Skip to content

SignPath/github-actions-extended-demo-fqa

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits
.github/workflows
.github/workflows
 
 
.signpath/artifact-configurations
.signpath/artifact-configurations
 
 
sbom
sbom
 
 
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

Using SignPath with GitHub Actions

This project demonstrates signing artifacts using SignPath from GitHub Actions workflows.

Signing is invoked in the sign step of .github/workflows/build-and-sign.yml.

See github.com/SignPath/github-actions for a full documentation of SignPath actions.

Policy demonstrations

This project demonstrates the following attempts to violate SignPath policies and how they are averted on the control plane:

  • This step selects the appropriate signing policy depending on the branch name. The actual branch must match the branch condition of the selected signing policy. The attempt-signing-release branch demonstrates how SignPath will detect incorrect attempts.
  • The release/malicious-dll branch demonstrates how SignPath will detect content-level violations of the artifact configuration.
  • The [release/no-branch-rulesets] branch demonstrates how SignPath can be configured to require certain branch ruleset rules.

Configuration

To use this demo with your own SignPath subscription, you need to get access to SignPath's GitHub Actions integration and have the branch ruleset restriction enabled and configured. Please contact support@signpath.io.

  • Fork this repository
    • Uncheck Copy the main branch only
  • In your SignPath organization, create a project with
    • Slug: Demo_Application
    • Repository URLs: Your forked GitHub repository, e.g. https://github.com/my/github-actions-extended-demo
    • Trusted Build Systems: Link GitHub.com
    • Add the following artifact configuration as default: .signpath/artifact-configurations/default.xml
    • Add a test-signing signing policy
    • Add a release-signing signing policy with origin verification enabled and restricted to main and release/* branches
  • Create an API token in SignPath and add it as a GitHub Actions secret SIGNPATH_API_TOKEN (make sure the user is a submitter in your signing policies)
  • Add your SignPath Organization ID as a GitHub Actions variable SIGNPATH_ORGANIZATION_ID (click your organization's name at the upper right corner)
  • For now, create an access token with metadata:read permissions on your repository and pass it as the extended-verification-token. (Note: this will be replaced by GitHub App access soon.)
  • Enable Actions for your GitHub repository

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 43.2%
  • HTML 37.3%
  • C# 9.4%
  • CSS 5.2%
  • JavaScript 4.9%