feat: initial sign action

Author: bordumb

.github/workflows/ci.yml

@@ -0,0 +1,46 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Test
+        run: npm test
+
+      - name: Build
+        run: npm run build
+
+      - name: Check dist is committed
+        run: |
+          git diff --exit-code -- dist/ ':!dist/**/*.d.ts.map' || {
+            echo "::error::dist/ is out of date. Run 'just build' (or 'npm run build') and commit the result."
+            exit 1
+          }
+
+  verify-commits:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Verify commit signatures
+        uses: auths-dev/auths-verify-github-action@v1
+        with:
+          fail-on-unsigned: true

.github/workflows/release.yml

@@ -0,0 +1,84 @@
+# Triggered by: python scripts/release.py --push
+
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - run: npm ci
+      - run: npm test
+      - run: npm run build
+
+      - name: Check dist is up to date
+        run: git diff --exit-code -- dist/ ':!dist/**/*.d.ts.map'
+
+      # Dogfood: sign dist/index.js using ourselves
+      - name: Sign and verify dist/index.js
+        uses: ./
+        with:
+          passphrase: ${{ secrets.AUTHS_CI_PASSPHRASE }}
+          keychain: ${{ secrets.AUTHS_CI_KEYCHAIN }}
+          identity-repo: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
+          verify-bundle: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
+          files: 'dist/index.js'
+          verify: true
+          note: 'GitHub Actions release — ${{ github.ref_name }}'
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist
+          sha256sum index.js > index.js.sha256
+          if [ -f index.js.auths.json ]; then
+            sha256sum index.js.auths.json >> index.js.sha256
+          fi
+          cat index.js.sha256
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          make_latest: true
+          files: |
+            dist/index.js.auths.json
+            dist/index.js.sha256
+          body: |
+            ## Auths Sign GitHub Action
+
+            Sign build artifacts in CI using [Auths](https://github.com/auths-dev/auths) identity keys.
+
+            ### Usage
+
+            ```yaml
+            - uses: auths-dev/sign@${{ github.ref_name }}
+              with:
+                token: ${{ secrets.AUTHS_CI_TOKEN }}
+                files: 'dist/index.js'
+                verify: true
+            ```
+
+            See the [README](https://github.com/auths-dev/sign#readme) for full configuration options.
+
+      - name: Update floating major tag
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          MAJOR="${TAG%%.*}"
+          git tag -f "$MAJOR" "$TAG"
+          git push origin "$MAJOR" --force

.gitignore

@@ -0,0 +1,11 @@
+# Dependencies
+node_modules/
+
+# TypeScript build info
+*.tsbuildinfo
+
+# TypeScript declaration sourcemaps (contain local build paths)
+dist/**/*.d.ts.map
+
+# Local tool directories
+.flow/

action.yml

@@ -0,0 +1,60 @@
+name: 'Sign Artifacts with Auths'
+description: 'Sign build artifacts using Auths identity keys in CI'
+author: 'auths'
+
+inputs:
+  token:
+    description: 'AUTHS_CI_TOKEN JSON (preferred) — contains passphrase, keychain, identity repo, and verify bundle'
+    required: false
+    default: ''
+  passphrase:
+    description: 'Auths device key passphrase (fallback when token is not provided)'
+    required: false
+    default: ''
+  keychain:
+    description: 'Base64-encoded encrypted keychain file (fallback when token is not provided)'
+    required: false
+    default: ''
+  identity-repo:
+    description: 'Base64-encoded tar.gz of ~/.auths identity repo (fallback when token is not provided)'
+    required: false
+    default: ''
+  verify-bundle:
+    description: 'Identity bundle JSON for post-sign verification (fallback when token is not provided)'
+    required: false
+    default: ''
+  files:
+    description: 'Glob patterns for files to sign, one per line'
+    required: true
+  verify:
+    description: 'Verify each file after signing using the verify bundle from the token'
+    required: false
+    default: 'false'
+  device-key:
+    description: 'Alias of the device key to sign with'
+    required: false
+    default: 'ci-release-device'
+  note:
+    description: 'Optional note to include in the attestation'
+    required: false
+    default: ''
+  auths-version:
+    description: 'Auths CLI version to use (leave empty for latest)'
+    required: false
+    default: ''
+
+outputs:
+  signed-files:
+    description: 'JSON array of file paths that were signed'
+  attestation-files:
+    description: 'JSON array of attestation file paths (.auths.json)'
+  verified:
+    description: 'Whether all signed files passed verification (empty string if verify was not requested)'
+
+runs:
+  using: 'node20'
+  main: 'dist/index.js'
+
+branding:
+  icon: 'edit-3'
+  color: 'blue'

dist/__tests__/installer.test.d.ts

@@ -0,0 +1 @@
+export {};

dist/__tests__/main.test.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Integration tests for the sign action's run() flow.
+ * Since run() executes at import time, we use jest.isolateModulesAsync.
+ */
+declare let mockInputs: Record<string, string>;
+declare let mockMultilineInputs: Record<string, string[]>;
+declare let mockOutputs: Record<string, string>;
+declare let mockFailed: string[];
+declare let mockWarnings: string[];
+declare let mockGlobFiles: string[];
+declare let mockExecExitCode: number;
+declare let mockExecOutputResult: {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+};
+declare const mockResolveCredentials: jest.Mock<any, any, any>;
+declare const mockCleanupPaths: jest.Mock<any, any, any>;
+declare function resetMockState(): void;
+declare function runMain(): Promise<void>;

dist/__tests__/token.test.d.ts

@@ -0,0 +1 @@
+export {};