Sign build artifacts in CI with Auths identity keys. Produces `.auths.json` attestation files that anyone can verify.

```yaml
- uses: auths-dev/sign@v1
  with:
    token: ${{ secrets.AUTHS_CI_TOKEN }}
    files: 'dist/index.js'
    verify: true
```

This signs `dist/index.js`, creates `dist/index.js.auths.json`, and verifies the signature in one step.
```bash
brew tap auths-dev/auths-cli
brew install auths   # macOS
# or download from https://github.com/auths-dev/auths/releases
```

```bash
auths init
```

From the repo you want to sign artifacts in:

```bash
auths ci setup
```

This creates a limited-capability CI device key and sets a single `AUTHS_CI_TOKEN` GitHub secret automatically.
```yaml
name: Release

on:
  push:
    tags: ['v*.*.*']

permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: npm run build # or your build command

      - name: Sign artifacts
        uses: auths-dev/sign@v1
        with:
          token: ${{ secrets.AUTHS_CI_TOKEN }}
          files: 'dist/*.js'
          verify: true
          note: 'Release ${{ github.ref_name }}'

      - name: Create release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/*.auths.json
```

| Input | Required | Default | Description |
|---|---|---|---|
| `token` | No* | | `AUTHS_CI_TOKEN` JSON containing all credentials |
| `files` | Yes | | Glob patterns for files to sign (one per line) |
| `verify` | No | `false` | Verify each file immediately after signing |
| `device-key` | No | `ci-release-device` | Device key alias to sign with |
| `note` | No | | Note to include in the attestation |
| `auths-version` | No | `latest` | Pin a specific Auths CLI version |

\*`token` is the `AUTHS_CI_TOKEN` secret generated by `auths ci setup`.
| Output | Description |
|---|---|
| `signed-files` | JSON array of signed file paths |
| `attestation-files` | JSON array of `.auths.json` attestation file paths |
| `verified` | `true`/`false` when `verify: true`, empty otherwise |
```yaml
- uses: auths-dev/sign@v1
  id: sign
  with:
    token: ${{ secrets.AUTHS_CI_TOKEN }}
    files: 'dist/**/*.tar.gz'

- name: Upload attestations
  uses: actions/upload-artifact@v4
  with:
    name: attestations
    path: ${{ fromJSON(steps.sign.outputs.attestation-files) }}
```

The `files` input supports glob patterns, one per line:

```yaml
files: |
  dist/*.tar.gz
  dist/*.zip
  build/output/**/*.whl
```

Patterns follow `@actions/glob` syntax. Symlinks are not followed. Paths outside the workspace are rejected.
When verify: true, the action runs auths artifact verify on each signed file immediately after signing. This proves the full round-trip works and catches signing misconfigurations before they reach consumers.
Consumers can verify your artifacts independently:
```bash
auths artifact verify dist/index.js --identity-bundle bundle.json
```

Or using the `auths-dev/verify` action:
```yaml
- uses: auths-dev/verify@v1
  with:
    identity: ${{ secrets.AUTHS_CI_TOKEN }}
    artifact-paths: 'dist/index.js'
```

- The CI device key has limited capabilities (`sign_release` only) -- it cannot impersonate your root identity, link devices, or perform other privileged operations
- Credentials are extracted to temp files that are always cleaned up, even on failure
- The passphrase is masked from all GitHub Actions logs via `core.setSecret`
- Glob results are contained to the workspace -- paths outside `$GITHUB_WORKSPACE` are rejected
- You can revoke CI access at any time:

```bash
auths device revoke --device-did <DID> --key <ALIAS>
```
If the CI device key is compromised:

```bash
auths device revoke --device-did <DEVICE_DID> --key <KEY_ALIAS>
```

The device DID and key alias are printed by `auths ci setup` during initial setup. After revocation, existing attestations remain valid (they were legitimate when signed), but the device can no longer produce new ones.
Apache-2.0