Harden the TEA reference implementation #234
Closed
MChorfa wants to merge 2 commits into CycloneDX:main from
added 2 commits on March 29, 2026 15:30
…curity
Add comprehensive CI/CD pipeline with security-first approach:
- CI workflow: build, test, lint, clippy, security audit, integration and E2E tests
- Release workflow: container build/push with SLSA provenance, SBOM generation and signing via Sigstore/cosign, GitHub release creation
- SLSA provenance workflow: SLSA Level 3+ attestation generation using slsa-github-generator
- Dependency ingestion workflow: weekly schedule
Signed-off-by: Mohamed Chorfa <mohamed.chorfa@thalesgroup.com>

- align the Rust server with the spec across auth, gRPC, persistence, and collection/product release flows
- generate and validate publisher OpenAPI, conformance, and sbom-tools integration artifacts
- add publishable release-doc bundles plus CI checks for spec, docs, and reference-profile behavior
Signed-off-by: Mohamed Chorfa <mohamed.chorfa@thalesgroup.com>
Collaborator:
This repo is for specification and not for implementation. Implementations belong in another repository. Create your own repo and we can look into that.
Author:
Thanks for clarifying the repo boundary. I've moved the implementation work into a separate repository and kept the spec-facing material in a dedicated PR here. The implementation repo is available for reference if useful: https://github.com/MChorfa/transparency-exchange-reference-implementation
What this PR does
This PR turns the repo into a stronger spec-first TEA reference implementation.
It:
- sbom-tools integration docs/snippets, and a publishable release-doc bundle

Review order
1. proto/, spec/, tools/
2. tea-server/src/domain, persistence, and migrations
3. tea-server/src/infrastructure/grpc and tea-server/src/main.rs

Verification
Ran successfully:
- `cargo fmt --manifest-path tea-server/Cargo.toml -- --check`
- `cargo clippy --manifest-path tea-server/Cargo.toml -- -D warnings`
- `make -C proto verify`
- `cargo check --manifest-path dagger/Cargo.toml`
- `cargo test --manifest-path tea-server/Cargo.toml --locked --doc`
- `cargo test --manifest-path tea-server/Cargo.toml --locked`

Intentional remaining gaps
These publisher capabilities remain explicit fail-closed / UNIMPLEMENTED in the current reference profile:
- UploadArtifact
- BatchUploadArtifacts
- ImportCollection
- SignCollection

Local note
Full local integration coverage requires a working Docker-compatible daemon. If your environment exposes Docker on a non-default socket, set DOCKER_HOST to the appropriate value before running the integration suite.
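The local note above leaves it to the reader to work out which socket to point DOCKER_HOST at. The helper below is an added example, not code from this PR or from the CycloneDX project: it probes a list of candidate socket paths, prints a `unix://` URL for the first one that is actually a socket, and fails (non-zero, no output) when none is found so that a wrapper script stops instead of silently running the suite against the wrong daemon. The candidate paths (rootless Docker under `XDG_RUNTIME_DIR`, Docker Desktop's per-user socket, and the system default) are assumptions about typical hosts and should be adjusted locally.

```shell
#!/bin/sh
# Added example (not part of the PR): choose a DOCKER_HOST value for the
# integration suite when the daemon listens on a non-default socket.

# resolve_docker_host [candidate_path ...]
# Prints "unix://<path>" for the first candidate that exists as a socket
# and returns 0. Prints nothing and returns 1 when no candidate is usable,
# so callers fail closed rather than inheriting a stale or wrong value.
# With no arguments, a default candidate list is used; those paths are
# assumptions about common setups, not values taken from the PR.
resolve_docker_host() {
    if [ "$#" -eq 0 ]; then
        set -- \
            "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/docker.sock" \
            "$HOME/.docker/run/docker.sock" \
            /var/run/docker.sock
    fi
    for candidate in "$@"; do
        # -S is true only for a socket; a plain file at that path is not a daemon.
        if [ -S "$candidate" ]; then
            printf 'unix://%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage: export the resolved value for the rest of the session, then run
# the suite (the cargo command is the one listed under "Verification").
if DOCKER_HOST=$(resolve_docker_host); then
    export DOCKER_HOST
    echo "using DOCKER_HOST=$DOCKER_HOST"
    # cargo test --manifest-path tea-server/Cargo.toml --locked
else
    echo "no Docker socket found; integration coverage will not run" >&2
fi
```

An explicit candidate list can be passed as arguments when a host uses an unusual location, e.g. `resolve_docker_host /custom/path/docker.sock`; the function never guesses a TCP endpoint, so remote daemons still have to be configured deliberately.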