{"id":19683073,"url":"https://github.com/clowdhaus/aws-lambda-code-signing-action","last_synced_at":"2025-07-17T07:36:04.882Z","repository":{"id":104010196,"uuid":"416756605","full_name":"clowdhaus/aws-lambda-code-signing-action","owner":"clowdhaus","description":"GitHub action which uses AWS Code Signer to sign ✍🏼 AWS Lambda artifacts 📦 from your pipeline","archived":false,"fork":false,"pushed_at":"2025-06-30T12:41:02.000Z","size":2794,"stargazers_count":5,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-30T13:48:13.803Z","etag":null,"topics":["aws","aws-lambda","code-signing","github-action","gitops"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/clowdhaus.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"bryantbiggs"}},"created_at":"2021-10-13T13:32:59.000Z","updated_at":"2025-06-30T12:41:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"1dc7a2c9-9318-46f6-9c66-434e82928285","html_url":"https://github.com/clowdhaus/aws-lambda-code-signing-action","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":"actions/typescript-action","purl":"pkg:github/clowdhaus/aws-lambda-code-signing-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clowdhaus%2Faws-lambda-code-signing-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/clowdhaus%2Faws-lambda-code-signing-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clowdhaus%2Faws-lambda-code-signing-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clowdhaus%2Faws-lambda-code-signing-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/clowdhaus","download_url":"https://codeload.github.com/clowdhaus/aws-lambda-code-signing-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clowdhaus%2Faws-lambda-code-signing-action/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265577965,"owners_count":23791270,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-lambda","code-signing","github-action","gitops"],"created_at":"2024-11-11T18:13:42.574Z","updated_at":"2025-07-17T07:36:04.863Z","avatar_url":"https://github.com/clowdhaus.png","language":"TypeScript","funding_links":["https://github.com/sponsors/bryantbiggs"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\".github/aws-lambda-code-signing.png\" alt=\"AWS Lambda Code Signing\" width=\"50%\"\u003e\n\u003c/p\u003e\n\u003ch1 style=\"font-size: 56px; margin: 0; padding: 0;\" align=\"center\"\u003e\n  aws-lambda-code-signing-action\n\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://badgen.net/badge/TypeScript/strict%20%F0%9F%92%AA/blue\" alt=\"Strict TypeScript\"\u003e\n  \u003ca 
href=\"http://commitizen.github.io/cz-cli/\" alt=\"commitizen cli\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/commitizen-friendly-brightgreen.svg\" alt=\"Commitizen friendly\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://snyk.io/test/github/clowdhaus/aws-lambda-code-signing-action\"\u003e\n    \u003cimg src=\"https://snyk.io/test/github/clowdhaus/aws-lambda-code-signing-action/badge.svg\" alt=\"Known Vulnerabilities\" data-canonical-src=\"https://snyk.io/test/github/clowdhaus/aws-lambda-code-signing-action\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/clowdhaus/aws-lambda-code-signing-action/actions?query=workflow%3Aintegration\"\u003e\n    \u003cimg src=\"https://github.com/clowdhaus/aws-lambda-code-signing-action/workflows/integration/badge.svg\" alt=\"integration test\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\nGitHub action which uses AWS Code Signer to sign ✍🏼 AWS Lambda artifacts 📦\n\n| Functionality                                                                 | Status |\n| ----------------------------------------------------------------------------- | :----: |\n| Create AWS Signer signing request for existing object in source AWS S3 bucket |   ✅   |\n| Wait for signing job to complete                                              |   ✅   |\n| Rename signed object to original/friendly name under destination prefix       |   ✅   |\n| Copy tags from original object to signed object                               |        |\n| Upload local artifact from CI pipeline to AWS S3 source bucket                |        |\n| Generate zip archive for upload to AWS S3 source bucket                       |        |\n\n## Usage\n\nSee the [AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html) for more details related to code signing AWS Lambda artifacts.\n\nℹ️ The artifact must already exist in AWS S3 in order for the action to initiate a signing 
job request; the action does not handle uploading a local artifact to AWS S3 (at this time) before initiating a signing job request.\n\n### Sign\n\nThe following is an example of creating a signing job and retrieving the resulting `jobId`.\n\n```yml\njobs:\n  deploy:\n    name: Upload to Amazon S3\n    runs-on: ubuntu-latest\n    steps:\n      - name: Sign AWS Lambda artifact\n        uses: clowdhaus/aws-lambda-code-signing-action/@main\n        id: signed\n        with:\n          aws-region: us-east-1\n          source-s3-bucket: source-s3-bucket-us-east-1\n          source-s3-key: unsigned/dist.zip\n          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK\n          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket\n          destination-s3-prefix: signed/\n          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321\n\n      - name: Outputs\n        run: |\n          echo \"${{ steps.signed.outputs.job-id }}\"\n          echo \"${{ steps.signed.outputs.signed-object-key }}\"\n```\n\n### Sign \u0026 Wait\n\n```yml\njobs:\n  deploy:\n    name: Upload to Amazon S3\n    runs-on: ubuntu-latest\n    steps:\n      - name: Sign AWS Lambda artifact\n        uses: clowdhaus/aws-lambda-code-signing-action/@main\n        with:\n          aws-region: us-east-1\n          source-s3-bucket: source-s3-bucket-us-east-1\n          source-s3-key: unsigned/dist.zip\n          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK\n          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket\n          destination-s3-prefix: signed/\n          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321\n          wait-until-successful: true\n          max-wait-time: 60\n```\n\n### Sign \u0026 Rename\n\nThe following configuration will create a signing job, wait for the job to finish, and then rename the signed object from the AWS Signer output of 
`\u003cjob-id\u003e.\u003csource-file-extension\u003e` to `\u003cdestination-s3-prefix\u003e/\u003csource-file-name-and-extension\u003e`. Given the configuration below, there would be two signed artifacts created:\n\n1. `\u003cjob-id\u003e.zip` created by the AWS Signer job\n2. `signed/dist.zip` created by the action (using `rename-signed-object: true`)\n\nBecause the job must complete successfully before the signed object can be renamed, `wait-until-successful` is not required, but it will be treated as though it is `true`. Therefore, you can also set the amount of wait time when renaming to give the job more time if necessary.\n\n```yml\njobs:\n  deploy:\n    name: Upload to Amazon S3\n    runs-on: ubuntu-latest\n    steps:\n      - name: Sign AWS Lambda artifact \u0026 rename signed artifact\n        uses: clowdhaus/aws-lambda-code-signing-action/@main\n        id: signed\n        with:\n          aws-region: us-east-1\n          source-s3-bucket: source-s3-bucket-us-east-1\n          source-s3-key: unsigned/dist.zip\n          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK\n          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket\n          destination-s3-prefix: signed/\n          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321\n          max-wait-time: 60\n          rename-signed-object: true\n\n      - name: Outputs\n        run: |\n          echo \"${{ steps.signed.outputs.job-id }}\"\n          echo \"${{ steps.signed.outputs.renamed-signed-object-key }}\"\n```\n\n## AWS Signing Resources\n\nSee the [`__infra__`](__infra__) directory for examples of the resource definitions necessary for signing.\n\n## Getting Started\n\nThe following instructions will help you get set up for development and testing purposes.\n\n### Prerequisites\n\n#### [yarn](https://github.com/yarnpkg/yarn)\n\n`yarn` is used to handle dependencies and execute scripts on the codebase.\n\nSee 
[here](https://yarnpkg.com/en/docs/install#debian-stable) for instructions on installing yarn on your local machine.\n\nOnce you have installed `yarn`, you can install the project dependencies by running the following command from within the project root directory:\n\n```bash\n  $ yarn\n```\n\n## Contributing\n\nPlease read [CODE_OF_CONDUCT.md](.github/CODE_OF_CONDUCT.md) for details on our code of conduct and the process for submitting pull requests.\n\n## Changelog\n\nPlease see the [CHANGELOG.md](CHANGELOG.md) for details on individual releases.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclowdhaus%2Faws-lambda-code-signing-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fclowdhaus%2Faws-lambda-code-signing-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclowdhaus%2Faws-lambda-code-signing-action/lists"}