feat: add collapsable list on skips

Author: bordumb

.github/workflows/release.yml

@@ -30,13 +30,11 @@ jobs:
       - name: Check dist is up to date
         run: git diff --exit-code -- dist/ ':!dist/**/*.d.ts.map'
 
-      # Dogfood: sign dist/index.js using ourselves
-      - name: Sign and verify dist/index.js
+      # Dogfood: sign dist/index.js using ourselves (ephemeral, no secrets)
+      - name: Sign dist/index.js
         uses: ./
         with:
-          token: ${{ secrets.AUTHS_CI_TOKEN }}
           files: 'dist/index.js'
-          verify: true
           note: 'GitHub Actions release — ${{ github.ref_name }}'
 
       - name: Generate SHA256 checksums
@@ -59,16 +57,14 @@ jobs:
           body: |
             ## Auths Sign GitHub Action
 
-            Sign build artifacts in CI using [Auths](https://github.com/auths-dev/auths) identity keys.
+            Sign build artifacts in CI using ephemeral keys. No secrets needed.
 
             ### Usage
 
             ```yaml
             - uses: auths-dev/sign@v1
               with:
-                token: $\{{ secrets.AUTHS_CI_TOKEN }}
                 files: 'dist/index.js'
-                verify: true
             ```
 
             See the [README](https://github.com/auths-dev/sign#readme) for full configuration options.

.github/workflows/sign-commits.yml

@@ -21,5 +21,4 @@ jobs:
 
       - uses: ./
         with:
-          token: ${{ secrets.AUTHS_CI_TOKEN }}
           commits: 'HEAD~1..HEAD'

README.md

@@ -1,172 +1,67 @@
 # auths-dev/sign
 
 [![Verified with Auths](https://img.shields.io/badge/Verified%20with-Auths-4B9CD3?logo=github&logoColor=white)](https://github.com/auths-dev/verify)
-[![Verify Commits](https://github.com/auths-dev/sign/actions/workflows/verify-commits.yml/badge.svg)](https://github.com/auths-dev/sign/actions/workflows/verify-commits.yml?query=branch%3Amain+event%3Apush)
-[![Sign Commits](https://github.com/auths-dev/sign/actions/workflows/sign-commits.yml/badge.svg)](https://github.com/auths-dev/sign/actions/workflows/sign-commits.yml?query=branch%3Amain)
 
-Sign build artifacts in CI with [Auths](https://github.com/auths-dev/auths) identity keys. Produces `.auths.json` attestation files that anyone can verify.
+Sign build artifacts and commits in CI using ephemeral keys. **No secrets needed.**
 
-## Quick start
+## Quick Start
 
 ```yaml
 - uses: auths-dev/sign@v1
   with:
-    token: ${{ secrets.AUTHS_CI_TOKEN }}
-    files: 'dist/index.js'
-    verify: true
+    files: |
+      dist/*.tar.gz
+      dist/*.zip
 ```
 
-This signs `dist/index.js`, creates `dist/index.js.auths.json`, and verifies the signature in one step.
+No tokens. No secrets. The action generates a throwaway key per run, signs your artifacts, and discards the key. Trust is anchored to the commit, not to a CI credential.
 
-## Setup
+## How It Works
 
-### 1. Install the Auths CLI
+1. Installs the `auths` CLI
+2. Runs `auths artifact sign --ci --commit $GITHUB_SHA` for each matched file
+3. Produces `.auths.json` attestation files alongside your artifacts
+4. Verifiers trace: artifact ← ephemeral key ← commit SHA ← maintainer signature
 
-```bash
-brew tap auths-dev/auths-cli
-brew install auths          # macOS
-# or download from https://github.com/auths-dev/auths/releases
-```
-
-### 2. Initialize your identity (if you haven't already)
-
-```bash
-auths init
-```
-
-### 3. Set up CI secrets
+## Usage
 
-From the repo you want to sign artifacts in:
+### Sign release artifacts
 
-```bash
-auths ci setup
+```yaml
+- name: Sign artifacts
+  uses: auths-dev/sign@v1
+  with:
+    files: |
+      dist/*.tar.gz
+      dist/*.zip
+    note: "Release ${{ github.ref_name }}"
 ```
 
-This creates a limited-capability CI device key and sets a single `AUTHS_CI_TOKEN` GitHub secret automatically.
-
-### 4. Add the action to your release workflow
+### Sign commits
 
 ```yaml
-name: Release
-
-on:
-  push:
-    tags: ['v*.*.*']
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Build
-        run: npm run build  # or your build command
-
-      - name: Sign artifacts
-        uses: auths-dev/sign@v1
-        with:
-          token: ${{ secrets.AUTHS_CI_TOKEN }}
-          files: 'dist/*.js'
-          verify: true
-          note: 'Release ${{ github.ref_name }}'
-
-      - name: Create release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            dist/*.auths.json
+- name: Sign commits
+  uses: auths-dev/sign@v1
+  with:
+    commits: HEAD~1..HEAD
 ```
 
 ## Inputs
 
 | Input | Required | Default | Description |
 |-------|----------|---------|-------------|
-| `token` | No* | | `AUTHS_CI_TOKEN` JSON containing all credentials |
-| `files` | **Yes** | | Glob patterns for files to sign (one per line) |
-| `verify` | No | `false` | Verify each file immediately after signing |
-| `device-key` | No | `ci-release-device` | Device key alias to sign with |
+| `files` | No | | Glob patterns for files to sign, one per line |
+| `commits` | No | | Git revision range to sign |
+| `commit-sha` | No | `$GITHUB_SHA` | Commit SHA to anchor attestation to |
 | `note` | No | | Note to include in the attestation |
-| `auths-version` | No | latest | Pin a specific Auths CLI version |
+| `auths-version` | No | latest | Auths CLI version to use |
 
-*`token` is the `AUTHS_CI_TOKEN` secret generated by `auths ci setup`.
+At least one of `files` or `commits` must be provided.
 
 ## Outputs
 
 | Output | Description |
 |--------|-------------|
 | `signed-files` | JSON array of signed file paths |
-| `attestation-files` | JSON array of `.auths.json` attestation file paths |
-| `verified` | `true`/`false` when `verify: true`, empty otherwise |
-
-### Using outputs in subsequent steps
-
-```yaml
-- uses: auths-dev/sign@v1
-  id: sign
-  with:
-    token: ${{ secrets.AUTHS_CI_TOKEN }}
-    files: 'dist/**/*.tar.gz'
-
-- name: Upload attestations
-  uses: actions/upload-artifact@v4
-  with:
-    name: attestations
-    path: ${{ fromJSON(steps.sign.outputs.attestation-files) }}
-```
-
-## Glob patterns
-
-The `files` input supports glob patterns, one per line:
-
-```yaml
-files: |
-  dist/*.tar.gz
-  dist/*.zip
-  build/output/**/*.whl
-```
-
-Patterns follow [@actions/glob](https://github.com/actions/toolkit/tree/master/packages/glob) syntax. Symlinks are not followed. Paths outside the workspace are rejected.
-
-## Verification
-
-When `verify: true`, the action runs `auths artifact verify` on each signed file immediately after signing. This proves the full round-trip works and catches signing misconfigurations before they reach consumers.
-
-Consumers can verify your artifacts independently:
-
-```bash
-auths artifact verify dist/index.js --identity-bundle bundle.json
-```
-
-Or using the [auths-dev/verify](https://github.com/auths-dev/verify) action:
-
-```yaml
-- uses: auths-dev/verify@v1
-  with:
-    identity: ${{ secrets.AUTHS_CI_TOKEN }}
-    artifact-paths: 'dist/index.js'
-```
-
-## Security model
-
-- The CI device key has **limited capabilities** (`sign_release` only) -- it cannot impersonate your root identity, link devices, or perform other privileged operations
-- Credentials are extracted to temp files that are **always cleaned up**, even on failure
-- The passphrase is **masked** from all GitHub Actions logs via `core.setSecret`
-- Glob results are **contained to the workspace** -- paths outside `$GITHUB_WORKSPACE` are rejected
-- You can **revoke CI access** at any time: `auths device revoke --device-did <DID> --key <ALIAS>`
-
-## Revoking CI access
-
-If the CI device key is compromised:
-
-```bash
-auths device revoke --device-did <DEVICE_DID> --key <KEY_ALIAS>
-```
-
-The device DID and key alias are printed by `auths ci setup` during initial setup. After revocation, existing attestations remain valid (they were legitimate when signed), but the device can no longer produce new ones.
-
-## License
-
-Apache-2.0
+| `attestation-files` | JSON array of `.auths.json` paths |
+| `signed-commits` | JSON array of signed commit SHAs |

action.yml

@@ -1,28 +1,8 @@
 name: 'Sign with Auths'
-description: 'Sign build artifacts and/or commits using Auths identity keys in CI'
+description: 'Sign build artifacts using ephemeral Auths keys in CI — no secrets needed'
 author: 'auths'
 
 inputs:
-  token:
-    description: 'AUTHS_CI_TOKEN JSON (preferred) — contains passphrase, keychain, identity repo, and verify bundle'
-    required: false
-    default: ''
-  passphrase:
-    description: 'Auths device key passphrase (fallback when token is not provided)'
-    required: false
-    default: ''
-  keychain:
-    description: 'Base64-encoded encrypted keychain file (fallback when token is not provided)'
-    required: false
-    default: ''
-  identity-repo:
-    description: 'Base64-encoded tar.gz of ~/.auths identity repo (fallback when token is not provided)'
-    required: false
-    default: ''
-  verify-bundle:
-    description: 'Identity bundle JSON for post-sign verification (fallback when token is not provided)'
-    required: false
-    default: ''
   files:
     description: 'Glob patterns for files to sign, one per line'
     required: false
@@ -31,14 +11,10 @@ inputs:
     description: 'Git revision range to sign (e.g., HEAD~1..HEAD). Merge commits are skipped.'
     required: false
     default: ''
-  verify:
-    description: 'Verify each file after signing using the verify bundle from the token'
-    required: false
-    default: 'false'
-  device-key:
-    description: 'Alias of the device key to sign with'
+  commit-sha:
+    description: 'Commit SHA to anchor ephemeral attestation to (default: GITHUB_SHA)'
     required: false
-    default: 'ci-release-device'
+    default: ''
   note:
     description: 'Optional note to include in the attestation'
     required: false
@@ -55,8 +31,6 @@ outputs:
     description: 'JSON array of attestation file paths (.auths.json)'
   signed-commits:
     description: 'JSON array of signed commit SHAs'
-  verified:
-    description: 'Whether all signed artifacts/commits passed verification (empty string if verify was not requested)'
 
 runs:
   using: 'node20'

dist/__tests__/main.test.d.ts

@@ -1,5 +1,5 @@
 /**
- * Integration tests for the sign action's run() flow.
+ * Integration tests for the sign action's ephemeral signing flow.
  * Since run() executes at import time, we use jest.isolateModulesAsync.
  */
 declare let mockInputs: Record<string, string>;
@@ -14,7 +14,5 @@ declare let mockExecOutputResult: {
     stdout: string;
     stderr: string;
 };
-declare const mockResolveCredentials: jest.Mock<any, any, any>;
-declare const mockCleanupPaths: jest.Mock<any, any, any>;
 declare function resetMockState(): void;
 declare function runMain(): Promise<void>;