chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
--- a/.github/workflows/publish-github-packages.yml
+++ b/.github/workflows/publish-github-packages.yml
@@ -0,0 +1,314 @@
+name: Publish Packages to GitHub Packages Registry
+
+on:
+  push:
+    tags:
+      - 'v*'
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to publish (e.g., 0.1.0)'
+        required: true
+        default: '0.1.0'
+
+jobs:
+  publish-debian-packages:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and publish Debian packages
+      run: |
+        # Create Debian package structure
+        mkdir -p dist/debian
+        
+        # Copy existing packages
+        cp packages/github/packages/debian-packages/*.deb dist/debian/
+        
+        # Create Dockerfile for Debian packages
+        cat > dist/debian/Dockerfile << 'EOF'
+        FROM debian:trixie-slim
+        LABEL maintainer="AITBC Team"
+        LABEL version="0.1.0"
+        
+        # Copy packages
+        COPY *.deb /tmp/
+        
+        # Install packages
+        RUN dpkg -i /tmp/*.deb || true && \
+            apt-get install -f -y && \
+            rm /tmp/*.deb
+        
+        # Set entrypoint
+        ENTRYPOINT ["/usr/bin/aitbc"]
+        EOF
+        
+        # Build and push Docker image
+        cd dist/debian
+        docker buildx build \
+          --platform linux/amd64,linux/arm64 \
+          --tag ghcr.io/${{ github.repository }}/aitbc-cli:${{ github.ref_name || github.event.inputs.version }} \
+          --tag ghcr.io/${{ github.repository }}/aitbc-cli:latest \
+          --push \
+          .
+
+    - name: Publish individual service packages
+      run: |
+        cd packages/github/packages/debian-packages
+        
+        # Publish each service as a separate container
+        for package in aitbc-*-service_0.1.0_all.deb; do
+          service_name=$(echo $package | sed 's/aitbc-\(.*\)-service_0.1.0_all.deb/\1/')
+          
+          # Create service-specific Dockerfile
+          cat > Dockerfile.service << EOF
+        FROM debian:trixie-slim
+        LABEL maintainer="AITBC Team"
+        LABEL version="0.1.0"
+        LABEL service="${service_name}"
+        
+        COPY ${package} /tmp/
+        RUN dpkg -i /tmp/${package} || true && \
+            apt-get install -f -y && \
+            rm /tmp/${package}
+          EOF
+          
+          # Build and push service image
+          docker buildx build \
+            -f Dockerfile.service \
+            --platform linux/amd64,linux/arm64 \
+            --tag ghcr.io/${{ github.repository }}/aitbc-${service_name}-service:${{ github.ref_name || github.event.inputs.version }} \
+            --tag ghcr.io/${{ github.repository }}/aitbc-${service_name}-service:latest \
+            --push \
+            .
+        done
+
+  publish-macos-packages:
+    runs-on: macos-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Xcode
+      uses: maxim-lobanov/setup-xcode@v1
+      with:
+        xcode-version: latest-stable
+
+    - name: Build macOS packages
+      run: |
+        cd packages
+        ./build-macos-packages.sh
+
+    - name: Create GitHub Package for macOS
+      run: |
+        cd packages/github/packages/macos-packages
+        
+        # Create package metadata
+        cat > package.json << EOF
+        {
+          "name": "@aitbc/cli-macos",
+          "version": "${{ github.ref_name || github.event.inputs.version }}",
+          "description": "AITBC CLI for macOS Apple Silicon",
+          "main": "aitbc-cli",
+          "files": [
+            "*.pkg",
+            "*.sh"
+          ],
+          "repository": {
+            "type": "git",
+            "url": "https://github.com/${{ github.repository }}.git"
+          },
+          "author": "AITBC Team",
+          "license": "MIT",
+          "publishConfig": {
+            "registry": "https://npm.pkg.github.com"
+          }
+        }
+        EOF
+
+    - name: Publish to GitHub Packages (npm registry)
+      run: |
+        cd packages/github/packages/macos-packages
+        
+        # Set up npm registry
+        npm config set @aitbc:registry https://npm.pkg.github.com
+        npm config set //npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}
+        
+        # Publish package
+        npm publish
+
+  publish-universal-installer:
+    runs-on: ubuntu-latest
+    needs: [publish-debian-packages, publish-macos-packages]
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Create universal package manifest
+      run: |
+        cat > packages/github/packages/package-manifest.json << EOF
+        {
+          "name": "aitbc-universal-installer",
+          "version": "${{ github.ref_name || github.event.inputs.version }}",
+          "description": "Universal AITBC package installer for all platforms",
+          "platforms": {
+            "linux": {
+              "packages": [
+                "ghcr.io/${{ github.repository }}/aitbc-cli:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-node-service:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-miner-service:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest",
+                "ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest"
+              ],
+              "installer": "https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh"
+            },
+            "macos": {
+              "packages": [
+                "@aitbc/cli-macos:latest"
+              ],
+              "installer": "https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/packages/macos-packages/install-macos-complete.sh"
+            }
+          },
+          "checksums": {
+            "debian": "$(cat packages/github/packages/debian-packages/checksums.txt)",
+            "macos": "$(cat packages/github/packages/macos-packages/checksums.txt)"
+          }
+        }
+        EOF
+
+    - name: Publish manifest to GitHub Packages
+      run: |
+        # Create a simple package for the manifest
+        mkdir -p manifest-pkg
+        cd manifest-pkg
+        
+        cat > package.json << EOF
+        {
+          "name": "@aitbc/manifest",
+          "version": "${{ github.ref_name || github.event.inputs.version }}",
+          "description": "AITBC Universal Package Manifest",
+          "main": "manifest.json",
+          "files": [
+            "manifest.json"
+          ],
+          "repository": {
+            "type": "git",
+            "url": "https://github.com/${{ github.repository }}.git"
+          },
+          "author": "AITBC Team",
+          "license": "MIT",
+          "publishConfig": {
+            "registry": "https://npm.pkg.github.com"
+          }
+        }
+        EOF
+        
+        cp ../packages/github/packages/package-manifest.json manifest.json
+        
+        # Set up npm registry
+        npm config set @aitbc:registry https://npm.pkg.github.com
+        npm config set //npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}
+        
+        # Publish manifest
+        npm publish
+
+  update-package-index:
+    runs-on: ubuntu-latest
+    needs: [publish-debian-packages, publish-macos-packages, publish-universal-installer]
+    permissions:
+      contents: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Update package index
+      run: |
+        cat > packages/github/packages/PACKAGE_INDEX.md << EOF
+        # AITBC Packages Index
+        
+        ## Published Packages
+        
+        ### Container Registry (ghcr.io)
+        
+        #### CLI Package
+        - **Package**: \`ghcr.io/${{ github.repository }}/aitbc-cli:latest\`
+        - **Platforms**: linux/amd64, linux/arm64
+        - **Version**: ${{ github.ref_name || github.event.inputs.version }}
+        
+        #### Service Packages
+        - **Node Service**: \`ghcr.io/${{ github.repository }}/aitbc-node-service:latest\`
+        - **Coordinator Service**: \`ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest\`
+        - **Miner Service**: \`ghcr.io/${{ github.repository }}/aitbc-miner-service:latest\`
+        - **Marketplace Service**: \`ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest\`
+        - **Explorer Service**: \`ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest\`
+        - **Wallet Service**: \`ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest\`
+        - **Multimodal Service**: \`ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest\`
+        
+        ### NPM Registry (npm.pkg.github.com)
+        
+        #### macOS Package
+        - **Package**: \`@aitbc/cli-macos@${{ github.ref_name || github.event.inputs.version }}\`
+        - **Platform**: macOS Apple Silicon
+        - **Format**: npm package with .pkg installer
+        
+        #### Universal Manifest
+        - **Package**: \`@aitbc/manifest@${{ github.ref_name || github.event.inputs.version }}\`
+        - **Content**: Universal package manifest for all platforms
+        
+        ## Installation
+        
+        ### Linux (Docker)
+        \`\`\`bash
+        docker run --rm -it ghcr.io/${{ github.repository }}/aitbc-cli:latest --help
+        \`\`\`
+        
+        ### macOS (npm)
+        \`\`\`bash
+        npm install @aitbc/cli-macos@${{ github.ref_name || github.event.inputs.version }}
+        \`\`\`
+        
+        ### Universal Installer
+        \`\`\`bash
+        curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
+        \`\`\`
+        
+        ---
+        *Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*
+        EOF
+
+    - name: Commit and push changes
+      run: |
+        git config --local user.email "action@github.com"
+        git config --local user.name "GitHub Action"
+        git add packages/github/packages/PACKAGE_INDEX.md
+        git diff --staged --quiet || git commit -m "Update package index for version ${{ github.ref_name || github.event.inputs.version }}"
+        git push