The GitHub Action (auths-dev/auths-verify-github-action@v1) only
verifies commit signatures. It cannot verify artifact attestations.
For the supply chain attack use case, the most critical verification
is: "does this published artifact have a valid signature from a known
maintainer?" The action should support this.
Task 3.1: Add artifact verification inputs to the GitHub Action
What: Add new inputs to the action for verifying artifact attestations
alongside (or instead of) commit signatures.
File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/action.yml
Add inputs:
inputs:
  # ... existing inputs ...
  artifact-paths:
    description: 'Glob pattern or newline-separated list of artifact files to verify (e.g., "dist/*.tar.gz")'
    required: false
    default: ''
  artifact-attestation-dir:
    description: 'Directory containing .auths.json attestation files (default: alongside artifacts)'
    required: false
    default: ''
Add outputs:
outputs:
  # ... existing outputs ...
  artifacts-verified:
    description: 'Whether all artifacts were verified (true/false)'
  artifact-results:
    description: 'JSON array of per-artifact verification results'
Task 3.2: Implement artifact verification logic in the action
What: Add artifact verification to the action's main execution flow.
When artifact-paths is provided, invoke auths artifact verify for
each matched file and aggregate results.
File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/src/main.ts
Current flow (line ~326):
// Only handles commits
const commitRange = detectCommitRange(...)
const results = await verifier.verifyCommits(commitRange, ...)
Add after commit verification:
// Artifact verification (when artifact-paths is provided)
// Assumes `import * as core from '@actions/core'` and `import * as glob from '@actions/glob'`
// at the top of main.ts, and that allowedSignersPath was already resolved for commit verification.
const artifactPaths = core.getInput('artifact-paths')
const artifactResults: ArtifactVerificationResult[] = []
if (artifactPaths) {
  // @actions/glob accepts newline-separated patterns, matching the input's description
  const files = await glob.create(artifactPaths).then(g => g.glob())
  for (const file of files) {
    const result = await verifier.verifyArtifact(file, allowedSignersPath)
    artifactResults.push(result)
  }
  // Fail closed: a pattern that matches nothing must not report "verified" (field name assumed)
  const allVerified = files.length > 0 && artifactResults.every(r => r.verified)
  core.setOutput('artifacts-verified', String(allVerified))
  core.setOutput('artifact-results', JSON.stringify(artifactResults))
}
File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/src/verifier.ts
Add method:
async verifyArtifact(
  filePath: string,
  allowedSignersOrBundle: string,
): Promise<ArtifactVerificationResult> {
  // Invoke: auths artifact verify <filePath> --allowed-signers <path>
  // (assumes `import * as exec from '@actions/exec'` in verifier.ts; result fields assumed)
  const { exitCode, stdout, stderr } = await exec.getExecOutput(
    'auths',
    ['artifact', 'verify', filePath, '--allowed-signers', allowedSignersOrBundle],
    { ignoreReturnCode: true, silent: true },
  )
  // Parse JSON output into a structured result; a non-zero exit is reported
  // as a failed artifact rather than thrown, so the loop in main.ts keeps going
  if (exitCode !== 0) return { file: filePath, verified: false, error: stderr || stdout }
  return { file: filePath, verified: true, ...JSON.parse(stdout) }
}
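As an added example (not the action's own code), the aggregation step of Task 3.2 written as standalone TypeScript: resolving the attestation path from artifact-attestation-dir, collecting per-file results into the two new outputs, and failing closed when a pattern matches nothing or the verifier throws. The result shape, the function names and the "<artifact>.auths.json" naming convention are assumptions.

```typescript
import * as path from 'path';
// Shape assumed for what verifyArtifact() returns (not defined in the plan).
export interface ArtifactVerificationResult {
  file: string;
  attestation: string;
  verified: boolean;
  error?: string;
}

export interface ArtifactSummary {
  artifactsVerified: boolean; // value for the `artifacts-verified` output
  artifactResults: string;    // JSON array for the `artifact-results` output
  failures: string[];         // files that did not verify, for the step log
}

// Locate the attestation: "<dir>/<basename>.auths.json" when artifact-attestation-dir
// is set, otherwise "<artifact>.auths.json" beside the artifact (naming assumed).
export function resolveAttestationPath(artifact: string, attestationDir: string): string {
  const name = path.basename(artifact) + '.auths.json';
  return attestationDir ? path.join(attestationDir, name) : artifact + '.auths.json';
}

// Fail closed: zero matched artifacts is a failure, because a glob that
// silently matches nothing would otherwise report "all artifacts verified".
export function summarize(results: ArtifactVerificationResult[]): ArtifactSummary {
  const failures = results.filter(r => !r.verified).map(r => r.file);
  return {
    artifactsVerified: results.length > 0 && failures.length === 0,
    artifactResults: JSON.stringify(results),
    failures,
  };
}

// Run one verifier call per matched file. The verifier is injected so the loop
// can be exercised without the auths CLI; a throwing verifier counts as a
// failed artifact and is never skipped.
export async function verifyAll(
  files: string[],
  attestationDir: string,
  verify: (file: string, attestation: string) => Promise<ArtifactVerificationResult>,
): Promise<ArtifactSummary> {
  const results: ArtifactVerificationResult[] = [];
  for (const file of files) {
    const attestation = resolveAttestationPath(file, attestationDir);
    try {
      results.push(await verify(file, attestation));
    } catch (e) {
      results.push({ file, attestation, verified: false, error: String(e) });
    }
  }
  return summarize(results);
}
```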