Sign build artifacts and commits in CI using ephemeral keys. No secrets needed.
```yaml
- uses: auths-dev/sign@v1
  with:
    files: |
      dist/*.tar.gz
      dist/*.zip
```

No tokens. No secrets. The action generates a throwaway key per run, signs your artifacts, and discards the key. Trust is anchored to the commit, not to a CI credential.
- Installs the `auths` CLI
- Runs `auths artifact sign --ci --commit $GITHUB_SHA` for each matched file
- Produces `.auths.json` attestation files alongside your artifacts
- Verifiers trace: artifact ← ephemeral key ← commit SHA ← maintainer signature
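The trust chain in the last bullet, modelled as an added Go example (not the auths CLI's code, and not the real `.auths.json` layout): the attestation field names, the signed message format, and the maintainer signature standing in for a signed git commit are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Attestation is a hypothetical model of a .auths.json (the real layout is not on
// the page). It records: artifact <- ephemeral key <- commit SHA <- maintainer.
type Attestation struct {
	ArtifactSHA256 string            // hex SHA-256 of the artifact bytes
	CommitSHA      string            // commit the run was anchored to (--commit $GITHUB_SHA)
	EphemeralPub   ed25519.PublicKey // throwaway key generated for this run only
	ArtifactSig    []byte            // ephemeral signature over digest + commit
	MaintainerSig  []byte            // maintainer signature over the commit (stands in for a signed commit)
}

// SignInCI plays the action: generate a fresh key, sign once, and let the private
// key die with the function return. No long-lived CI secret exists to steal.
func SignInCI(artifact []byte, commitSHA string, maintainerSig []byte) (Attestation, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Attestation{}, err
	}
	d := sha256.Sum256(artifact)
	att := Attestation{ArtifactSHA256: hex.EncodeToString(d[:]), CommitSHA: commitSHA,
		EphemeralPub: pub, MaintainerSig: maintainerSig}
	att.ArtifactSig = ed25519.Sign(priv, []byte(att.ArtifactSHA256+"\n"+att.CommitSHA))
	return att, nil
}

// Verify walks the chain from the artifact bytes back to the maintainer's key.
func Verify(artifact []byte, att Attestation, commit string, maintainerPub ed25519.PublicKey) error {
	d := sha256.Sum256(artifact)
	switch {
	case hex.EncodeToString(d[:]) != att.ArtifactSHA256:
		return errors.New("artifact digest mismatch")
	case att.CommitSHA != commit:
		return errors.New("attestation anchored to a different commit")
	case !ed25519.Verify(att.EphemeralPub, []byte(att.ArtifactSHA256+"\n"+att.CommitSHA), att.ArtifactSig):
		return errors.New("ephemeral signature does not verify")
	case !ed25519.Verify(maintainerPub, []byte(att.CommitSHA), att.MaintainerSig):
		return errors.New("commit not signed by a trusted maintainer")
	}
	return nil
}
```

A verifier that skips the last check accepts any ephemeral key, so the maintainer's commit signature is what makes the throwaway key trustworthy.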
```yaml
- name: Sign artifacts
  uses: auths-dev/sign@v1
  with:
    files: |
      dist/*.tar.gz
      dist/*.zip
    note: "Release ${{ github.ref_name }}"
```

```yaml
- name: Sign commits
  uses: auths-dev/sign@v1
  with:
    commits: HEAD~1..HEAD
```

| Input | Required | Default | Description |
|---|---|---|---|
| `files` | No | | Glob patterns for files to sign, one per line |
| `commits` | No | | Git revision range to sign |
| `commit-sha` | No | `$GITHUB_SHA` | Commit SHA to anchor the attestation to |
| `note` | No | | Note to include in the attestation |
| `auths-version` | No | `latest` | Auths CLI version to use |

At least one of `files` or `commits` must be provided.
| Output | Description |
|---|---|
| `signed-files` | JSON array of signed file paths |
| `attestation-files` | JSON array of `.auths.json` paths |
| `signed-commits` | JSON array of signed commit SHAs |