sign/action.yml at 1207f1fcb2a1d52cadcf9f7497828ec6339df104 · auths-dev/sign · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: 'Sign with Auths'
description: 'Sign build artifacts and/or commits using Auths identity keys in CI'
author: 'auths'

inputs:
  token:
    description: 'AUTHS_CI_TOKEN JSON (preferred) — contains passphrase, keychain, identity repo, and verify bundle'
    required: false
    default: ''
  passphrase:
    description: 'Auths device key passphrase (fallback when token is not provided)'
    required: false
    default: ''
  keychain:
    description: 'Base64-encoded encrypted keychain file (fallback when token is not provided)'
    required: false
    default: ''
  identity-repo:
    description: 'Base64-encoded tar.gz of ~/.auths identity repo (fallback when token is not provided)'
    required: false
    default: ''
  verify-bundle:
    description: 'Identity bundle JSON for post-sign verification (fallback when token is not provided)'
    required: false
    default: ''
  files:
    description: 'Glob patterns for files to sign, one per line'
    required: false
    default: ''
  commits:
    description: 'Git revision range to sign (e.g., HEAD~1..HEAD). Merge commits are skipped.'
    required: false
    default: ''
  verify:
    description: 'Verify each file after signing using the verify bundle from the token'
    required: false
    default: 'false'
  device-key:
    description: 'Alias of the device key to sign with'
    required: false
    default: 'ci-release-device'
  note:
    description: 'Optional note to include in the attestation'
    required: false
    default: ''
  auths-version:
    description: 'Auths CLI version to use (leave empty for latest)'
    required: false
    default: ''

outputs:
  signed-files:
    description: 'JSON array of file paths that were signed'
  attestation-files:
    description: 'JSON array of attestation file paths (.auths.json)'
  signed-commits:
    description: 'JSON array of signed commit SHAs'
  verified:
    description: 'Whether all signed artifacts/commits passed verification (empty string if verify was not requested)'

runs:
  using: 'node20'
  main: 'dist/index.js'

branding:
  icon: 'edit-3'
  color: 'blue'