oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

Browse Source 
- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration
- Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage
- Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
This commit is contained in:
oib
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
Download Patch File Download Diff File Expand all files Collapse all files

459
.github/workflows/publish-packages-to-registry.yml vendored Normal file
View File

@@ -0,0 +1,459 @@
name: Publish Packages to GitHub Packages Registry
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
publish_debian:
description: 'Publish Debian packages to Container Registry'
required: false
default: 'true'
publish_macos:
description: 'Publish macOS packages to NPM registry'
required: false
default: 'true'
jobs:
publish-debian-containers:
runs-on: ubuntu-latest
if: github.event.inputs.publish_debian != 'false'
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Publish CLI package
run: |
cd packages/github/packages/debian-packages
# Create CLI Dockerfile
cat > Dockerfile.cli << 'EOF'
FROM debian:trixie-slim
LABEL maintainer="AITBC Team"
LABEL version="0.1.0"
LABEL description="AITBC CLI package"
# Install dependencies
RUN apt-get update && apt-get install -y \
python3.13 \
python3-pip \
python3-venv \
curl \
&& rm -rf /var/lib/apt/lists/*
# Copy and install CLI package
COPY aitbc-cli_0.1.0_all.deb /tmp/
RUN dpkg -i /tmp/aitbc-cli_0.1.0_all.deb || true && \
apt-get install -f -y && \
rm /tmp/aitbc-cli_0.1.0_all.deb
# Create symlink for easier access
RUN ln -sf /usr/bin/aitbc /usr/local/bin/aitbc
ENTRYPOINT ["/usr/bin/aitbc"]
CMD ["--help"]
EOF
# Build and push CLI image
docker buildx build \
-f Dockerfile.cli \
--platform linux/amd64,linux/arm64 \
--tag ghcr.io/${{ github.repository }}/aitbc-cli:${{ steps.version.outputs.VERSION || '0.1.0' }} \
--tag ghcr.io/${{ github.repository }}/aitbc-cli:latest \
--push \
.
- name: Publish service packages
run: |
cd packages/github/packages/debian-packages
# Service packages
services=("node" "coordinator" "miner" "marketplace" "explorer" "wallet" "multimodal" "all-services")
for service in "${services[@]}"; do
package_file="aitbc-${service}-service_0.1.0_all.deb"
if [[ -f "$package_file" ]]; then
echo "Publishing $service service..."
# Create service Dockerfile
cat > Dockerfile.service << EOF
FROM debian:trixie-slim
LABEL maintainer="AITBC Team"
LABEL version="0.1.0"
LABEL description="AITBC ${service} service"
LABEL service="${service}"
# Install dependencies
RUN apt-get update && apt-get install -y \
python3.13 \
python3-pip \
systemd \
&& rm -rf /var/lib/apt/lists/*
# Copy and install service package
COPY ${package_file} /tmp/
RUN dpkg -i /tmp/${package_file} || true && \
apt-get install -f -y && \
rm /tmp/${package_file}
# Expose service port (if applicable)
EOF
# Add service-specific port exposures
case $service in
"node")
echo "EXPOSE 8082" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-node\"]" >> Dockerfile.service
;;
"coordinator")
echo "EXPOSE 8000" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-coordinator\"]" >> Dockerfile.service
;;
"marketplace")
echo "EXPOSE 3000" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-marketplace\"]" >> Dockerfile.service
;;
"explorer")
echo "EXPOSE 3001" >> Dockerfile.service
echo "CMD [\"systemctl\", \"start\", \"aitbc-explorer\"]" >> Dockerfile.service
;;
*)
echo "CMD [\"systemctl\", \"start\", \"aitbc-${service}\"]" >> Dockerfile.service
;;
esac
# Build and push service image
docker buildx build \
-f Dockerfile.service \
--platform linux/amd64,linux/arm64 \
--tag ghcr.io/${{ github.repository }}/aitbc-${service}-service:${{ steps.version.outputs.VERSION || '0.1.0' }} \
--tag ghcr.io/${{ github.repository }}/aitbc-${service}-service:latest \
--push \
.
else
echo "Warning: $package_file not found, skipping $service service"
fi
done
publish-macos-packages:
runs-on: ubuntu-latest
if: github.event.inputs.publish_macos != 'false'
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
registry-url: 'https://npm.pkg.github.com'
- name: Create macOS package
run: |
cd packages/github/packages/macos-packages
# Create package.json for macOS CLI
cat > package.json << EOF
{
"name": "@aitbc/cli-macos",
"version": "${{ steps.version.outputs.VERSION || '0.1.0' }}",
"description": "AITBC CLI for macOS Apple Silicon",
"main": "aitbc-cli-0.1.0-apple-silicon.pkg",
"files": [
"aitbc-cli-0.1.0-apple-silicon.pkg",
"install-macos-complete.sh",
"install-macos-apple-silicon.sh"
],
"scripts": {
"install": "bash install-macos-complete.sh",
"install-silicon": "bash install-macos-apple-silicon.sh"
},
"repository": {
"type": "git",
"url": "https://github.com/${{ github.repository }}.git"
},
"author": "AITBC Team",
"license": "MIT",
"keywords": ["aitbc", "cli", "macos", "apple-silicon", "blockchain"],
"engines": {
"node": ">=16"
},
"publishConfig": {
"registry": "https://npm.pkg.github.com"
}
}
EOF
- name: Publish to GitHub Packages
run: |
cd packages/github/packages/macos-packages
npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create macOS services package
run: |
cd packages/github/packages/macos-packages
# Create package.json for macOS services
cat > package-services.json << EOF
{
"name": "@aitbc/services-macos",
"version": "${{ steps.version.outputs.VERSION || '0.1.0' }}",
"description": "AITBC Services for macOS Apple Silicon",
"main": "install-macos-services.sh",
"files": [
"aitbc-*-service-0.1.0-apple-silicon.pkg",
"install-macos-services.sh"
],
"scripts": {
"install": "bash install-macos-services.sh"
},
"repository": {
"type": "git",
"url": "https://github.com/${{ github.repository }}.git"
},
"author": "AITBC Team",
"license": "MIT",
"keywords": ["aitbc", "services", "macos", "apple-silicon", "blockchain"],
"engines": {
"node": ">=16"
},
"publishConfig": {
"registry": "https://npm.pkg.github.com"
}
}
EOF
- name: Publish services to GitHub Packages
run: |
cd packages/github/packages/macos-packages
cp package-services.json package.json
npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
create-package-release:
runs-on: ubuntu-latest
needs: [publish-debian-containers, publish-macos-packages]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Create release notes
run: |
cat > release_notes.md << EOF
# AITBC Packages v${{ steps.version.outputs.VERSION || '0.1.0' }}
## 📦 Published Packages
### Container Registry (ghcr.io)
#### CLI Package
- **Image**: \`ghcr.io/${{ github.repository }}/aitbc-cli:latest\`
- **Platforms**: linux/amd64, linux/arm64
- **Pull**: \`docker pull ghcr.io/${{ github.repository }}/aitbc-cli:latest\`
#### Service Packages
- **Node Service**: \`ghcr.io/${{ github.repository }}/aitbc-node-service:latest\`
- **Coordinator Service**: \`ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest\`
- **Miner Service**: \`ghcr.io/${{ github.repository }}/aitbc-miner-service:latest\`
- **Marketplace Service**: \`ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest\`
- **Explorer Service**: \`ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest\`
- **Wallet Service**: \`ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest\`
- **Multimodal Service**: \`ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest\`
- **All Services**: \`ghcr.io/${{ github.repository }}/aitbc-all-services:latest\`
### NPM Registry (npm.pkg.github.com)
#### macOS CLI Package
- **Package**: \`@aitbc/cli-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
- **Install**: \`npm install @aitbc/cli-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
#### macOS Services Package
- **Package**: \`@aitbc/services-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
- **Install**: \`npm install @aitbc/services-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}\`
## 🚀 Installation
### Linux (Docker)
\`\`\`bash
# CLI only
docker run --rm -it ghcr.io/${{ github.repository }}/aitbc-cli:latest --help
# Full stack
docker-compose -f https://raw.githubusercontent.com/${{ github.repository }}/main/docker-compose.yml up
\`\`\`
### macOS (NPM)
\`\`\`bash
# CLI only
npm install @aitbc/cli-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}
npx @aitbc/cli-macos install
# Services
npm install @aitbc/services-macos@${{ steps.version.outputs.VERSION || '0.1.0' }}
npx @aitbc/services-macos install
\`\`\`
### Universal Installer
\`\`\`bash
curl -fsSL https://raw.githubusercontent.com/${{ github.repository }}/main/packages/github/install.sh | bash
\`\`\`
---
*View all packages at: https://github.com/${{ github.repository }}/packages*
EOF
- name: Create GitHub Release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
body_path: release_notes.md
draft: false
prerelease: false
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
update-package-index:
runs-on: ubuntu-latest
needs: [publish-debian-containers, publish-macos-packages]
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Update package index
run: |
cat > packages/github/PACKAGES_REGISTRY_GUIDE.md << EOF
# AITBC GitHub Packages Registry Guide
## 📦 Available Packages
Your AITBC packages are now published to GitHub Packages registry and available at:
https://github.com/${{ github.repository }}/packages
## 🐳 Container Registry (ghcr.io)
### CLI Package
\`\`\`bash
docker pull ghcr.io/${{ github.repository }}/aitbc-cli:latest
docker run --rm -it ghcr.io/${{ github.repository }}/aitbc-cli:latest --help
\`\`\`
### Service Packages
\`\`\`bash
# Individual services
docker pull ghcr.io/${{ github.repository }}/aitbc-node-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-coordinator-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-miner-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-marketplace-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-explorer-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-wallet-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-multimodal-service:latest
docker pull ghcr.io/${{ github.repository }}/aitbc-all-services:latest
\`\`\`
## 📦 NPM Registry (npm.pkg.github.com)
### macOS Packages
\`\`\`bash
# Set up GitHub Packages registry
npm config set @aitbc:registry https://npm.pkg.github.com
npm config set //npm.pkg.github.com/:_authToken=YOUR_GITHUB_TOKEN
# Install CLI
npm install @aitbc/cli-macos@latest
npx @aitbc/cli-macos install
# Install Services
npm install @aitbc/services-macos@latest
npx @aitbc/services-macos install
\`\`\`
## 🔧 Authentication
### For Container Registry
\`\`\`bash
# Login to GitHub Container Registry
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
\`\`\`
### For NPM Registry
\`\`\`bash
# Create a personal access token with 'read:packages' scope
# Set up npm authentication
npm config set //npm.pkg.github.com/:_authToken=YOUR_PERSONAL_ACCESS_TOKEN
\`\`\`
## 📋 Package List
### Container Images
| Package | Registry | Platforms | Description |
|---------|----------|-----------|-------------|
| \`aitbc-cli\` | ghcr.io | linux/amd64, linux/arm64 | Main CLI tool |
| \`aitbc-node-service\` | ghcr.io | linux/amd64, linux/arm64 | Blockchain node |
| \`aitbc-coordinator-service\` | ghcr.io | linux/amd64, linux/arm64 | Coordinator API |
| \`aitbc-miner-service\` | ghcr.io | linux/amd64, linux/arm64 | GPU miner |
| \`aitbc-marketplace-service\` | ghcr.io | linux/amd64, linux/arm64 | GPU marketplace |
| \`aitbc-explorer-service\` | ghcr.io | linux/amd64, linux/arm64 | Block explorer |
| \`aitbc-wallet-service\` | ghcr.io | linux/amd64, linux/arm64 | Wallet service |
| \`aitbc-multimodal-service\` | ghcr.io | linux/amd64, linux/arm64 | Multimodal AI |
| \`aitbc-all-services\` | ghcr.io | linux/amd64, linux/arm64 | Complete stack |
### NPM Packages
| Package | Registry | Platform | Description |
|---------|----------|----------|-------------|
| \`@aitbc/cli-macos\` | npm.pkg.github.com | macOS | CLI for Apple Silicon |
| \`@aitbc/services-macos\` | npm.pkg.github.com | macOS | Services for Apple Silicon |
---
*Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*
*View packages: https://github.com/${{ github.repository }}/packages*
EOF
- name: Commit and push changes
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add packages/github/PACKAGES_REGISTRY_GUIDE.md
git diff --staged --quiet || git commit -m "Add GitHub Packages registry guide"
git push