release-artifacts.json
{
"schema_version": 1,
"description": "Machine-readable source of truth for expected release artifacts. Used by CI docs-validation and test_release_artifacts.py.",
"canonical_image_ref": "ghcr.io/secai-hub/secai_os",
"go_services": [
"airlock",
"registry",
"tool-firewall",
"gpu-integrity-watch",
"mcp-firewall",
"policy-engine",
"runtime-attestor",
"integrity-monitor",
"incident-recorder"
],
"architectures": ["linux-amd64", "linux-arm64"],
"python_services": [
"agent",
"ui",
"quarantine",
"common",
"diffusion-worker",
"search-mediator"
],
"artifacts": {
"required": {
"go_binaries": {
"pattern": "{service}-{arch}",
"description": "Static Go binaries for each service and architecture"
},
"go_sboms": {
"pattern": "{service}-sbom.cdx.json",
"description": "CycloneDX SBOM per Go service"
},
"python_sboms": {
"pattern": "{service}-sbom.cdx.json",
"description": "CycloneDX SBOM per Python service"
},
"checksums": {
"files": ["SHA256SUMS", "SHA256SUMS.sig"],
"description": "SHA-256 checksum file (SHA256SUMS) and its detached cosign signature (SHA256SUMS.sig)"
},
"manifest": {
"files": ["RELEASE_MANIFEST.json"],
"description": "Machine-readable release manifest"
},
"openvex": {
"files": ["custom-python.vex.json"],
"description": "OpenVEX document covering the patched sandbox Python runtimes"
},
"image_digest": {
"files": ["IMAGE_DIGEST"],
"description": "OCI image digest for this release"
},
"release_scripts": {
"files": [
"secai-os-build-iso.sh",
"secai-os-build-usb.sh",
"secai-os-run-docker.sh",
"secai-os-run-docker.ps1"
],
"description": "Standalone helper scripts for building ISO/USB media and launching the Docker sandbox from a release"
}
},
"optional": {
"iso": {
"pattern": "secai-os-{version}-x86_64.iso",
"signature": "secai-os-{version}-x86_64.iso.sig",
"description": "Bootable ISO (requires isogenerator)",
"required_when": "always (standard runner)"
},
"portable_usb": {
"pattern": "secai-os-{version}-x86_64-usb.raw.xz",
"signature": "secai-os-{version}-x86_64-usb.raw.xz.sig",
"description": "Direct-flash portable USB image built from bootc-image-builder raw output",
"required_when": "always (standard runner)"
},
"qcow2": {
"pattern": "secai-os-{version}.qcow2",
"signature": "secai-os-{version}.qcow2.sig",
"description": "QCOW2 disk image for KVM/QEMU/Proxmox",
"required_when": "vars.HAS_KVM_RUNNER == 'true'"
},
"ova": {
"pattern": "secai-os-{version}.ova",
"signature": "secai-os-{version}.ova.sig",
"description": "OVA appliance for VirtualBox/VMware",
"required_when": "vars.HAS_KVM_RUNNER == 'true'"
},
"bootc_iso": {
"pattern": "secai-os-{version}-x86_64-bootc.iso",
"signature": "secai-os-{version}-x86_64-bootc.iso.sig",
"description": "Experimental bootc-image-builder ISO",
"required_when": "vars.ENABLE_BOOTC_ISO == 'true'"
}
}
}
}