This action makes Minisign available to you in your github actions.
Optional
Contents of this input should be a plaintext minisign key. At the start of the
run the contents are written to disk at ~/.minisign/minisign.key
(by default).
You can also provide a signing key via some other mechanism. This input exists to provide a convenient mechanism to get a key from a github repo secret onto disk.
If you want to change the path where this writes, you can set the environment
variable MINISIGN_KEY_PATH
to another value via your action's env
field. If
you do this, make sure to remember to set -p
correctly in your args.
Optional
If your minisign key has a password attached, put the contents of that password in here.
None
steps:
- name: Fetch "third-party" artifact
run: |
wget \
https://github.com/jedisct1/minisign/releases/download/0.8/minisign-0.8.tar.gz \
https://github.com/jedisct1/minisign/releases/download/0.8/minisign-0.8.tar.gz.minisig
- name: Verify artifact's integrity with their published key
uses: thomasdesr/minisign-action@v1
with:
args: -Vm "minisign-0.8.tar.gz" -P "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
steps:
- name: Sign our test file
uses: thomasdesr/minisign-action@v1
with:
args: -Sm path/to/artifact
minisign_key: ${{ secrets.minisign_key }}
password: ${{ secrets.minisign_password }}
- name: Upload the signature
uses: actions/upload-artifact@v1
with:
name: my-signature
path: path/to/artifact.minisig
I feel like maybe this should be more than a thin wrapper around the CLI but it has been good enough for me solve my immediate needs so I've stopped here for now.
If you want to add features just open an issue and I'd be happy to work on it with you!
- Investigate if it is worth it to switch from using docker to JS via the wasm impl so we can spend less time installing c++ toolchains.
- Maybe publish a copy of this container to a registry somewhere so we can swap compile for download times?