CycloneDX
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 147 additions & 0 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 147 additions & 0 deletions
diff --git a/‎.github/workflows/ingest-deps.yaml‎
Lines changed: 41 additions & 0 deletions b/‎.github/workflows/ingest-deps.yaml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 171 additions & 0 deletions b/‎.github/workflows/release.yaml‎
Lines changed: 171 additions & 0 deletions
@@ -0,0 +1,147 @@
+# TEA Server CI Pipeline
+#
+# Runs on all PRs and pushes to main. Validates:
+# - Build (cargo check)
+# - Tests (cargo test)
+# - Linting (cargo clippy)
+# - Security audit (cargo audit)
+
+name: CI
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'tea-server/**'
+      - 'proto/**'
+      - '.github/workflows/ci.yaml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'tea-server/**'
+      - 'proto/**'
+      - '.github/workflows/ci.yaml'
+
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+
+jobs:
+  # ─────────────────────────────────────────────────────────────────────────────
+  # Build and Test
+  # ─────────────────────────────────────────────────────────────────────────────
+  build:
+    name: Build & Test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: tea-server
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy, rustfmt
+
+      - name: Cache cargo artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: tea-server -> target
+          key: ${{ runner.os }}-rust-${{ hashFiles('tea-server/Cargo.lock') }}
+
+      - name: Check formatting
+        run: cargo fmt -- --check
+
+      - name: Build
+        run: cargo check --locked
+
+      - name: Run clippy
+        run: cargo clippy -- -D warnings
+
+      - name: Run tests
+        run: cargo test --locked
+        env:
+          # Disable integration tests that need Docker
+          RUST_TEST_SKIP_INTEGRATION: 1
+
+  # ─────────────────────────────────────────────────────────────────────────────
+  # Security Audit
+  # ─────────────────────────────────────────────────────────────────────────────
+  audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: tea-server
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run security audit
+        run: cargo audit
+
+  # ─────────────────────────────────────────────────────────────────────────────
+  # Integration Tests (with testcontainers)
+  # ─────────────────────────────────────────────────────────────────────────────
+  integration:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: build
+    defaults:
+      run:
+        working-directory: tea-server
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: tea-server -> target
+
+      - name: Run integration tests
+        run: cargo test --test integration
+        # testcontainers will spin up Postgres automatically
+
+  # ─────────────────────────────────────────────────────────────────────────────
+  # E2E Conformance Tests
+  # ─────────────────────────────────────────────────────────────────────────────
+  e2e:
+    name: E2E Conformance Tests
+    runs-on: ubuntu-latest
+    needs: build
+    defaults:
+      run:
+        working-directory: tea-server
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: tea-server -> target
+
+      - name: Run E2E conformance tests
+        run: cargo test --test e2e_conformance
@@ -0,0 +1,41 @@
+name: Ingest Dependencies
+
+on:
+    schedule:
+        - cron: "0 0 * * 0" # Weekly on Sunday
+    workflow_dispatch:
+
+permissions:
+    contents: read
+    packages: write # For pushing to GHCR
+
+jobs:
+    ingest:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Setup Go
+              uses: actions/setup-go@v5
+              with:
+                  go-version: 1.22
+
+            - name: Install Dagger
+              run: |
+                  curl -L https://dl.dagger.io/dagger/install.sh | sh
+                  export PATH=$PATH:$HOME/.dagger/bin
+
+            - name: Login to GHCR
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Run IngestDeps and Push Snapshot
+              run: |
+                  # Run Dagger to ingest deps
+                  dagger call ingest-deps --source . export --path snapshot
+                  # Push the snapshot directory as OCI artifact using oras
+                  oras push ghcr.io/${{ github.repository }}/deps-snapshot:latest snapshot/ --annotation org.opencontainers.image.source=https://github.com/${{ github.repository }}
@@ -0,0 +1,171 @@
+# TEA Server Release Pipeline
+#
+# Builds and publishes container images on tag push.
+# Integrates with SLSA provenance workflow for supply chain security.
+
+name: Release
+
+on:
+    push:
+        tags:
+            - "v*"
+
+permissions:
+    contents: read
+    packages: write
+    id-token: write # Required for Sigstore signing
+
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}/tea-server
+
+jobs:
+    # ─────────────────────────────────────────────────────────────────────────────
+    # Build and push container image
+    # ─────────────────────────────────────────────────────────────────────────────
+    build:
+        runs-on: ubuntu-latest
+        outputs:
+            digest: ${{ steps.build.outputs.digest }}
+            version: ${{ steps.meta.outputs.version }}
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Log in to Container Registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Extract metadata
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+                  tags: |
+                      type=semver,pattern={{version}}
+                      type=semver,pattern={{major}}.{{minor}}
+                      type=sha,prefix=sha-
+
+            - name: Build and push
+              id: build
+              uses: docker/build-push-action@v5
+              with:
+                  context: ./tea-server
+                  push: true
+                  tags: ${{ steps.meta.outputs.tags }}
+                  labels: ${{ steps.meta.outputs.labels }}
+                  provenance: true
+                  sbom: true
+                  outputs: type=registry,oci-mediatypes=true
+
+    # ─────────────────────────────────────────────────────────────────────────────
+    # Generate SLSA provenance
+    # ─────────────────────────────────────────────────────────────────────────────
+    provenance:
+        needs: build
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+            actions: read
+        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+        with:
+            image: ghcr.io/${{ github.repository }}/tea-server
+            digest: ${{ needs.build.outputs.digest }}
+            registry-username: ${{ github.actor }}
+        secrets:
+            registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+    # ─────────────────────────────────────────────────────────────────────────────
+    # Generate and sign SBOM
+    # ─────────────────────────────────────────────────────────────────────────────
+    sbom:
+        needs: [build, provenance]
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Log in to Container Registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              uses: sigstore/cosign-installer@v3
+
+            - name: Install Syft
+              uses: anchore/sbom-action/download-syft@v0
+
+            - name: Generate SBOM
+              run: |
+                  syft \
+                    ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }} \
+                    -o spdx-json=sbom.spdx.json \
+                    -o cyclonedx-json=sbom.cdx.json
+
+            - name: Sign SBOM
+              run: |
+                  cosign sign-blob \
+                    --yes \
+                    --output-signature sbom.spdx.json.sig \
+                    --output-certificate sbom.spdx.json.crt \
+                    sbom.spdx.json
+
+            - name: Attach SBOM to image
+              run: |
+                  cosign attach sbom \
+                    --sbom sbom.spdx.json \
+                    ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
+
+            - name: Upload SBOM artifacts
+              uses: actions/upload-artifact@v4
+              with:
+                  name: sbom
+                  path: |
+                      sbom.spdx.json
+                      sbom.cdx.json
+                      sbom.spdx.json.sig
+                  retention-days: 90
+
+    # ─────────────────────────────────────────────────────────────────────────────
+    # Create GitHub Release
+    # ─────────────────────────────────────────────────────────────────────────────
+    release:
+        needs: [build, sbom]
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Download SBOM
+              uses: actions/download-artifact@v4
+              with:
+                  name: sbom
+                  path: sbom
+
+            - name: Create Release
+              uses: softprops/action-gh-release@v1
+              with:
+                  generate_release_notes: true
+                  files: |
+                      sbom/sbom.spdx.json
+                      sbom/sbom.cdx.json
+                      sbom/sbom.spdx.json.sig