Merged
5 changes: 5 additions & 0 deletions .auths/allowed_signers
@@ -0,0 +1,5 @@
# auths:managed — do not edit manually
# auths:attestation
z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuPK6OfYp7ngZp40Q+Dsrahhks472v6gPIMD0upCRnM
z6MkhfnUUc2UJJ5C9sQQ7GvXmSbQJsdtNKV6HNYcQtTjc7xE@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/Ib83sxXogDnEVzLjFBkyC+DhP+cssbPzZAmQhB+Lz
# auths:manual
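Review bot: the `# auths:managed — do not edit manually` header says the two `namespaces="git"` entries are tool-generated, but nothing in this diff says which command regenerates them, and the README changes in the same PR only describe `auths ci setup` for CI secrets. Put the regenerating command in the header comment (or in the README next to the verify step) so the next key rotation is not done by hand-editing the managed block, and state that hand-added principals belong only under `# auths:manual`.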
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -41,6 +41,6 @@ jobs:
fetch-depth: 0

- name: Verify commit signatures
uses: auths-dev/auths-verify-github-action@v1
uses: auths-dev/verify@v1
with:
fail-on-unsigned: true
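Review bot: `uses: auths-dev/verify@v1` pins the signature gate to a mutable major tag, so whoever can move `v1` in the `auths-dev/verify` repository can change what `fail-on-unsigned: true` actually enforces on every run. Since this step is the commit-signature check itself, pin it to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: auths-dev/verify@<sha> # v1`, and let a dependency bot bump it.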
5 changes: 1 addition & 4 deletions .github/workflows/release.yml
@@ -34,10 +34,7 @@ jobs:
- name: Sign and verify dist/index.js
uses: ./
with:
passphrase: ${{ secrets.AUTHS_CI_PASSPHRASE }}
keychain: ${{ secrets.AUTHS_CI_KEYCHAIN }}
identity-repo: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
verify-bundle: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
token: ${{ secrets.AUTHS_CI_TOKEN }}
files: 'dist/index.js'
verify: true
note: 'GitHub Actions release — ${{ github.ref_name }}'
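Review bot: dropping `verify-bundle` while keeping `verify: true` leaves the verification half of "Sign and verify dist/index.js" without an independently supplied trust root. If the action now derives the identity to verify against from `token`, the check only confirms that the freshly made signature parses and matches the key carried in the same secret, not that the artifact verifies against the identity consumers will use. Either document that `verify: true` is a self-consistency check only, or keep a separate public identity-bundle input for the verification half.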
37 changes: 7 additions & 30 deletions README.md
@@ -35,11 +35,10 @@ auths init
From the repo you want to sign artifacts in:

```bash
just ci-setup
# or: bash scripts/ci-setup.sh
auths ci setup
```

This creates a limited-capability CI device key and sets the required GitHub secrets automatically.
This creates a limited-capability CI device key and sets a single `AUTHS_CI_TOKEN` GitHub secret automatically.

### 4. Add the action to your release workflow

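Review bot: the sentence "sets a single `AUTHS_CI_TOKEN` GitHub secret automatically" should say what that secret contains. It replaces the `passphrase`, `keychain` and `identity-repo` inputs (the `AUTHS_CI_PASSPHRASE`, `AUTHS_CI_KEYCHAIN` and `AUTHS_CI_IDENTITY_BUNDLE` secrets) that this PR removes, so a leak of the one token is a leak of the device key passphrase, the encrypted keychain and the identity repo together. A one-line statement of that, plus a pointer to the revocation section, belongs here rather than leaving readers to infer the blast radius from the inputs table.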
@@ -88,29 +87,7 @@ jobs:
| `note` | No | | Note to include in the attestation |
| `auths-version` | No | latest | Pin a specific Auths CLI version |

*Either `token` or the individual credential inputs (`passphrase`, `keychain`, `identity-repo`) are required.

### Individual credential inputs (fallback)

If you're not using `AUTHS_CI_TOKEN`, provide these instead:

| Input | Description |
|-------|-------------|
| `passphrase` | Device key passphrase (`AUTHS_CI_PASSPHRASE` secret) |
| `keychain` | Base64-encoded encrypted keychain (`AUTHS_CI_KEYCHAIN` secret) |
| `identity-repo` | Base64-encoded tar.gz of identity repo (`AUTHS_CI_IDENTITY_BUNDLE` secret) |
| `verify-bundle` | Identity bundle JSON for verification (`AUTHS_CI_IDENTITY_BUNDLE_JSON` secret) |

```yaml
- uses: auths-dev/sign@v1
with:
passphrase: ${{ secrets.AUTHS_CI_PASSPHRASE }}
keychain: ${{ secrets.AUTHS_CI_KEYCHAIN }}
identity-repo: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
verify-bundle: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
files: 'dist/index.js'
verify: true
```
*`token` is the `AUTHS_CI_TOKEN` secret generated by `auths ci setup`.

## Outputs

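Review bot: the rewritten footnote "*`token` is the `AUTHS_CI_TOKEN` secret generated by `auths ci setup`." drops the requirement the old footnote carried ("Either `token` or the individual credential inputs ... are required"). With the fallback inputs section removed, the asterisk on the `token` row now only explains where the value comes from and no longer says the input is mandatory; make it read "*`token` is required; it is the `AUTHS_CI_TOKEN` secret generated by `auths ci setup`." or set the row's Required column to Yes.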
@@ -159,12 +136,12 @@ Consumers can verify your artifacts independently:
auths artifact verify dist/index.js --identity-bundle bundle.json
```

Or using the [auths-dev/auths-verify-github-action](https://github.com/auths-dev/auths-verify-github-action):
Or using the [auths-dev/verify](https://github.com/auths-dev/verify) action:

```yaml
- uses: auths-dev/auths-verify-github-action@v1
- uses: auths-dev/verify@v1
with:
identity-bundle-json: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE_JSON }}
identity: ${{ secrets.AUTHS_CI_TOKEN }}
artifact-paths: 'dist/index.js'
```

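Review bot: the consumer example now feeds `identity: ${{ secrets.AUTHS_CI_TOKEN }}` to `auths-dev/verify@v1`, which is the same secret the signing step uses and which, per the inputs this PR removes, carries the device key passphrase and keychain. A downstream consumer should never hold the producer's signing credential to check a signature, and most will not have it; the CLI example two lines up verifies with a public `bundle.json`. The action example should take that same public identity bundle (checked into the consumer repo or fetched from a release asset), not the CI token.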
@@ -184,7 +161,7 @@ If the CI device key is compromised:
auths device revoke --device-did <DEVICE_DID> --key <KEY_ALIAS>
```

The device DID and key alias are printed by `just ci-setup` during initial setup. After revocation, existing attestations remain valid (they were legitimate when signed), but the device can no longer produce new ones.
The device DID and key alias are printed by `auths ci setup` during initial setup. After revocation, existing attestations remain valid (they were legitimate when signed), but the device can no longer produce new ones.

## License

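Review bot: the revocation steps stop at `auths device revoke`, but after this PR the CI credential is a single `AUTHS_CI_TOKEN` secret written by `auths ci setup`. A compromised device key means that token is compromised too, so add the follow-up: delete or rotate the `AUTHS_CI_TOKEN` repository secret and re-run `auths ci setup` to mint a new device key; otherwise the release workflow keeps presenting a revoked credential until someone notices the failing runs.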
2 changes: 1 addition & 1 deletion justfile
@@ -19,7 +19,7 @@ ci: test build check-dist

# Set up CI secrets for release artifact signing (one-time)
ci-setup:
bash scripts/ci-setup.sh
auths ci setup

# Sign the dist/index.js artifact locally (creates dist/index.js.auths.json)
sign-dist:
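Review bot: `ci-setup` is now a one-line alias for `auths ci setup`, and the README in this same PR stops mentioning `just ci-setup` (it previously offered it as the first option). Either keep the README cross-reference so the recipe is discoverable, or drop the recipe; an undocumented alias invites the README and justfile to drift apart again. The comment "Set up CI secrets" is also now singular in effect, since the setup writes one `AUTHS_CI_TOKEN` secret.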
226 changes: 0 additions & 226 deletions scripts/ci-setup.sh

This file was deleted.
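Review bot: removing the 226-line `scripts/ci-setup.sh` makes the `auths` CLI a hard prerequisite for the one-time setup, but the README's prerequisites are not visible in this diff and the only version pin shown is the action's `auths-version` input, which governs the release job rather than the developer's machine. Confirm the README states the minimum `auths` version that provides `ci setup`, since the deleted script's behaviour is no longer reviewable in this repo.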