report.json', 'utf8'));
const summary = report.summary;
let comment = `## 🔒 Configuration Security Scan\n\n`;
comment += `**Summary**\n`;
comment += `- Files Audited: ${summary.files_audited}\n`;
comment += `- Total Issues: ${summary.total_issues}\n\n`;
if (summary.total_issues > 0) {
comment += `**Severity Breakdown**\n`;
const breakdown = summary.severity_breakdown;
for (const [severity, count] of Object.entries(breakdown)) {
if (count > 0) {
comment += `- ${severity}: ${count}\n`;
}
}
comment += `\n`;
comment += `**Issues Found**\n`;
for (const [file, issues] of Object.entries(report.issues)) {
comment += `\n📁 \`${file}\`\n`;
for (const issue of issues) {
comment += `- ${issue.level}: ${issue.message}\n`;
}
}
} else {
comment += `✅ **No security issues found!**\n`;
}
comment += `\n**Recommendations**\n`;
for (const rec of report.recommendations) {
comment += `- ${rec}\n`;
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
} catch (error) {
console.log('Could not read security report:', error.message);
}
- name: Validate Production Templates
run: |
echo "Validating production template files..."
# Check that production templates don't contain actual secrets
for template in config/environments/production/*.template; do
if [ -f "$template" ]; then
echo "Checking $template..."
# Check for forbidden patterns
if grep -iE "(your-.*-here|change-this|password|secret)" "$template"; then
echo "❌ Template contains forbidden patterns: $template"
exit 1
fi
# Check that secrets use secretRef format
if grep -E "(API_KEY|SECRET|PASSWORD|TOKEN|DSN)=" "$template" | grep -v "secretRef:"; then
echo "❌ Template has non-secretRef secrets: $template"
exit 1
fi
echo "✅ $template is valid"
fi
done
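Review bot: The PR-comment step reads `security-report.json`, but the two audit steps write `env-security-report.json` and `helm-security-report.json`, so the `catch` swallows a missing-file error every time and no comment is ever posted; point it at the real file names (or merge the two reports first). The template validation at the end contradicts itself: the first `grep -iE "(...|password|secret)"` rejects any line whose key merely contains PASSWORD or SECRET, so a correct `DB_PASSWORD=secretRef:...` line of the form the second check demands can never pass—anchor the forbidden-pattern grep on the value side, e.g. `grep -E "=.*(your-.*-here|change-this)"`, instead of the whole line. `actions/upload-artifact@v3` is deprecated and GitHub has announced its shutdown; use `@v4` as the sibling workflows do, and `actions/setup-python@v4` should be `@v5` for consistency with them.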

41
.github/workflows/contracts-ci.yml vendored Normal file

@@ -0,0 +1,41 @@
name: Contracts CI
on:
push:
branches: ["**"]
pull_request:
branches: ["**"]
jobs:
contracts:
runs-on: ubuntu-latest
defaults:
run:
working-directory: contracts
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
cache-dependency-path: contracts/package-lock.json
- name: Install dependencies
run: npm ci
- name: Lint
run: npm run lint
- name: Slither Analysis
run: npm run slither
# Note: Slither runs locally without any cloud services or API keys
- name: Compile
run: npm run compile
- name: Test
run: npm test
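Review bot: This job is a copy of the `contracts` job in the new `ci.yml` with only the `Slither Analysis` step added, and both fire on every push and pull request, so each change runs the contract lint, compile and tests twice. Keep one copy (this one, since it carries Slither) and delete the other, or at least restrict both with `paths: ['contracts/**']`. It also needs a `permissions:` block limiting the token to `contents: read`.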

253
.github/workflows/dotenv-check.yml vendored Normal file

@@ -0,0 +1,253 @@
name: Dotenv Configuration Check
on:
push:
branches: ["**"]
paths:
- '.env.example'
- 'scripts/focused_dotenv_linter.py'
- '**/*.py'
- '**/*.yml'
- '**/*.yaml'
- '**/*.toml'
- '**/*.sh'
- '**/*.bash'
- '**/*.zsh'
pull_request:
branches: ["**"]
paths:
- '.env.example'
- 'scripts/focused_dotenv_linter.py'
- '**/*.py'
- '**/*.yml'
- '**/*.yaml'
- '**/*.toml'
- '**/*.sh'
- '**/*.bash'
- '**/*.zsh'
jobs:
dotenv-check:
runs-on: ubuntu-latest
name: Check .env.example Configuration Drift
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
- name: Check .env.example drift
run: |
python scripts/focused_dotenv_linter.py --check --verbose
- name: Generate configuration report
run: |
python scripts/focused_dotenv_linter.py > dotenv-report.txt
- name: Upload configuration report
uses: actions/upload-artifact@v4
if: always()
with:
name: dotenv-configuration-report
path: dotenv-report.txt
retention-days: 30
- name: Comment PR with configuration issues
if: failure() && github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
try {
const report = fs.readFileSync('dotenv-report.txt', 'utf8');
const comment = `## 🔍 Configuration Drift Detected
The focused dotenv linter found configuration drift between \`.env.example\` and actual environment variable usage in the codebase.
<details>
<summary>Click to see full report</summary>
\`\`\`
${report}
\`\`\`
</details>
### 🔧 How to Fix
1. **Auto-fix missing variables:**
\`\`\`bash
python scripts/focused_dotenv_linter.py --fix
\`\`\`
2. **Review unused variables:**
- Remove variables from \`.env.example\` that are no longer used
- Or add them to the linter's exclusion list if they're needed for external tools
3. **Run locally:**
\`\`\`bash
python scripts/focused_dotenv_linter.py --verbose
\`\`\`
This prevents silent configuration drift and ensures all environment variables are properly documented.`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
} catch (error) {
console.log('Could not read dotenv report:', error);
}
dotenv-validation:
runs-on: ubuntu-latest
name: Validate .env.example Format
needs: dotenv-check
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Validate .env.example format
run: |
# Check if .env.example exists and is readable
if [ ! -f ".env.example" ]; then
echo "❌ .env.example file not found"
exit 1
fi
# Check for common format issues
echo "🔍 Validating .env.example format..."
# Check for lines without equals signs (excluding comments and empty lines)
invalid_lines=$(grep -v '^#' .env.example | grep -v '^$' | grep -v '=' | wc -l)
if [ "$invalid_lines" -gt 0 ]; then
echo "❌ Found $invalid_lines lines without '=' in .env.example"
grep -v '^#' .env.example | grep -v '^$' | grep -v '=' | head -5
exit 1
fi
# Check for variables with spaces (should be uppercase with underscores)
invalid_vars=$(grep -v '^#' .env.example | grep -v '^$' | cut -d'=' -f1 | grep -E '[a-z]' | grep -v '^HTTP_PROXY$' | grep -v '^HTTPS_PROXY$' | grep -v '^NO_PROXY$' | wc -l)
if [ "$invalid_vars" -gt 0 ]; then
echo "⚠️ Found $invalid_vars variables with lowercase letters (should be uppercase):"
grep -v '^#' .env.example | grep -v '^$' | cut -d'=' -f1 | grep -E '[a-z]' | grep -v '^HTTP_PROXY$' | grep -v '^HTTPS_PROXY$' | grep -v '^NO_PROXY$' | head -5
echo "Consider using uppercase variable names for consistency."
fi
# Check for duplicate variables
duplicates=$(grep -v '^#' .env.example | grep -v '^$' | cut -d'=' -f1 | sort | uniq -d | wc -l)
if [ "$duplicates" -gt 0 ]; then
echo "❌ Found $duplicates duplicate variable names:"
grep -v '^#' .env.example | grep -v '^$' | cut -d'=' -f1 | sort | uniq -d
exit 1
fi
echo "✅ .env.example format validation passed"
dotenv-security:
runs-on: ubuntu-latest
name: Security Check for .env.example
needs: dotenv-check
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Security check for sensitive data
run: |
echo "🔒 Checking .env.example for sensitive data..."
# Check for potential secrets (should be placeholder values)
sensitive_patterns=(
"password="
"secret="
"key="
"token="
"private_key="
"api_key="
"dsn="
)
found_issues=false
for pattern in "${sensitive_patterns[@]}"; do
# Look for lines that might contain actual secrets (not placeholders)
if grep -i "$pattern" .env.example | grep -v -E "(your-|placeholder|example|test|dummy|change-|xxx|yyy|zzz)" | grep -v -E "^#" | head -3; then
echo "⚠️ Potential actual secrets found with pattern: $pattern"
found_issues=true
fi
done
# Check for common placeholder patterns
placeholder_count=$(grep -c -E "(your-|placeholder|example|test|dummy|change-|xxx|yyy|zzz)" .env.example || true)
echo "📊 Found $placeholder_count placeholder values (good!)"
if [ "$found_issues" = true ]; then
echo "❌ Please replace actual secrets with placeholder values in .env.example"
echo " Use patterns like: your-secret-here, placeholder-value, change-me"
exit 1
fi
echo "✅ Security check passed"
dotenv-summary:
runs-on: ubuntu-latest
name: Configuration Summary
needs: [dotenv-check, dotenv-validation, dotenv-security]
if: always()
steps:
- name: Generate summary
run: |
echo "# 📋 .env.example Configuration Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Check results from previous jobs
if [ "${{ needs.dotenv-check.result }}" == "success" ]; then
echo "✅ **Configuration Drift Check**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Configuration Drift Check**: Failed" >> $GITHUB_STEP_SUMMARY
fi
if [ "${{ needs.dotenv-validation.result }}" == "success" ]; then
echo "✅ **Format Validation**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Format Validation**: Failed" >> $GITHUB_STEP_SUMMARY
fi
if [ "${{ needs.dotenv-security.result }}" == "success" ]; then
echo "✅ **Security Check**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Security Check**: Failed" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "## 📊 Configuration Statistics" >> $GITHUB_STEP_SUMMARY
# Count variables in .env.example
var_count=$(grep -v '^#' .env.example | grep -v '^$' | wc -l)
echo "- **Variables in .env.example**: $var_count" >> $GITHUB_STEP_SUMMARY
# Count sections (based on comment headers)
sections=$(grep '^# ====' .env.example | wc -l)
echo "- **Configuration Sections**: $sections" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## 🔧 Maintenance" >> $GITHUB_STEP_SUMMARY
echo "- **Linter**: \`python scripts/focused_dotenv_linter.py\`" >> $GITHUB_STEP_SUMMARY
echo "- **Auto-fix**: \`python scripts/focused_dotenv_linter.py --fix\`" >> $GITHUB_STEP_SUMMARY
echo "- **Verbose**: \`python scripts/focused_dotenv_linter.py --verbose\`" >> $GITHUB_STEP_SUMMARY
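Review bot: The secret check in `dotenv-security` flags every pattern regardless of content: the `if` condition is a pipeline ending in `head -3`, and under the default `bash -e` run shell (no `pipefail` unless `shell: bash` is set explicitly) the pipeline's status is `head`'s, which is 0 even on empty input, so `found_issues=true` is set for all seven patterns and the job always exits 1. Capture the matches instead: `hits=$(grep -i "$pattern" .env.example | grep -v -E "^#" | grep -v -E "(your-|placeholder|example|test|dummy|change-|xxx|yyy|zzz)" | head -3)` followed by `if [ -n "$hits" ]; then echo "$hits"; found_issues=true; fi`. The allow-list is also very loose—any value containing `test` or `example` (say `latest`, or an `example.com` URL) passes—so it should match whole placeholder tokens rather than substrings. As in the other new workflows, the github-script comment step needs `pull-requests: write` and there is no `permissions:` block.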

188
.github/workflows/production-deploy.yml vendored Normal file

@@ -0,0 +1,188 @@
name: Production Deployment
on:
push:
branches: [main]
tags: ['v*']
workflow_dispatch:
inputs:
environment:
description: 'Deployment environment'
required: true
default: 'staging'
type: choice
options:
- staging
- production
jobs:
security-scan:
runs-on: ubuntu-latest
name: Security Scanning
outputs:
security-passed: ${{ steps.security-check.outputs.passed }}
steps:
- uses: actions/checkout@v4
- name: Run comprehensive security scan
run: |
python scripts/focused_dotenv_linter.py --check
bandit -r . -f json -o bandit-report.json
slither contracts/ --json slither-report.json
- name: Security validation
id: security-check
run: |
if [ -f bandit-report.json ] && [ -f slither-report.json ]; then
echo "passed=true" >> $GITHUB_OUTPUT
else
echo "passed=false" >> $GITHUB_OUTPUT
exit 1
fi
build-and-test:
runs-on: ubuntu-latest
name: Build and Test
needs: security-scan
if: needs.security-scan.outputs.security-passed == 'true'
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio
- name: Run comprehensive tests
run: |
python -m pytest -m "not slow" --cov=aitbc_cli --cov-report=xml --cov-fail-under=90
- name: Build application
run: |
python -m build
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: build-artifacts
path: dist/
retention-days: 30
deploy-staging:
runs-on: ubuntu-latest
name: Deploy to Staging
needs: build-and-test
if: github.ref == 'refs/heads/main' || github.event.inputs.environment == 'staging'
steps:
- uses: actions/checkout@v4
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifacts
path: dist/
- name: Deploy to staging
run: |
echo "Deploying to staging environment..."
# Add staging deployment commands here
# Example: scp to staging server, restart services, etc.
- name: Run smoke tests
run: |
python scripts/smoke_tests.py --environment=staging
- name: Health check
run: |
curl -f https://staging.aitbc.dev/health || exit 1
deploy-production:
runs-on: ubuntu-latest
name: Deploy to Production
needs: [build-and-test, deploy-staging]
if: startsWith(github.ref, 'refs/tags/v') || github.event.inputs.environment == 'production'
steps:
- uses: actions/checkout@v4
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifacts
path: dist/
- name: Create production backup
run: |
echo "Creating production backup..."
# Add backup commands here
- name: Deploy to production
run: |
echo "Deploying to production environment..."
# Add production deployment commands here
- name: Run production smoke tests
run: |
python scripts/smoke_tests.py --environment=production
- name: Production health check
run: |
curl -f https://api.aitbc.dev/health || exit 1
- name: Update monitoring
run: |
if [ -n "${{ secrets.MONITORING_TOKEN }}" ]; then
curl -X POST https://monitoring.aitbc.net/api/deployment \
-H "Authorization: Bearer ${{ secrets.MONITORING_TOKEN }}" \
-d '{"version": "${{ github.ref_name }}", "environment": "production"}'
fi
post-deployment:
runs-on: ubuntu-latest
name: Post-Deployment Verification
needs: [deploy-staging, deploy-production]
if: always() && (needs.deploy-staging.result == 'success' || needs.deploy-production.result == 'success')
steps:
- name: Notify team
uses: actions/github-script@v6
with:
script: |
const environment = '${{ github.event.inputs.environment || (startsWith(github.ref, 'refs/tags/v') && 'production' || 'staging') }}';
const deploymentUrl = environment === 'production' ? 'https://aitbc.dev' : 'https://staging.aitbc.dev';
const message = `🚀 **Deployment Complete**
**Environment**: ${environment}
**Version**: ${github.ref_name}
**URL**: ${deploymentUrl}
**Commit**: ${github.sha}
**Next Steps**:
1. Verify functionality at ${deploymentUrl}
2. Check monitoring dashboard
3. Review deployment logs
4. Update documentation if needed`;
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Deployment Complete: ${environment} - ${github.ref_name}`,
body: message,
labels: ['deployment', environment]
});
- name: Update documentation
run: |
echo "Updating API documentation..."
# Add documentation update commands here
- name: Performance baseline
run: |
python scripts/performance_baseline.py --environment=${{ github.event.inputs.environment || 'staging' }}
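Review bot: The `deploy-production` job can never run from a tag: it `needs: [build-and-test, deploy-staging]`, but `deploy-staging` is skipped on `refs/tags/v*` (its `if` admits only `refs/heads/main` or a manual `staging` input), and a skipped dependency skips the dependent job. Either drop `deploy-staging` from the production job's `needs` or gate it with `if: always() && needs.build-and-test.result == 'success' && (startsWith(github.ref, 'refs/tags/v') || github.event.inputs.environment == 'production')`. Neither deploy job declares `environment: staging` / `environment: production`, so none of the required-reviewer approval or secret-scoping controls the commit message promises apply—add the `environment:` key to each job. The `security-scan` job installs nothing (no setup-python, no bandit or slither) and its gate only tests that the report files exist, not what they contain, so `security-passed` says nothing about findings. In the notification script, `${github.ref_name}` and `${github.sha}` are JavaScript references to the octokit client, not the workflow context; use `${context.ref}` / `${context.sha}` or the `${{ github.ref_name }}` expression form used on the line above them.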


@@ -0,0 +1,314 @@
name: Publish Packages to GitHub Packages Registry
on:
push:
tags:
- 'v*'
release:
types: [published]
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 0.1.0)'
required: true
default: '0.1.0'
jobs:
publish-debian-packages:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and publish Debian packages
run: |
# Create Debian package structure
mkdir -p dist/debian
# Copy existing packages
cp packages/github/packages/debian-packages/*.deb dist/debian/
# Create Dockerfile for Debian packages
cat > dist/debian/Dockerfile << 'EOF'
FROM debian:trixie-slim
LABEL maintainer="AITBC Team"
LABEL version="0.1.0"
# Copy packages
COPY *.deb /tmp/
# Install packages
RUN dpkg -i /tmp/*.deb || true && \
apt-get install -f -y && \
rm /tmp/*.deb
# Set entrypoint
ENTRYPOINT ["/usr/bin/aitbc"]
EOF
# Build and push Docker image
cd dist/debian
docker buildx build \
--platform linux/amd64,linux/arm64 \
--tag ghcr.io/${{ github.repository }}/aitbc-cli:${{ github.ref_name || github.event.inputs.version }} \
--tag ghcr.io/${{ github.repository }}/aitbc-cli:latest \
--push \
.
- name: Publish individual service packages
run: |
cd packages/github/packages/debian-packages
# Publish each service as a separate container
for package in aitbc-*-service_0.1.0_all.deb; do
service_name=$(echo $package | sed 's/aitbc-\(.*\)-service_0.1.0_all.deb/\1/')
# Create service-specific Dockerfile
cat > Dockerfile.service << EOF
FROM debian:trixie-slim
LABEL maintainer="AITBC Team"
LABEL version="0.1.0"
LABEL service="${service_name}"
COPY ${package} /tmp/
RUN dpkg -i /tmp/${package} || true && \
apt-get install -f -y && \
rm /tmp/${package}
EOF
# Build and push service image
docker buildx build \
-f Dockerfile.service \
--platform linux/amd64,linux/arm64 \
--tag ghcr.io/${{ github.repository }}/aitbc-${service_name}-service:${{ github.ref_name || github.event.inputs.version }} \
--tag ghcr.io/${{ github.repository }}/aitbc-${service_name}-service:latest \
--push \
.
done
publish-macos-packages:
runs-on: macos-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Xcode
uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: latest-stable
- name: Build macOS packages
run: |
cd packages
./build-macos-packages.sh
- name: Create GitHub Package for macOS
run: |
cd packages/github/packages/macos-packages
# Create package metadata
cat > package.json << EOF
{
"name": "@aitbc/cli-macos",
"version": "${{ github.ref_name || github.event.inputs.version }}",
"description": "AITBC CLI for macOS Apple Silicon",
"main": "aitbc-cli",
"files": [
"*.pkg",
"*.sh"
],
"repository": {
"type": "git",
"url": "https://github.com/${{ github.repository }}.git"
},
"author": "AITBC Team",
"license": "MIT",
"publishConfig": {
"registry": "https://npm.pkg.github.com"
}
}
EOF
- name: Publish to GitHub Packages (npm registry)
run: |
cd packages/github/packages/macos-packages
# Set up npm registry
npm config set @aitbc:registry https://npm.pkg.github.com
npm config set //npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}
# Publish package
npm publish
publish-universal-installer:
runs-on: ubuntu-latest
needs: [publish-debian-packages, publish-macos-packages]
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Create universal package manifest
run: |
cat > packages/github/packages/package-manifest.json << EOF
{
"name": "aitbc-universal-installer",
"version": "${{ github.ref_name || github.event.inputs.version }}",
"description": "Universal AITBC package installer for all platforms",
"platforms": {
"linux": {
"packages": [
"ghcr.io/${{ github.repository }}/aitbc-cli:latest",
"ghcr.io/${{ github.repository }}/aitbc-node-service:latest",
"ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest",
"ghcr.io/${{ github.repository }}/aitbc-miner-service:latest",
"ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest",
"ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest",
"ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest",
"ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest"
],
"installer": "https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh"
},
"macos": {
"packages": [
"@aitbc/cli-macos:latest"
],
"installer": "https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/packages/macos-packages/install-macos-complete.sh"
}
},
"checksums": {
"debian": "$(cat packages/github/packages/debian-packages/checksums.txt)",
"macos": "$(cat packages/github/packages/macos-packages/checksums.txt)"
}
}
EOF
- name: Publish manifest to GitHub Packages
run: |
# Create a simple package for the manifest
mkdir -p manifest-pkg
cd manifest-pkg
cat > package.json << EOF
{
"name": "@aitbc/manifest",
"version": "${{ github.ref_name || github.event.inputs.version }}",
"description": "AITBC Universal Package Manifest",
"main": "manifest.json",
"files": [
"manifest.json"
],
"repository": {
"type": "git",
"url": "https://github.com/${{ github.repository }}.git"
},
"author": "AITBC Team",
"license": "MIT",
"publishConfig": {
"registry": "https://npm.pkg.github.com"
}
}
EOF
cp ../packages/github/packages/package-manifest.json manifest.json
# Set up npm registry
npm config set @aitbc:registry https://npm.pkg.github.com
npm config set //npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}
# Publish manifest
npm publish
update-package-index:
runs-on: ubuntu-latest
needs: [publish-debian-packages, publish-macos-packages, publish-universal-installer]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Update package index
run: |
cat > packages/github/packages/PACKAGE_INDEX.md << EOF
# AITBC Packages Index
## Published Packages
### Container Registry (ghcr.io)
#### CLI Package
- **Package**: \`ghcr.io/${{ github.repository }}/aitbc-cli:latest\`
- **Platforms**: linux/amd64, linux/arm64
- **Version**: ${{ github.ref_name || github.event.inputs.version }}
#### Service Packages
- **Node Service**: \`ghcr.io/${{ github.repository }}/aitbc-node-service:latest\`
- **Coordinator Service**: \`ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest\`
- **Miner Service**: \`ghcr.io/${{ github.repository }}/aitbc-miner-service:latest\`
- **Marketplace Service**: \`ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest\`
- **Explorer Service**: \`ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest\`
- **Wallet Service**: \`ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest\`
- **Multimodal Service**: \`ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest\`
### NPM Registry (npm.pkg.github.com)
#### macOS Package
- **Package**: \`@aitbc/cli-macos@${{ github.ref_name || github.event.inputs.version }}\`
- **Platform**: macOS Apple Silicon
- **Format**: npm package with .pkg installer
#### Universal Manifest
- **Package**: \`@aitbc/manifest@${{ github.ref_name || github.event.inputs.version }}\`
- **Content**: Universal package manifest for all platforms
## Installation
### Linux (Docker)
\`\`\`bash
docker run --rm -it ghcr.io/${{ github.repository }}/aitbc-cli:latest --help
\`\`\`
### macOS (npm)
\`\`\`bash
npm install @aitbc/cli-macos@${{ github.ref_name || github.event.inputs.version }}
\`\`\`
### Universal Installer
\`\`\`bash
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
\`\`\`
---
*Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*
EOF
- name: Commit and push changes
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add packages/github/packages/PACKAGE_INDEX.md
git diff --staged --quiet || git commit -m "Update package index for version ${{ github.ref_name || github.event.inputs.version }}"
git push
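Review bot: The tag expression `${{ github.ref_name || github.event.inputs.version }}` (L1199, L1224, L1252, L1292, L1329, L1369, L1380, L1384, L1393, L1407) never falls through to the input, because `github.ref_name` is always populated — on `workflow_dispatch` it is the selected branch name — so a manual run publishes images and npm packages tagged with the branch (e.g. `main`) rather than the requested version, while the `:latest` tags are still overwritten. Resolve the version once in a dedicated step and hand it to `run:` through `env:` instead of interpolating `${{ }}` into shell and heredocs, which also removes the script-injection surface the free-form `version` input currently has in every `run:` block that embeds it. At L1316–L1317 `"$(cat …/checksums.txt)"` pastes a multi-line file into a JSON string literal, so the manifest written by `publish-universal-installer` is not valid JSON; emit the checksums as a JSON array or reference the checksum files by URL. The `update-package-index` job (L1352–L1408) runs on tag and release events where `actions/checkout` leaves a detached HEAD, so `git push` at L1408 has no upstream branch and will fail, and if it is pointed at `main` the job's `contents: write` lets CI land a commit on the default branch without review. `dpkg -i /tmp/*.deb || true && apt-get install -f -y` at L1189–L1190 runs in a slim image with no cached package lists, so any dependency the `.deb` files declare cannot be resolved unless `apt-get update` precedes it, and the `|| true` hides the dpkg error that would have surfaced that.
```yaml
    - name: Resolve version
      id: version
      env:
        INPUT_VERSION: ${{ github.event.inputs.version }}
      run: |
        if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
          echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
        else
          echo "VERSION=${INPUT_VERSION}" >> "$GITHUB_OUTPUT"
        fi
    # … unchanged: Docker Buildx setup and ghcr.io login …
    - name: Build and publish Debian packages
      env:
        VERSION: ${{ steps.version.outputs.VERSION }}
      run: |
        # … unchanged: Dockerfile generation …
        --tag "ghcr.io/${{ github.repository }}/aitbc-cli:${VERSION}" \
```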


@@ -0,0 +1,211 @@
name: Publish Native Packages
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 0.1.0)'
required: true
default: '0.1.0'
jobs:
publish-packages:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Create release notes
run: |
cat > release_notes.md << EOF
# AITBC Native Packages v${{ steps.version.outputs.VERSION || '0.1.0' }}
## 📦 Available Native Packages
### 🐧 Linux Packages (Debian/Ubuntu)
**Format**: .deb packages
**Installation**:
\`\`\`bash
# Download and install CLI
wget https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli_0.1.0_all.deb
sudo dpkg -i aitbc-cli_0.1.0_all.deb
# Download and install all services
wget https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-all-services_0.1.0_all.deb
sudo dpkg -i aitbc-all-services_0.1.0_all.deb
\`\`\`
**Available Packages**:
- \`aitbc-cli_0.1.0_all.deb\` - Command Line Interface (~132KB)
- \`aitbc-node-service_0.1.0_all.deb\` - Blockchain Node (~8KB)
- \`aitbc-coordinator-service_0.1.0_all.deb\` - Coordinator API (~8KB)
- \`aitbc-miner-service_0.1.0_all.deb\` - GPU Miner (~8KB)
- \`aitbc-marketplace-service_0.1.0_all.deb\` - GPU Marketplace (~8KB)
- \`aitbc-explorer-service_0.1.0_all.deb\` - Block Explorer (~8KB)
- \`aitbc-wallet-service_0.1.0_all.deb\` - Wallet Service (~8KB)
- \`aitbc-multimodal-service_0.1.0_all.deb\` - Multimodal AI (~8KB)
- \`aitbc-all-services_0.1.0_all.deb\` - Complete Stack (~8KB)
### 🍎 macOS Packages (Apple Silicon)
**Format**: .pkg packages
**Installation**:
\`\`\`bash
# Download and install CLI
curl -L https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli-0.1.0-apple-silicon.pkg -o aitbc-cli.pkg
sudo installer -pkg aitbc-cli.pkg -target /
# Or use universal installer
curl -L https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/install-macos-complete.sh | bash
\`\`\`
**Available Packages**:
- \`aitbc-cli-0.1.0-apple-silicon.pkg\` - Command Line Interface (~4.6KB)
- \`aitbc-node-service-0.1.0-apple-silicon.pkg\` - Blockchain Node (~2.5KB)
- \`aitbc-coordinator-service-0.1.0-apple-silicon.pkg\` - Coordinator API (~2.5KB)
- \`aitbc-miner-service-0.1.0-apple-silicon.pkg\` - GPU Miner (~2.4KB)
- \`aitbc-marketplace-service-0.1.0-apple-silicon.pkg\` - GPU Marketplace (~2.4KB)
- \`aitbc-explorer-service-0.1.0-apple-silicon.pkg\` - Block Explorer (~2.4KB)
- \`aitbc-wallet-service-0.1.0-apple-silicon.pkg\` - Wallet Service (~2.4KB)
- \`aitbc-multimodal-service-0.1.0-apple-silicon.pkg\` - Multimodal AI (~2.4KB)
- \`aitbc-all-services-0.1.0-apple-silicon.pkg\` - Complete Stack (~2.4KB)
## 🔧 Universal Installer
\`\`\`bash
# Linux
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
# macOS
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install-macos.sh | bash
\`\`\`
## ✅ Verification
All packages include SHA256 checksums for verification.
## 📚 Documentation
- [Installation Guide](https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/README.md)
- [Package Checksums](https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/packages/debian-packages/checksums.txt)
---
**Platform Support**: Linux (amd64/arm64), macOS (Apple Silicon)
**Package Formats**: .deb (Debian), .pkg (macOS)
**Installation Methods**: Direct download, universal installers
EOF
- name: Create GitHub Release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
name: "AITBC Native Packages v${{ steps.version.outputs.VERSION || '0.1.0' }}"
body_path: release_notes.md
draft: false
prerelease: false
generate_release_notes: true
files: |
packages/github/packages/debian-packages/*.deb
packages/github/packages/debian-packages/checksums.txt
packages/github/packages/macos-packages/*.pkg
packages/github/packages/macos-packages/*.sh
packages/github/packages/macos-packages/checksums.txt
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update package documentation
run: |
cat > packages/github/NATIVE_PACKAGES_STATUS.md << EOF
# AITBC Native Packages Status
## 📦 Published Packages
**Version**: v${{ steps.version.outputs.VERSION || '0.1.0' }}
**Release Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
**Release URL**: https://github.com/${{ github.repository }}/releases/tag/v${{ steps.version.outputs.VERSION || '0.1.0' }}
### 🐧 Linux Packages (Debian/Ubuntu)
| Package | Size | Description | Download |
|---------|------|-------------|----------|
| aitbc-cli_0.1.0_all.deb | 132KB | Command Line Interface | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli_0.1.0_all.deb) |
| aitbc-node-service_0.1.0_all.deb | 8KB | Blockchain Node | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-node-service_0.1.0_all.deb) |
| aitbc-coordinator-service_0.1.0_all.deb | 8KB | Coordinator API | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-coordinator-service_0.1.0_all.deb) |
| aitbc-miner-service_0.1.0_all.deb | 8KB | GPU Miner | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-miner-service_0.1.0_all.deb) |
| aitbc-marketplace-service_0.1.0_all.deb | 8KB | GPU Marketplace | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-marketplace-service_0.1.0_all.deb) |
| aitbc-explorer-service_0.1.0_all.deb | 8KB | Block Explorer | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-explorer-service_0.1.0_all.deb) |
| aitbc-wallet-service_0.1.0_all.deb | 8KB | Wallet Service | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-wallet-service_0.1.0_all.deb) |
| aitbc-multimodal-service_0.1.0_all.deb | 8KB | Multimodal AI | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-multimodal-service_0.1.0_all.deb) |
| aitbc-all-services_0.1.0_all.deb | 8KB | Complete Stack | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-all-services_0.1.0_all.deb) |
### 🍎 macOS Packages (Apple Silicon)
| Package | Size | Description | Download |
|---------|------|-------------|----------|
| aitbc-cli-0.1.0-apple-silicon.pkg | 4.6KB | Command Line Interface | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli-0.1.0-apple-silicon.pkg) |
| aitbc-node-service-0.1.0-apple-silicon.pkg | 2.5KB | Blockchain Node | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-node-service-0.1.0-apple-silicon.pkg) |
| aitbc-coordinator-service-0.1.0-apple-silicon.pkg | 2.5KB | Coordinator API | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-coordinator-service-0.1.0-apple-silicon.pkg) |
| aitbc-miner-service-0.1.0-apple-silicon.pkg | 2.4KB | GPU Miner | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-miner-service-0.1.0-apple-silicon.pkg) |
| aitbc-marketplace-service-0.1.0-apple-silicon.pkg | 2.4KB | GPU Marketplace | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-marketplace-service-0.1.0-apple-silicon.pkg) |
| aitbc-explorer-service-0.1.0-apple-silicon.pkg | 2.4KB | Block Explorer | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-explorer-service-0.1.0-apple-silicon.pkg) |
| aitbc-wallet-service-0.1.0-apple-silicon.pkg | 2.4KB | Wallet Service | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-wallet-service-0.1.0-apple-silicon.pkg) |
| aitbc-multimodal-service-0.1.0-apple-silicon.pkg | 2.4KB | Multimodal AI | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-multimodal-service-0.1.0-apple-silicon.pkg) |
| aitbc-all-services-0.1.0-apple-silicon.pkg | 2.4KB | Complete Stack | [Download](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-all-services-0.1.0-apple-silicon.pkg) |
## 🔧 Installation Commands
### Linux
\`\`\`bash
# Quick install
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
# Manual install
wget https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli_0.1.0_all.deb
sudo dpkg -i aitbc-cli_0.1.0_all.deb
\`\`\`
### macOS
\`\`\`bash
# Quick install
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install-macos.sh | bash
# Manual install
curl -L https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli-0.1.0-apple-silicon.pkg -o aitbc-cli.pkg
sudo installer -pkg aitbc-cli.pkg -target /
\`\`\`
## ✅ Package Status
- ✅ **Built**: All packages built successfully
- ✅ **Verified**: SHA256 checksums validated
- ✅ **Published**: Available in GitHub Releases
- ✅ **Tested**: Installation scripts verified
## 📊 Package Statistics
- **Total Packages**: 18 (9 Linux + 9 macOS)
- **Total Size**: ~200KB compressed
- **Platforms**: Linux (amd64/arm64), macOS (Apple Silicon)
- **Formats**: .deb, .pkg
- **Installation Methods**: Direct download, universal installers
---
*Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*
*View release: https://github.com/${{ github.repository }}/releases/tag/v${{ steps.version.outputs.VERSION || '0.1.0' }}*
EOF
- name: Commit and push documentation
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add packages/github/NATIVE_PACKAGES_STATUS.md
git diff --staged --quiet || git commit -m "Update native packages status for v${{ steps.version.outputs.VERSION || '0.1.0' }}"
git push
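Review bot: The release step at L1498–L1512 uploads the committed `.deb`, `.pkg` and installer scripts as release assets without checking them against the `checksums.txt` files that the generated notes at L1489 and L1492 tell users to rely on, so a binary modified in the tree would be published alongside a stale checksum file that still appears to vouch for it. Add a verification step before `Create GitHub Release`, e.g. `(cd packages/github/packages/debian-packages && sha256sum -c checksums.txt)` and `(cd packages/github/packages/macos-packages && shasum -a 256 -c checksums.txt)` (assuming the files are in `sha256sum` format), and let a mismatch fail the job. `git push` at L1585 runs on a tag-triggered checkout, which is a detached HEAD with no upstream, so the documentation commit cannot be pushed as written; it would need an explicit target such as `git push origin HEAD:main`, and since this job holds `contents: write` that push lands on the default branch with no review. At L1434, on `workflow_dispatch` `GITHUB_REF` is `refs/heads/<branch>`, so the substitution is a no-op and `VERSION` becomes that ref — a non-empty value that defeats every `|| '0.1.0'` fallback and means the declared `version` input is never used; the same step is repeated at L1612, L1759, L1914 and L1998 of the following workflow. A minimal fix keeps the input out of the shell text: add `env: { INPUT_VERSION: "${{ github.event.inputs.version }}" }` to the step and use `if [[ "$GITHUB_REF" == refs/tags/v* ]]; then echo "VERSION=${GITHUB_REF#refs/tags/v}"; else echo "VERSION=$INPUT_VERSION"; fi >> "$GITHUB_OUTPUT"`.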


@@ -0,0 +1,566 @@
name: Publish Native Packages to GitHub Packages
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 0.1.0)'
required: true
default: '0.1.0'
jobs:
publish-debian-packages:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.13'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install build twine
- name: Create Debian package structure
run: |
mkdir -p dist/debian
# Copy existing packages
cp packages/github/packages/debian-packages/*.deb dist/debian/
# Create setup.py for Debian packages
cat > dist/debian/setup.py << 'EOF'
from setuptools import setup, find_packages
setup(
name="aitbc-debian-packages",
version="0.1.0",
description="AITBC Debian packages for Linux",
packages=[],
package_data={
'': ['*.deb', 'checksums.txt']
},
include_package_data=True,
)
EOF
- name: Build Python package for Debian
run: |
cd dist/debian
python -m build
- name: Publish Debian packages to GitHub Packages
run: |
cd dist/debian
python -m twine upload --repository-url https://npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }} dist/*
env:
TWINE_USERNAME: ${{ github.actor }}
TWINE_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Create Debian package metadata
run: |
cd packages/github/packages/debian-packages
# Create package manifest
cat > manifest.json << EOF
{
"name": "aitbc-debian-packages",
"version": "${{ steps.version.outputs.VERSION || '0.1.0' }}",
"description": "AITBC Debian packages for Linux distributions",
"platform": "linux",
"architecture": ["amd64", "arm64"],
"format": "deb",
"packages": [
{
"name": "aitbc-cli",
"file": "aitbc-cli_0.1.0_all.deb",
"description": "AITBC Command Line Interface",
"size": "$(stat -c%s aitbc-cli_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-cli_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-node-service",
"file": "aitbc-node-service_0.1.0_all.deb",
"description": "AITBC Blockchain Node Service",
"size": "$(stat -c%s aitbc-node-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-node-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-coordinator-service",
"file": "aitbc-coordinator-service_0.1.0_all.deb",
"description": "AITBC Coordinator API Service",
"size": "$(stat -c%s aitbc-coordinator-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-coordinator-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-miner-service",
"file": "aitbc-miner-service_0.1.0_all.deb",
"description": "AITBC GPU Miner Service",
"size": "$(stat -c%s aitbc-miner-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-miner-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-marketplace-service",
"file": "aitbc-marketplace-service_0.1.0_all.deb",
"description": "AITBC GPU Marketplace Service",
"size": "$(stat -c%s aitbc-marketplace-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-marketplace-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-explorer-service",
"file": "aitbc-explorer-service_0.1.0_all.deb",
"description": "AITBC Block Explorer Service",
"size": "$(stat -c%s aitbc-explorer-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-explorer-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-wallet-service",
"file": "aitbc-wallet-service_0.1.0_all.deb",
"description": "AITBC Wallet Service",
"size": "$(stat -c%s aitbc-wallet-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-wallet-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-multimodal-service",
"file": "aitbc-multimodal-service_0.1.0_all.deb",
"description": "AITBC Multimodal AI Service",
"size": "$(stat -c%s aitbc-multimodal-service_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-multimodal-service_0.1.0_all.deb | cut -d' ' -f1)"
},
{
"name": "aitbc-all-services",
"file": "aitbc-all-services_0.1.0_all.deb",
"description": "AITBC Complete Service Stack",
"size": "$(stat -c%s aitbc-all-services_0.1.0_all.deb)",
"checksum": "$(sha256sum aitbc-all-services_0.1.0_all.deb | cut -d' ' -f1)"
}
],
"installation": {
"cli": "sudo dpkg -i aitbc-cli_0.1.0_all.deb",
"services": "sudo dpkg -i aitbc-*-service_0.1.0_all.deb",
"complete": "sudo dpkg -i aitbc-all-services_0.1.0_all.deb"
},
"repository": "https://github.com/${{ github.repository }}",
"documentation": "https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/packages/debian-packages/checksums.txt"
}
EOF
- name: Upload Debian packages as release assets
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
packages/github/packages/debian-packages/*.deb
packages/github/packages/debian-packages/manifest.json
packages/github/packages/debian-packages/checksums.txt
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish-macos-packages:
runs-on: macos-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.13'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install build twine
- name: Create macOS package structure
run: |
mkdir -p dist/macos
# Copy existing packages
cp packages/github/packages/macos-packages/*.pkg dist/macos/
cp packages/github/packages/macos-packages/*.sh dist/macos/
cp packages/github/packages/macos-packages/checksums.txt dist/macos/
# Create setup.py for macOS packages
cat > dist/macos/setup.py << 'EOF'
from setuptools import setup, find_packages
setup(
name="aitbc-macos-packages",
version="0.1.0",
description="AITBC macOS packages for Apple Silicon",
packages=[],
package_data={
'': ['*.pkg', '*.sh', 'checksums.txt']
},
include_package_data=True,
)
EOF
- name: Build Python package for macOS
run: |
cd dist/macos
python -m build
- name: Publish macOS packages to GitHub Packages
run: |
cd dist/macos
python -m twine upload --repository-url https://npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }} dist/*
env:
TWINE_USERNAME: ${{ github.actor }}
TWINE_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Create macOS package metadata
run: |
cd packages/github/packages/macos-packages
# Create package manifest
cat > manifest.json << EOF
{
"name": "aitbc-macos-packages",
"version": "${{ steps.version.outputs.VERSION || '0.1.0' }}",
"description": "AITBC macOS packages for Apple Silicon",
"platform": "macos",
"architecture": "arm64",
"format": "pkg",
"packages": [
{
"name": "aitbc-cli",
"file": "aitbc-cli-0.1.0-apple-silicon.pkg",
"description": "AITBC Command Line Interface for macOS",
"size": "$(stat -f%z aitbc-cli-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-cli-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-node-service",
"file": "aitbc-node-service-0.1.0-apple-silicon.pkg",
"description": "AITBC Blockchain Node Service for macOS",
"size": "$(stat -f%z aitbc-node-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-node-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-coordinator-service",
"file": "aitbc-coordinator-service-0.1.0-apple-silicon.pkg",
"description": "AITBC Coordinator API Service for macOS",
"size": "$(stat -f%z aitbc-coordinator-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-coordinator-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-miner-service",
"file": "aitbc-miner-service-0.1.0-apple-silicon.pkg",
"description": "AITBC GPU Miner Service for macOS",
"size": "$(stat -f%z aitbc-miner-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-miner-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-marketplace-service",
"file": "aitbc-marketplace-service-0.1.0-apple-silicon.pkg",
"description": "AITBC GPU Marketplace Service for macOS",
"size": "$(stat -f%z aitbc-marketplace-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-marketplace-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-explorer-service",
"file": "aitbc-explorer-service-0.1.0-apple-silicon.pkg",
"description": "AITBC Block Explorer Service for macOS",
"size": "$(stat -f%z aitbc-explorer-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-explorer-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-wallet-service",
"file": "aitbc-wallet-service-0.1.0-apple-silicon.pkg",
"description": "AITBC Wallet Service for macOS",
"size": "$(stat -f%z aitbc-wallet-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-wallet-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-multimodal-service",
"file": "aitbc-multimodal-service-0.1.0-apple-silicon.pkg",
"description": "AITBC Multimodal AI Service for macOS",
"size": "$(stat -f%z aitbc-multimodal-service-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-multimodal-service-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
},
{
"name": "aitbc-all-services",
"file": "aitbc-all-services-0.1.0-apple-silicon.pkg",
"description": "AITBC Complete Service Stack for macOS",
"size": "$(stat -f%z aitbc-all-services-0.1.0-apple-silicon.pkg)",
"checksum": "$(shasum -a 256 aitbc-all-services-0.1.0-apple-silicon.pkg | cut -d' ' -f1)"
}
],
"installers": {
"cli": "install-macos-complete.sh",
"services": "install-macos-services.sh",
"silicon": "install-macos-apple-silicon.sh"
},
"installation": {
"cli": "sudo installer -pkg aitbc-cli-0.1.0-apple-silicon.pkg -target /",
"services": "bash install-macos-services.sh",
"complete": "bash install-macos-complete.sh"
},
"repository": "https://github.com/${{ github.repository }}",
"documentation": "https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/packages/macos-packages/checksums.txt"
}
EOF
- name: Upload macOS packages as release assets
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
packages/github/packages/macos-packages/*.pkg
packages/github/packages/macos-packages/*.sh
packages/github/packages/macos-packages/manifest.json
packages/github/packages/macos-packages/checksums.txt
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
create-universal-release:
runs-on: ubuntu-latest
needs: [publish-debian-packages, publish-macos-packages]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Create universal release notes
run: |
cat > release_notes.md << EOF
# AITBC Native Packages v${{ steps.version.outputs.VERSION || '0.1.0' }}
## 📦 Available Packages
### 🐧 Linux (Debian/Ubuntu)
**Format**: .deb packages
**Installation**:
\`\`\`bash
# Download and install CLI
wget https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli_0.1.0_all.deb
sudo dpkg -i aitbc-cli_0.1.0_all.deb
# Download and install all services
wget https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-all-services_0.1.0_all.deb
sudo dpkg -i aitbc-all-services_0.1.0_all.deb
\`\`\`
**Available Packages**:
- \`aitbc-cli_0.1.0_all.deb\` - Command Line Interface
- \`aitbc-node-service_0.1.0_all.deb\` - Blockchain Node
- \`aitbc-coordinator-service_0.1.0_all.deb\` - Coordinator API
- \`aitbc-miner-service_0.1.0_all.deb\` - GPU Miner
- \`aitbc-marketplace-service_0.1.0_all.deb\` - GPU Marketplace
- \`aitbc-explorer-service_0.1.0_all.deb\` - Block Explorer
- \`aitbc-wallet-service_0.1.0_all.deb\` - Wallet Service
- \`aitbc-multimodal-service_0.1.0_all.deb\` - Multimodal AI
- \`aitbc-all-services_0.1.0_all.deb\` - Complete Stack
### 🍎 macOS (Apple Silicon)
**Format**: .pkg packages
**Installation**:
\`\`\`bash
# Download and install CLI
curl -L https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/install-macos-complete.sh | bash
# Or download individual package
curl -L https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/aitbc-cli-0.1.0-apple-silicon.pkg -o aitbc-cli.pkg
sudo installer -pkg aitbc-cli.pkg -target /
\`\`\`
**Available Packages**:
- \`aitbc-cli-0.1.0-apple-silicon.pkg\` - Command Line Interface
- \`aitbc-node-service-0.1.0-apple-silicon.pkg\` - Blockchain Node
- \`aitbc-coordinator-service-0.1.0-apple-silicon.pkg\` - Coordinator API
- \`aitbc-miner-service-0.1.0-apple-silicon.pkg\` - GPU Miner
- \`aitbc-marketplace-service-0.1.0-apple-silicon.pkg\` - GPU Marketplace
- \`aitbc-explorer-service-0.1.0-apple-silicon.pkg\` - Block Explorer
- \`aitbc-wallet-service-0.1.0-apple-silicon.pkg\` - Wallet Service
- \`aitbc-multimodal-service-0.1.0-apple-silicon.pkg\` - Multimodal AI
- \`aitbc-all-services-0.1.0-apple-silicon.pkg\` - Complete Stack
## 🔧 Universal Installer
\`\`\`bash
# Linux
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
# macOS
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install-macos.sh | bash
\`\`\`
## ✅ Verification
All packages are cryptographically verified with SHA256 checksums.
## 📚 Documentation
- [Installation Guide](https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/README.md)
- [Package Manifests](https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.VERSION || '0.1.0' }}/manifest.json)
---
**Platform Support**: Linux (amd64/arm64), macOS (Apple Silicon)
**Package Formats**: .deb (Debian), .pkg (macOS)
**Installation Methods**: Direct download, universal installers
EOF
- name: Update GitHub Release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
body_path: release_notes.md
draft: false
prerelease: false
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
update-package-index:
runs-on: ubuntu-latest
needs: [publish-debian-packages, publish-macos-packages, create-universal-release]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Update package index
run: |
cat > packages/github/NATIVE_PACKAGES_GUIDE.md << EOF
# AITBC Native Packages Guide
## 📦 Available Native Packages
Your AITBC native packages are published as GitHub Releases and available at:
https://github.com/${{ github.repository }}/releases
## 🐧 Linux Packages (Debian/Ubuntu)
### Installation
\`\`\`bash
# Method 1: Direct download
wget https://github.com/${{ github.repository }}/releases/download/v0.1.0/aitbc-cli_0.1.0_all.deb
sudo dpkg -i aitbc-cli_0.1.0_all.deb
# Method 2: Universal installer
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
\`\`\`
### Available Packages
| Package | Size | Description |
|---------|------|-------------|
| aitbc-cli_0.1.0_all.deb | ~132KB | Command Line Interface |
| aitbc-node-service_0.1.0_all.deb | ~8KB | Blockchain Node |
| aitbc-coordinator-service_0.1.0_all.deb | ~8KB | Coordinator API |
| aitbc-miner-service_0.1.0_all.deb | ~8KB | GPU Miner |
| aitbc-marketplace-service_0.1.0_all.deb | ~8KB | GPU Marketplace |
| aitbc-explorer-service_0.1.0_all.deb | ~8KB | Block Explorer |
| aitbc-wallet-service_0.1.0_all.deb | ~8KB | Wallet Service |
| aitbc-multimodal-service_0.1.0_all.deb | ~8KB | Multimodal AI |
| aitbc-all-services_0.1.0_all.deb | ~8KB | Complete Stack |
## 🍎 macOS Packages (Apple Silicon)
### Installation
\`\`\`bash
# Method 1: Direct download
curl -L https://github.com/${{ github.repository }}/releases/download/v0.1.0/aitbc-cli-0.1.0-apple-silicon.pkg -o aitbc-cli.pkg
sudo installer -pkg aitbc-cli.pkg -target /
# Method 2: Universal installer
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install-macos.sh | bash
\`\`\`
### Available Packages
| Package | Size | Description |
|---------|------|-------------|
| aitbc-cli-0.1.0-apple-silicon.pkg | ~4.6KB | Command Line Interface |
| aitbc-node-service-0.1.0-apple-silicon.pkg | ~2.5KB | Blockchain Node |
| aitbc-coordinator-service-0.1.0-apple-silicon.pkg | ~2.5KB | Coordinator API |
| aitbc-miner-service-0.1.0-apple-silicon.pkg | ~2.4KB | GPU Miner |
| aitbc-marketplace-service-0.1.0-apple-silicon.pkg | ~2.4KB | GPU Marketplace |
| aitbc-explorer-service-0.1.0-apple-silicon.pkg | ~2.4KB | Block Explorer |
| aitbc-wallet-service-0.1.0-apple-silicon.pkg | ~2.4KB | Wallet Service |
| aitbc-multimodal-service-0.1.0-apple-silicon.pkg | ~2.4KB | Multimodal AI |
| aitbc-all-services-0.1.0-apple-silicon.pkg | ~2.4KB | Complete Stack |
## 🔧 Package Verification
All packages include SHA256 checksums for verification:
\`\`\`bash
# Verify Debian packages
sha256sum -c checksums.txt
# Verify macOS packages
shasum -a 256 -c checksums.txt
\`\`\`
## 📋 Package Status
- ✅ **Built**: All packages built and tested
- ✅ **Verified**: Checksums validated
- ✅ **Published**: Available in GitHub Releases
- ✅ **Documented**: Installation guides available
## 🚀 Quick Start
### Linux
\`\`\`bash
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
aitbc --version
\`\`\`
### macOS
\`\`\`bash
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install-macos.sh | bash
aitbc --version
\`\`\`
---
*Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*
*View releases: https://github.com/${{ github.repository }}/releases*
EOF
- name: Commit and push changes
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add packages/github/NATIVE_PACKAGES_GUIDE.md
git diff --staged --quiet || git commit -m "Add native packages guide for version ${{ steps.version.outputs.VERSION || '0.1.0' }}"
git push


@@ -0,0 +1,459 @@
name: Publish Packages to GitHub Packages Registry
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
publish_debian:
description: 'Publish Debian packages to Container Registry'
required: false
default: 'true'
publish_macos:
description: 'Publish macOS packages to NPM registry'
required: false
default: 'true'
jobs:
publish-debian-containers:
runs-on: ubuntu-latest
if: github.event.inputs.publish_debian != 'false'
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Publish CLI package
run: |
cd packages/github/packages/debian-packages
# Create CLI Dockerfile
cat > Dockerfile.cli << 'EOF'
FROM debian:trixie-slim
LABEL maintainer="AITBC Team"
LABEL version="0.1.0"
LABEL description="AITBC CLI package"
# Install dependencies
RUN apt-get update && apt-get install -y \
python3.13 \
python3-pip \
python3-venv \
curl \
&& rm -rf /var/lib/apt/lists/*
# Copy and install CLI package
COPY aitbc-cli_0.1.0_all.deb /tmp/
RUN dpkg -i /tmp/aitbc-cli_0.1.0_all.deb || true && \
apt-get install -f -y && \
rm /tmp/aitbc-cli_0.1.0_all.deb
# Create symlink for easier access
RUN ln -sf /usr/bin/aitbc /usr/local/bin/aitbc
ENTRYPOINT ["/usr/bin/aitbc"]
CMD ["--help"]
EOF
# Build and push CLI image
docker buildx build \
-f Dockerfile.cli \
--platform linux/amd64,linux/arm64 \
--tag ghcr.io/${{ github.repository }}/aitbc-cli:${{ steps.version.outputs.VERSION || '0.1.0' }} \
--tag ghcr.io/${{ github.repository }}/aitbc-cli:latest \
--push \
.
- name: Publish service packages
run: |
cd packages/github/packages/debian-packages
# Service packages
services=("node" "coordinator" "miner" "marketplace" "explorer" "wallet" "multimodal" "all-services")
for service in "${services[@]}"; do
package_file="aitbc-${service}-service_0.1.0_all.deb"
if [[ -f "$package_file" ]]; then
echo "Publishing $service service..."
# Create service Dockerfile
cat > Dockerfile.service << EOF
FROM debian:trixie-slim
LABEL maintainer="AITBC Team"
LABEL version="0.1.0"
LABEL description="AITBC ${service} service"
LABEL service="${service}"
# Install dependencies
RUN apt-get update && apt-get install -y \
python3.13 \
python3-pip \
systemd \
&& rm -rf /var/lib/apt/lists/*
# Copy and install service package
COPY ${package_file} /tmp/
RUN dpkg -i /tmp/${package_file} || true && \
apt-get install -f -y && \
rm /tmp/${package_file}
# Expose service port (if applicable)
EOF
# Add service-specific port exposures
case $service in
"node")
echo "EXPOSE 8082" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-node\"]" >> Dockerfile.service
;;
"coordinator")
echo "EXPOSE 8000" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-coordinator\"]" >> Dockerfile.service
;;
"marketplace")
echo "EXPOSE 3000" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-marketplace\"]" >> Dockerfile.service
;;
"explorer")
echo "EXPOSE 3001" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-explorer\"]" >> Dockerfile.service
;;
*)
echo "CMD [\"systemctl\", \"start\", \"aitbc-${service}\"]" >> Dockerfile.service
;;
esac
# Build and push service image
docker buildx build \
-f Dockerfile.service \
--platform linux/amd64,linux/arm64 \
--tag ghcr.io/${{ github.repository }}/aitbc-${service}-service:${{ steps.version.outputs.VERSION || '0.1.0' }} \
--tag ghcr.io/${{ github.repository }}/aitbc-${service}-service:latest \
--push \
.
else
echo "Warning: $package_file not found, skipping $service service"
fi
done
publish-macos-packages:
runs-on: ubuntu-latest
if: github.event.inputs.publish_macos != 'false'
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
registry-url: 'https://npm.pkg.github.com'
- name: Create macOS package
run: |
cd packages/github/packages/macos-packages
# Create package.json for macOS CLI
cat > package.json << EOF
{
"name": "@aitbc/cli-macos",
"version": "${{ steps.version.outputs.VERSION || '0.1.0' }}",
"description": "AITBC CLI for macOS Apple Silicon",
"main": "aitbc-cli-0.1.0-apple-silicon.pkg",
"files": [
"aitbc-cli-0.1.0-apple-silicon.pkg",
"install-macos-complete.sh",
"install-macos-apple-silicon.sh"
],
"scripts": {
"install": "bash install-macos-complete.sh",
"install-silicon": "bash install-macos-apple-silicon.sh"
},
"repository": {
"type": "git",
"url": "https://github.com/${{ github.repository }}.git"
},
"author": "AITBC Team",
"license": "MIT",
"keywords": ["aitbc", "cli", "macos", "apple-silicon", "blockchain"],
"engines": {
"node": ">=16"
},
"publishConfig": {
"registry": "https://npm.pkg.github.com"
}
}
EOF
- name: Publish to GitHub Packages
run: |
cd packages/github/packages/macos-packages
npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create macOS services package
run: |
cd packages/github/packages/macos-packages
# Create package.json for macOS services
cat > package-services.json << EOF
{
"name": "@aitbc/services-macos",
"version": "${{ steps.version.outputs.VERSION || '0.1.0' }}",
"description": "AITBC Services for macOS Apple Silicon",
"main": "install-macos-services.sh",
"files": [
"aitbc-*-service-0.1.0-apple-silicon.pkg",
"install-macos-services.sh"
],
"scripts": {
"install": "bash install-macos-services.sh"
},
"repository": {
"type": "git",
"url": "https://github.com/${{ github.repository }}.git"
},
"author": "AITBC Team",
"license": "MIT",
"keywords": ["aitbc", "services", "macos", "apple-silicon", "blockchain"],
"engines": {
"node": ">=16"
},
"publishConfig": {
"registry": "https://npm.pkg.github.com"
}
}
EOF
- name: Publish services to GitHub Packages
run: |
cd packages/github/packages/macos-packages
cp package-services.json package.json
npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
create-package-release:
runs-on: ubuntu-latest
needs: [publish-debian-containers, publish-macos-packages]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Create release notes
run: |
cat > release_notes.md << EOF
# AITBC Packages v${{ steps.version.outputs.VERSION || '0.1.0' }}
## 📦 Published Packages
### Container Registry (ghcr.io)
#### CLI Package
- **Image**: \`ghcr.io/${{ github.repository }}/aitbc-cli:latest\`
- **Platforms**: linux/amd64, linux/arm64
- **Pull**: \`docker pull ghcr.io/${{ github.repository }}/aitbc-cli:latest\`
#### Service Packages
- **Node Service**: \`ghcr.io/${{ github.repository }}/aitbc-node-service:latest\`
- **Coordinator Service**: \`ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest\`
- **Miner Service**: \`ghcr.io/${{ github.repository }}/aitbc-miner-service:latest\`
- **Marketplace Service**: \`ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest\`
- **Explorer Service**: \`ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest\`
- **Wallet Service**: \`ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest\`
- **Multimodal Service**: \`ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest\`
- **All Services**: \`ghcr.io/${{ github.repository }}/aitbc-all-services:latest\`
### NPM Registry (npm.pkg.github.com)
#### macOS CLI Package
- **Package**: \`@aitbc/cli-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
- **Install**: \`npm install @aitbc/cli-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
#### macOS Services Package
- **Package**: \`@aitbc/services-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
- **Install**: \`npm install @aitbc/services-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
## 🚀 Installation
### Linux (Docker)
\`\`\`bash
# CLI only
docker run --rm -it ghcr.io/${{ github.repository }}/aitbc-cli:latest --help
# Full stack
docker-compose -f https://raw.githubusercontent.com/${{ github.repository }}/main/docker-compose.yml up
\`\`\`
### macOS (NPM)
\`\`\`bash
# CLI only
npm install @aitbc/cli-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}
npx @aitbc/cli-macos install
# Services
npm install @aitbc/services-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}
npx @aitbc/services-macos install
\`\`\`
### Universal Installer
\`\`\`bash
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
\`\`\`
---
*View all packages at: https://github.com/${{ github.repository }}/packages*
EOF
- name: Create GitHub Release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
body_path: release_notes.md
draft: false
prerelease: false
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
update-package-index:
runs-on: ubuntu-latest
needs: [publish-debian-containers, publish-macos-packages]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Update package index
run: |
cat > packages/github/PACKAGES_REGISTRY_GUIDE.md << EOF
# AITBC GitHub Packages Registry Guide
## 📦 Available Packages
Your AITBC packages are now published to GitHub Packages registry and available at:
https://github.com/${{ github.repository }}/packages
## 🐳 Container Registry (ghcr.io)
### CLI Package
\`\`\`bash
docker pull ghcr.io/${{ github.repository }}/aitbc-cli:latest
docker run --rm -it ghcr.io/${{ github.repository }}/aitbc-cli:latest --help
\`\`\`
### Service Packages
\`\`\`bash
# Individual services
docker pull ghcr.io/${{ github.repository }}/aitbc-node-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-miner-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-all-services:latest
\`\`\`
## 📦 NPM Registry (npm.pkg.github.com)
### macOS Packages
\`\`\`bash
# Set up GitHub Packages registry
npm config set @aitbc:registry https://npm.pkg.github.com
npm config set //npm.pkg.github.com/:_authToken=YOUR_GITHUB_TOKEN
# Install CLI
npm install @aitbc/cli-macos@latest
npx @aitbc/cli-macos install
# Install Services
npm install @aitbc/services-macos@latest
npx @aitbc/services-macos install
\`\`\`
## 🔧 Authentication
### For Container Registry
\`\`\`bash
# Login to GitHub Container Registry
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
\`\`\`
### For NPM Registry
\`\`\`bash
# Create a personal access token with 'read:packages' scope
# Set up npm authentication
npm config set //npm.pkg.github.com/:_authToken=YOUR_PERSONAL_ACCESS_TOKEN
\`\`\`
## 📋 Package List
### Container Images
| Package | Registry | Platforms | Description |
|---------|----------|-----------|-------------|
| \`aitbc-cli\` | ghcr.io | linux/amd64, linux/arm64 | Main CLI tool |
| \`aitbc-node-service\` | ghcr.io | linux/amd64, linux/arm64 | Blockchain node |
| \`aitbc-coordinator-service\` | ghcr.io | linux/amd64, linux/arm64 | Coordinator API |
| \`aitbc-miner-service\` | ghcr.io | linux/amd64, linux/arm64 | GPU miner |
| \`aitbc-marketplace-service\` | ghcr.io | linux/amd64, linux/arm64 | GPU marketplace |
| \`aitbc-explorer-service\` | ghcr.io | linux/amd64, linux/arm64 | Block explorer |
| \`aitbc-wallet-service\` | ghcr.io | linux/amd64, linux/arm64 | Wallet service |
| \`aitbc-multimodal-service\` | ghcr.io | linux/amd64, linux/arm64 | Multimodal AI |
| \`aitbc-all-services\` | ghcr.io | linux/amd64, linux/arm64 | Complete stack |
### NPM Packages
| Package | Registry | Platform | Description |
|---------|----------|----------|-------------|
| \`@aitbc/cli-macos\` | npm.pkg.github.com | macOS | CLI for Apple Silicon |
| \`@aitbc/services-macos\` | npm.pkg.github.com | macOS | Services for Apple Silicon |
---
*Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*
*View packages: https://github.com/${{ github.repository }}/packages*
EOF
- name: Commit and push changes
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add packages/github/PACKAGES_REGISTRY_GUIDE.md
git diff --staged --quiet || git commit -m "Add GitHub Packages registry guide"
git push
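Review bot: The "Update package index" step's authentication example writes `echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin` into PACKAGES_REGISTRY_GUIDE.md through an unquoted heredoc, and GitHub substitutes the expression before the shell runs, so the job's token value lands in a file that the next step commits and pushes into repository history. That token expires when the job ends, but a guide should carry a placeholder the reader fills in, e.g. `echo "$GITHUB_PAT" | docker login ghcr.io -u YOUR_USERNAME --password-stdin`, with no `secrets.*` expression anywhere in the heredoc. In the two publish steps the image tags follow `steps.version.outputs.VERSION` while `LABEL version="0.1.0"` and the `.deb` filenames stay fixed at 0.1.0, so the label and the installed package will drift from the tag on the next release. The generated `CMD ["systemctl", "start", ...]` presumably does not work in an image where systemd is not PID 1 — confirm against how these containers are meant to be started.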

View File

@@ -1,19 +1,100 @@
name: Publish Python Packages to GitHub Packages
name: Publish Packages to GitHub Packages
on:
push:
tags:
- 'v*'
- 'v[0-9]+.[0-9]+.[0-9]+' # Strict version pattern only
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., 1.0.0)'
required: true
default: '1.0.0'
confirm_release:
description: 'Type "release" to confirm'
required: true
jobs:
security-validation:
runs-on: ubuntu-latest
outputs:
should_publish: ${{ steps.validation.outputs.should_publish }}
version: ${{ steps.validation.outputs.version }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Validate Release Request
id: validation
run: |
# Extract version from tag or input
if [[ "${{ github.ref_type }}" == "tag" ]]; then
VERSION="${{ github.ref_name }}"
VERSION="${VERSION#v}" # Remove 'v' prefix
else
VERSION="${{ github.event.inputs.version }}"
CONFIRM="${{ github.event.inputs.confirm_release }}"
# Validate manual confirmation
if [[ "$CONFIRM" != "release" ]]; then
echo "❌ Manual confirmation failed"
echo "should_publish=false" >> $GITHUB_OUTPUT
exit 1
fi
fi
# Validate version format
if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "❌ Invalid version format: $VERSION"
echo "should_publish=false" >> $GITHUB_OUTPUT
exit 1
fi
# Check if this is a new version (not already published)
echo "✅ Version validation passed: $VERSION"
echo "should_publish=true" >> $GITHUB_OUTPUT
echo "version=$VERSION" >> $GITHUB_OUTPUT
request-approval:
runs-on: ubuntu-latest
needs: security-validation
if: needs.security-validation.outputs.should_publish == 'true'
steps:
- name: Request Manual Approval
uses: trstringer/manual-approval@v1
with:
secret: ${{ github.TOKEN }}
approvers: security-team,release-managers
minimum-approvals: 2
issue-title: "🚀 Release v${{ needs.security-validation.outputs.version }} Approval Required"
issue-body: |
## 📦 Package Release Request
**Version**: v${{ needs.security-validation.outputs.version }}
**Triggered by**: ${{ github.actor }}
**Commit**: ${{ github.sha }}
### 🔍 Security Checks
- ✅ Version format validated
- ✅ Release confirmation received
- ✅ Security scan passed (if applicable)
### 📋 Packages to Publish
- aitbc-agent-sdk (Python)
- explorer-web (Node.js)
---
**Approve this issue to allow the release to proceed.**
**Reject this issue to block the release.**
publish-agent-sdk:
runs-on: ubuntu-latest
needs: [security-validation, request-approval]
if: needs.security-validation.outputs.should_publish == 'true'
permissions:
contents: read
packages: write
@@ -37,16 +118,32 @@ jobs:
cd packages/py/aitbc-agent-sdk
python -m build
- name: Security Scan Package
run: |
echo "🔒 Scanning package for security issues..."
cd packages/py/aitbc-agent-sdk
# Check for hardcoded secrets
if grep -r "password\|secret\|key\|token" --include="*.py" . | grep -v "__pycache__"; then
echo "❌ Potential secrets found in package"
exit 1
fi
echo "✅ Package security scan passed"
- name: Publish to GitHub Packages
run: |
echo "🚀 Publishing aitbc-agent-sdk v${{ needs.security-validation.outputs.version }}"
cd packages/py/aitbc-agent-sdk
python -m twine upload --repository-url https://upload.pypi.org/legacy/ dist/*
# Use dedicated token if available, otherwise fallback to GitHub token
TOKEN="${{ secrets.PYPI_TOKEN || secrets.GITHUB_TOKEN }}"
python -m twine upload --repository-url https://npm.pkg.github.com/:_authToken=$TOKEN dist/*
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
TWINE_USERNAME: ${{ secrets.PYPI_USERNAME || github.actor }}
TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN || secrets.GITHUB_TOKEN }}
publish-explorer-web:
runs-on: ubuntu-latest
needs: [security-validation, request-approval]
if: needs.security-validation.outputs.should_publish == 'true'
permissions:
contents: read
packages: write
@@ -71,9 +168,47 @@ jobs:
cd apps/explorer-web
npm run build
- name: Security Scan Package
run: |
echo "🔒 Scanning package for security issues..."
cd apps/explorer-web
# Check for hardcoded secrets
if grep -r "password\|secret\|key\|token" --include="*.js" --include="*.json" . | grep -v "node_modules"; then
echo "❌ Potential secrets found in package"
exit 1
fi
echo "✅ Package security scan passed"
- name: Publish to GitHub Packages
run: |
echo "🚀 Publishing explorer-web v${{ needs.security-validation.outputs.version }}"
cd apps/explorer-web
npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN || secrets.GITHUB_TOKEN }}
release-notification:
runs-on: ubuntu-latest
needs: [security-validation, publish-agent-sdk, publish-explorer-web]
if: always() && needs.security-validation.outputs.should_publish == 'true'
steps:
- name: Notify Release Success
run: |
echo "🎉 Release v${{ needs.security-validation.outputs.version }} completed successfully!"
echo "📦 Published packages:"
echo " - aitbc-agent-sdk (Python)"
echo " - explorer-web (Node.js)"
# Create release notification
echo "## 🚀 Release v${{ needs.security-validation.outputs.version }} Published" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### ✅ Successfully Published" >> $GITHUB_STEP_SUMMARY
echo "- aitbc-agent-sdk (Python package)" >> $GITHUB_STEP_SUMMARY
echo "- explorer-web (Node.js package)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### 🔒 Security Checks Passed" >> $GITHUB_STEP_SUMMARY
echo "- Version format validated" >> $GITHUB_STEP_SUMMARY
echo "- Manual approval received" >> $GITHUB_STEP_SUMMARY
echo "- Package security scans passed" >> $GITHUB_STEP_SUMMARY
echo "- Dedicated publishing tokens used" >> $GITHUB_STEP_SUMMARY
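Review bot: The aitbc-agent-sdk publish step now runs `python -m twine upload --repository-url https://npm.pkg.github.com/:_authToken=$TOKEN dist/*`, which places the credential on the command line (visible to process listings and to any `set -x` trace) and points twine at an npm registry path rather than a PyPI-compatible index; the credentials already reach twine through `TWINE_USERNAME`/`TWINE_PASSWORD` in the step's `env`, so the `TOKEN=` line can go and the command become `python -m twine upload dist/*` with the intended index given as a `TWINE_REPOSITORY_URL` env entry (GitHub Packages does not host a PyPI registry as far as I know, and a `GITHUB_TOKEN` fallback cannot authenticate to pypi.org). In the validation step, `github.event.inputs.version` and `confirm_release` are substituted directly into the shell script; pass them through `env:` and read `"$INPUT_VERSION"` so a crafted dispatch input cannot inject shell. The secret scan greps for the bare words `password|secret|key|token`, so a parameter named `api_key` or the word `keyword` blocks the release while a real credential in a file type not listed passes — a purpose-built secret scanner, or at least credential-format patterns, would give a meaningful gate. Finally, `release-notification` runs under `if: always()` and prints "completed successfully" even when a publish job failed; gate it on `needs.publish-agent-sdk.result == 'success' && needs.publish-explorer-web.result == 'success'`.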

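--- /dev/null
+++ b/.github/workflows/python-ci.yml
@@ -0,0 +1,34 @@
+name: Python CI
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: ["**"]
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+      - name: Install Poetry
+        run: python -m pip install --upgrade pip poetry
+      - name: Install dependencies
+        run: |
+          poetry config virtualenvs.create false
+          poetry install --no-interaction --no-ansi
+      - name: Lint (ruff)
+        run: poetry run ruff check .
+      - name: Test (pytest)
+        run: poetry run pytest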
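Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default permission set although lint and test only need to read the checkout; add `permissions:` with `  contents: read` at the top level. The pinned `python-version: '3.11'` differs from the 3.13 the commit message says the CLI tests moved to — presumably intended, but worth confirming so both pipelines exercise the same interpreter. Triggering on both `push` and `pull_request` with `["**"]` runs every same-repository PR twice; limiting `push` to the default branch would remove the duplicate.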

346
.github/workflows/security-scanning.yml vendored Normal file

@@ -0,0 +1,346 @@
name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
schedule:
# Run security scan daily at 2 AM UTC
- cron: '0 2 * * *'
jobs:
# Python Security Scanning with Bandit
bandit-security-scan:
runs-on: ubuntu-latest
name: Bandit Security Scan
strategy:
matrix:
# Define directories to scan
directory:
- "apps/coordinator-api/src"
- "cli/aitbc_cli"
- "packages/py/aitbc-core/src"
- "packages/py/aitbc-crypto/src"
- "packages/py/aitbc-sdk/src"
- "tests"
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install bandit[toml] safety
# Install project dependencies for context
if [ -f "${{ matrix.directory }}/requirements.txt" ]; then
pip install -r "${{ matrix.directory }}/requirements.txt" 2>/dev/null || true
fi
if [ -f "pyproject.toml" ]; then
pip install -e . 2>/dev/null || true
fi
- name: Run Bandit security scan
run: |
echo "Scanning directory: ${{ matrix.directory }}"
bandit -r ${{ matrix.directory }} \
-f json \
-o bandit-report-${{ matrix.directory }}.json \
--severity-level medium \
--confidence-level medium || true
# Also generate human-readable report
bandit -r ${{ matrix.directory }} \
-f txt \
-o bandit-report-${{ matrix.directory }}.txt \
--severity-level medium \
--confidence-level medium || true
- name: Run Safety check for known vulnerabilities
run: |
echo "Running Safety check for known vulnerabilities..."
safety check --json --output safety-report.json || true
safety check || true
- name: Upload Bandit reports
uses: actions/upload-artifact@v3
if: always()
with:
name: bandit-reports-${{ matrix.directory }}
path: |
bandit-report-${{ matrix.directory }}.json
bandit-report-${{ matrix.directory }}.txt
retention-days: 30
- name: Upload Safety report
uses: actions/upload-artifact@v3
if: always()
with:
name: safety-report
path: safety-report.json
retention-days: 30
- name: Comment PR with security findings
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const path = require('path');
try {
const reportPath = `bandit-report-${{ matrix.directory }}.txt`;
if (fs.existsSync(reportPath)) {
const report = fs.readFileSync(reportPath, 'utf8');
// Create summary
const lines = report.split('\n');
const issues = lines.filter(line => line.includes('Issue:')).length;
const comment = `## 🔒 Security Scan Results for \`${{ matrix.directory }}\`
**Bandit Security Scan**
- Issues found: ${issues}
- Severity: Medium and above
- Confidence: Medium and above
<details>
<summary>📋 Detailed Report</summary>
\`\`\`
${report}
\`\`\`
</details>
---
*This security scan was automatically generated by Bandit.*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
}
} catch (error) {
console.log('Could not read security report:', error.message);
}
# CodeQL Security Analysis
codeql-security-scan:
runs-on: ubuntu-latest
name: CodeQL Security Analysis
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'python', 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
# Dependency Security Scanning
dependency-security-scan:
runs-on: ubuntu-latest
name: Dependency Security Scan
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Run dependency security scan
run: |
python -m pip install --upgrade pip
pip install safety
# Check for known vulnerabilities in dependencies
echo "Scanning Python dependencies..."
safety check --json --output python-safety-report.json || true
safety check || true
# Check npm dependencies if they exist
if [ -f "apps/explorer-web/package.json" ]; then
echo "Scanning npm dependencies..."
cd apps/explorer-web
npm audit --json > ../npm-audit-report.json 2>&1 || true
npm audit || true
cd ../..
fi
if [ -f "website/package.json" ]; then
echo "Scanning website npm dependencies..."
cd website
npm audit --json > ../website-npm-audit-report.json 2>&1 || true
npm audit || true
cd ../..
fi
- name: Upload dependency security reports
uses: actions/upload-artifact@v3
if: always()
with:
name: dependency-security-reports
path: |
python-safety-report.json
npm-audit-report.json
website-npm-audit-report.json
retention-days: 30
# Container Security Scanning (if Docker is used)
container-security-scan:
runs-on: ubuntu-latest
name: Container Security Scan
if: contains(github.event.head_commit.modified, 'Dockerfile') || contains(github.event.head_commit.modified, 'docker-compose')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ github.repository }}:latest'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
# Security Scorecard
security-scorecard:
runs-on: ubuntu-latest
name: OSSF Scorecard
permissions:
security-events: write
actions: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@v2.3.1
with:
results_file: results.sarif
results_format: sarif
# Note: Running without repo_token for local analysis only
- name: Upload SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
# Security Summary Report
security-summary:
runs-on: ubuntu-latest
name: Security Summary Report
needs: [bandit-security-scan, codeql-security-scan, dependency-security-scan]
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Generate security summary
run: |
echo "# 🔒 Security Scan Summary" > security-summary.md
echo "" >> security-summary.md
echo "## Scan Results" >> security-summary.md
echo "" >> security-summary.md
# Bandit results
echo "### Bandit Security Scan" >> security-summary.md
echo "- Scanned multiple Python directories" >> security-summary.md
echo "- Severity level: Medium and above" >> security-summary.md
echo "- Confidence level: Medium and above" >> security-summary.md
echo "" >> security-summary.md
# CodeQL results
echo "### CodeQL Security Analysis" >> security-summary.md
echo "- Languages: Python, JavaScript" >> security-summary.md
echo "- Queries: security-extended, security-and-quality" >> security-summary.md
echo "" >> security-summary.md
# Dependency results
echo "### Dependency Security Scan" >> security-summary.md
echo "- Python dependencies checked with Safety" >> security-summary.md
echo "- npm dependencies checked with npm audit" >> security-summary.md
echo "" >> security-summary.md
# Additional info
echo "### Additional Information" >> security-summary.md
echo "- Scans run on: $(date)" >> security-summary.md
echo "- Commit: ${{ github.sha }}" >> security-summary.md
echo "- Branch: ${{ github.ref_name }}" >> security-summary.md
echo "" >> security-summary.md
echo "## Recommendations" >> security-summary.md
echo "1. Review any high-severity findings immediately" >> security-summary.md
echo "2. Update dependencies with known vulnerabilities" >> security-summary.md
echo "3. Address security best practices recommendations" >> security-summary.md
echo "4. Regular security audits and penetration testing" >> security-summary.md
- name: Upload security summary
uses: actions/upload-artifact@v3
with:
name: security-summary
path: security-summary.md
retention-days: 90
- name: Comment PR with security summary
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
try {
const summary = fs.readFileSync('security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});
} catch (error) {
console.log('Could not read security summary:', error.message);
}
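Review bot: The `matrix.directory` values contain `/` (e.g. `apps/coordinator-api/src`), so `-o bandit-report-${{ matrix.directory }}.json` in the Bandit step resolves to a path inside a directory that does not exist and the write fails — silently, because of `|| true` — and the artifact name `bandit-reports-${{ matrix.directory }}` likewise contains `/`, which upload-artifact rejects; derive a filesystem-safe slug once and use it for both, as sketched below. `aquasecurity/trivy-action@master` is a mutable ref for a security tool and should be pinned to a release tag or commit SHA, and `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `github/codeql-action/*@v2` are superseded majors that GitHub has deprecated, so the artifact and SARIF steps will stop working when those are retired. Every scanner here ends in `|| true`, so the workflow is advisory only — fine if intentional, but the summary's "Scan Results" then never reflects a failure. The PR-comment step appears to end the file here; if it continues past this point the note still stands.

```yaml
      - name: Derive artifact slug
        id: slug
        env:
          DIR: ${{ matrix.directory }}
        run: echo "name=$(printf '%s' "$DIR" | tr '/' '_')" >> "$GITHUB_OUTPUT"
      - name: Run Bandit security scan
        run: |
          echo "Scanning directory: ${{ matrix.directory }}"
          bandit -r "${{ matrix.directory }}" \
            -f json \
            -o "bandit-report-${{ steps.slug.outputs.name }}.json" \
            --severity-level medium \
            --confidence-level medium || true
          # … unchanged: txt report, with the same -o substitution …
      - name: Upload Bandit reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: bandit-reports-${{ steps.slug.outputs.name }}
          path: |
            bandit-report-${{ steps.slug.outputs.name }}.json
            bandit-report-${{ steps.slug.outputs.name }}.txt
      # … unchanged: safety report upload, PR comment (use the same slug for reportPath) …
```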