This repository contains the GitHub Actions that can be used to submit a signing request to SignPath.io.

> **Warning**
> These actions are currently in development and only available in preview mode for selected customers. Contact support@signpath.io if you are interested in using them.

Currently, there is only one action available, `submit-signing-request`.

This action allows you to sign a build artifact using the SignPath signing services.

For a definition of the parameters, see `action.yml`.
- `connector-url` (optional): The URL of the SignPath connector. Defaults to `https://githubactions.connectors.signpath.io`.
- `api-token` (required): The SignPath REST API access token. Read more in the SignPath documentation.
- `organization-id` (required): SignPath organization ID.
- `project-slug` (required): SignPath project slug.
- `signing-policy-slug` (required): SignPath signing policy slug.
- `artifact-configuration-slug` (required): SignPath artifact configuration slug.
- `github-artifact-name` (required): Name of the GitHub Actions artifact.
- `github-token` (optional): GitHub access token used to read job details and download the artifact. Defaults to `secrets.GITHUB_TOKEN`. Requires the `actions: read` and `contents: read` permissions. Note: this token will be stored (encrypted) on SignPath.io.
- `github-extended-verification-token` (optional): Token used to query the runners API. Only required if larger runners are used. Requires the `organization_self_hosted_runners:read` permission.
- `wait-for-completion-timeout-in-seconds` (optional): Maximum time in seconds that the action will wait for the signing request to complete. Defaults to 10 minutes.
- `service-unavailable-timeout-in-seconds` (optional): Total time in seconds that the action will wait for a single service call to succeed (across several retries). Defaults to 10 minutes.
- `download-signed-artifact-timeout-in-seconds` (optional): HTTP timeout when downloading the signed artifact. Defaults to 5 minutes.
- `wait-for-completion` (optional): If `true`, the action will wait for the signing request to complete. Defaults to `true`.
- `output-artifact-directory` (optional): Path where the signed artifact will be saved. If not specified, the action will not download the signed artifact from SignPath.
- The GitHub Actions Trusted Build System must be enabled in the organization and linked to the respective project.
- The artifact must be uploaded to the GitHub Actions workflow using the `actions/upload-artifact` action before it can be signed.
- The `secrets.SIGNPATH_API_TOKEN` variable must belong to a user who has a submitter role in the referenced signing policy.
Submit a signing request, wait for it to complete, and download the signed artifact:

```yaml
steps:
  - id: optional_step_id
    uses: signpath/github-actions/actions/submit-signing-request@v0.1
    with:
      api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
      organization-id: '<SignPath organization id>'
      project-slug: '<SignPath project slug>'
      signing-policy-slug: '<SignPath signing policy slug>'
      artifact-configuration-slug: '<SignPath artifact configuration slug>'
      github-artifact-name: '<Name of the Github Actions artifact>'
      wait-for-completion: true
      output-artifact-directory: '<Destination path for the signed artifact>'
```

Submit a signing request without waiting for it to complete:

```yaml
steps:
  - id: optional_step_id
    uses: signpath/github-actions/actions/submit-signing-request@v0.1
    with:
      api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
      organization-id: '<SignPath organization id>'
      project-slug: '<SignPath project slug>'
      signing-policy-slug: '<SignPath policy slug>'
      artifact-configuration-slug: '<SignPath artifact configuration slug>'
      github-artifact-name: '<Name of the artifact to sign>'
      wait-for-completion: false
```

The `submit-signing-request` action supports the following output parameters:

- `signing-request-id`: The id of the newly created signing request.
- `signing-request-web-url`: The URL of the signing request in SignPath.
- `signpath-api-url`: The base API URL of the SignPath API.
- `signed-artifact-download-url`: The URL of the signed artifact in SignPath.
You can use the output parameters in the following way:

```yaml
steps:
  - name: Print the signing request id
    run: echo "Output [${{ steps.<submit_signing_request_step_id>.outputs.signing-request-id }}]"
```
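The following is a complete workflow that ties the prerequisites, the action inputs and the output parameters together. It is an added example, not a workflow shipped with this repository: the build command, the artifact names (`my-app-unsigned`, `my-app-signed`), the project, policy and artifact-configuration slugs, and the `SIGNPATH_ORGANIZATION_ID` configuration variable are placeholders to be replaced with your own values. The job grants `GITHUB_TOKEN` only the `actions: read` and `contents: read` permissions the action needs, and it passes the action outputs into the shell through `env:` rather than interpolating them into the `run:` script directly, which keeps values that come from outside the workflow out of the shell's command line.

```yaml
name: build-and-sign

on:
  push:
    branches: [main]

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    # Least-privilege scope for the default GITHUB_TOKEN: the action reads the
    # job details and downloads the unsigned artifact with this token.
    permissions:
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Build
        # Placeholder build command; replace with your project's build.
        run: dotnet publish -c Release -o ./dist

      # Prerequisite: the artifact must be uploaded with actions/upload-artifact
      # before the signing request references it by name.
      - name: Upload unsigned artifact
        uses: actions/upload-artifact@v4
        with:
          name: my-app-unsigned
          path: ./dist

      - name: Submit signing request
        id: sign
        uses: signpath/github-actions/actions/submit-signing-request@v0.1
        with:
          # The token's owner needs the submitter role in the signing policy.
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          # Assumed repository configuration variable holding the organization id.
          organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
          project-slug: 'my-app'
          signing-policy-slug: 'release-signing'
          artifact-configuration-slug: 'default'
          github-artifact-name: 'my-app-unsigned'
          wait-for-completion: true
          # Fail the job if signing takes longer than 15 minutes (default is 10).
          wait-for-completion-timeout-in-seconds: 900
          output-artifact-directory: './signed'

      - name: Record signing request
        # Outputs are passed as environment variables, not interpolated into the script.
        env:
          SIGNING_REQUEST_ID: ${{ steps.sign.outputs.signing-request-id }}
          SIGNING_REQUEST_URL: ${{ steps.sign.outputs.signing-request-web-url }}
        run: |
          echo "Signing request: $SIGNING_REQUEST_ID"
          echo "Review at: $SIGNING_REQUEST_URL"

      - name: Upload signed artifact
        uses: actions/upload-artifact@v4
        with:
          name: my-app-signed
          path: ./signed
```

If your signing policy requires manual approval, set `wait-for-completion: false` instead and record `signing-request-id` and `signing-request-web-url` for a later step; the job then finishes without the signed artifact, and the download happens once the request has been approved.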