Merge pull request #1 from auths-dev/dev-cliCiSetup

bordumb · web-flow · commit 464e8188f735 · 2026-04-05T07:23:03.000+01:00
refactor: replace old 3-secret ci-setup with single AUTHS_CI_TOKEN across workflows, docs, justfiles, and templates
diff --git a/.auths/allowed_signers b/.auths/allowed_signers
@@ -0,0 +1,5 @@
+# auths:managed — do not edit manually
+# auths:attestation
+z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuPK6OfYp7ngZp40Q+Dsrahhks472v6gPIMD0upCRnM
+z6MkhfnUUc2UJJ5C9sQQ7GvXmSbQJsdtNKV6HNYcQtTjc7xE@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/Ib83sxXogDnEVzLjFBkyC+DhP+cssbPzZAmQhB+Lz
+# auths:manual
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,6 +41,6 @@ jobs:
           fetch-depth: 0
 
       - name: Verify commit signatures
-        uses: auths-dev/auths-verify-github-action@v1
+        uses: auths-dev/verify@v1
         with:
           fail-on-unsigned: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,10 +34,7 @@ jobs:
       - name: Sign and verify dist/index.js
         uses: ./
         with:
-          passphrase: ${{ secrets.AUTHS_CI_PASSPHRASE }}
-          keychain: ${{ secrets.AUTHS_CI_KEYCHAIN }}
-          identity-repo: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
-          verify-bundle: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
+          token: ${{ secrets.AUTHS_CI_TOKEN }}
           files: 'dist/index.js'
           verify: true
           note: 'GitHub Actions release — ${{ github.ref_name }}'
diff --git a/README.md b/README.md
@@ -35,11 +35,10 @@ auths init
 From the repo you want to sign artifacts in:
 
 ```bash
-just ci-setup
-# or: bash scripts/ci-setup.sh
+auths ci setup
 ```
 
-This creates a limited-capability CI device key and sets the required GitHub secrets automatically.
+This creates a limited-capability CI device key and sets a single `AUTHS_CI_TOKEN` GitHub secret automatically.
 
 ### 4. Add the action to your release workflow
 
@@ -88,29 +87,7 @@ jobs:
 | `note` | No | | Note to include in the attestation |
 | `auths-version` | No | latest | Pin a specific Auths CLI version |
 
-*Either `token` or the individual credential inputs (`passphrase`, `keychain`, `identity-repo`) are required.
-
-### Individual credential inputs (fallback)
-
-If you're not using `AUTHS_CI_TOKEN`, provide these instead:
-
-| Input | Description |
-|-------|-------------|
-| `passphrase` | Device key passphrase (`AUTHS_CI_PASSPHRASE` secret) |
-| `keychain` | Base64-encoded encrypted keychain (`AUTHS_CI_KEYCHAIN` secret) |
-| `identity-repo` | Base64-encoded tar.gz of identity repo (`AUTHS_CI_IDENTITY_BUNDLE` secret) |
-| `verify-bundle` | Identity bundle JSON for verification (`AUTHS_CI_IDENTITY_BUNDLE_JSON` secret) |
-
-```yaml
-- uses: auths-dev/sign@v1
-  with:
-    passphrase: ${{ secrets.AUTHS_CI_PASSPHRASE }}
-    keychain: ${{ secrets.AUTHS_CI_KEYCHAIN }}
-    identity-repo: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
-    verify-bundle: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
-    files: 'dist/index.js'
-    verify: true
-```
+*`token` is the `AUTHS_CI_TOKEN` secret generated by `auths ci setup`.
 
 ## Outputs
 
@@ -159,12 +136,12 @@ Consumers can verify your artifacts independently:
 auths artifact verify dist/index.js --identity-bundle bundle.json
 ```
 
-Or using the [auths-dev/auths-verify-github-action](https://github.com/auths-dev/auths-verify-github-action):
+Or using the [auths-dev/verify](https://github.com/auths-dev/verify) action:
 
 ```yaml
-- uses: auths-dev/auths-verify-github-action@v1
+- uses: auths-dev/verify@v1
   with:
-    identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
+    identity: ${{ secrets.AUTHS_CI_TOKEN }}
     artifact-paths: 'dist/index.js'
 ```
 
@@ -184,7 +161,7 @@ If the CI device key is compromised:
 auths device revoke --device-did <DEVICE_DID> --key <KEY_ALIAS>
 ```
 
-The device DID and key alias are printed by `just ci-setup` during initial setup. After revocation, existing attestations remain valid (they were legitimate when signed), but the device can no longer produce new ones.
+The device DID and key alias are printed by `auths ci setup` during initial setup. After revocation, existing attestations remain valid (they were legitimate when signed), but the device can no longer produce new ones.
 
 ## License
 
diff --git a/justfile b/justfile
@@ -19,7 +19,7 @@ ci: test build check-dist
 
 # Set up CI secrets for release artifact signing (one-time)
 ci-setup:
-    bash scripts/ci-setup.sh
+    auths ci setup
 
 # Sign the dist/index.js artifact locally (creates dist/index.js.auths.json)
 sign-dist:
diff --git a/scripts/ci-setup.sh b/scripts/ci-setup.sh
