{"id":18822003,"url":"https://github.com/notaryproject/notation-action","last_synced_at":"2025-09-26T14:46:15.900Z","repository":{"id":182502881,"uuid":"663149290","full_name":"notaryproject/notation-action","owner":"notaryproject","description":"GitHub Actions for signing and verifying artifacts with Notation","archived":false,"fork":false,"pushed_at":"2025-06-04T03:25:38.000Z","size":10800,"stargazers_count":20,"open_issues_count":6,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-04T10:21:49.956Z","etag":null,"topics":["cicd","container","notation","sign","signing","supply-chain-security","verify"],"latest_commit_sha":null,"homepage":"https://notaryproject.dev/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/notaryproject.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-07-06T16:58:13.000Z","updated_at":"2025-06-04T03:25:40.000Z","dependencies_parsed_at":"2024-04-08T21:29:36.054Z","dependency_job_id":"b70e54d2-52e8-4642-bac5-321c331b51e6","html_url":"https://github.com/notaryproject/notation-action","commit_stats":null,"previous_names":["notaryproject/notation-action"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/notaryproject/notation-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/notaryproject%2Fnotation-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/notaryproject%2Fnotation-action/tags","releases_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/notaryproject%2Fnotation-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/notaryproject%2Fnotation-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/notaryproject","download_url":"https://codeload.github.com/notaryproject/notation-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/notaryproject%2Fnotation-action/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259509291,"owners_count":22868830,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","container","notation","sign","signing","supply-chain-security","verify"],"created_at":"2024-11-08T00:47:02.379Z","updated_at":"2025-09-26T14:46:10.852Z","avatar_url":"https://github.com/notaryproject.png","language":"TypeScript","readme":"# GitHub Actions for Notation\n\nThis repository contains the implementation of [GitHub Actions](https://docs.github.com/en/actions) for [Notation](https://github.com/notaryproject/notation). It provides actions for signing and verifying OCI artifacts with Notation in CI/CD.\n\nThe following three actions are available:\n\n- `setup`: Install Notation\n- `sign`: Sign OCI artifacts with a specified Notation plugin\n- `verify`: Verify signatures with Notation trust store and trust policy\n\n\u003e [!NOTE]\n\u003e The Notary Project documentation is available [here](https://notaryproject.dev/docs/). 
You can also find the Notary Project [README](https://github.com/notaryproject/.github/blob/main/README.md) to learn about the overall Notary Project.\n\n## Usage\n\nSigning an image relies on a Notation plugin, such as the [AWS Signer plugin for Notation](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html), the [Azure Key Vault plugin for Notation](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push) or the [HashiCorp Vault plugin](https://github.com/notaryproject/notation-hashicorp-vault/pulls).\n\nCurrently, the [Azure Key Vault plugin for Notation](https://github.com/Azure/notation-azure-kv) is the plugin that has been tested with these Notation GitHub Actions by the sub-project maintainers. See this [doc](https://github.com/notation-playground/notation-integration-with-ACR-and-AKV/blob/main/sign-action.md) for hands-on steps if you want to use Notation with the AKV plugin. You can submit test cases and examples for other plugins here.\n\n### Notation Setup\n\n```yaml\n- name: setup Notation CLI\n  uses: notaryproject/notation-action/setup@v1\n  with:\n    version: \u003cversion_of_official_Notation_CLI_release\u003e\n    url: \u003curl_of_customized_Notation_CLI\u003e\n    checksum: \u003cSHA256_of_the_customized_Notation_CLI\u003e\n```\n\n\u003cdetails\u003e\n\n\u003csummary\u003eSee an example (Click here).\u003c/summary\u003e\n\n```yaml\n- name: setup Notation CLI\n  uses: notaryproject/notation-action/setup@v1\n  with:\n    version: \"1.3.2\"\n```\n\n\u003c/details\u003e\n\n### Notation Sign\n\n```yaml\n- name: sign released artifact with signing plugin\n  uses: notaryproject/notation-action/sign@v1\n  with:\n    plugin_name: \u003cnotation_signing_plugin_name\u003e\n    plugin_url: \u003cplugin_download_url\u003e\n    plugin_checksum: \u003cSHA256_of_the_signing_plugin\u003e\n    key_id: \u003ckey_identifier_to_sign\u003e\n    target_artifact_reference: \u003clist_of_target_artifact_references_in_remote_registry\u003e\n    
signature_format: \u003csignature_envelope_format\u003e\n    plugin_config: \u003clist_of_plugin_defined_configs\u003e\n    force_referrers_tag: \u003cboolean_flag_for_referrers_tag_schema\u003e\n    timestamp_url: \u003curl_of_RFC_3161_Timestamp_Authority_server\u003e\n    timestamp_root_cert: \u003cfilepath_of_RFC_3161_Timestamp_Authority_root_certificate\u003e\n```\n\n\u003cdetails\u003e\n\n\u003csummary\u003eSee an example (Click here).\u003c/summary\u003e\n\n```yaml\n- name: sign released artifact with notation-azure-kv plugin and timestamping\n  uses: notaryproject/notation-action/sign@v1\n  with:\n    plugin_name: azure-kv\n    plugin_url: https://github.com/Azure/notation-azure-kv/releases/download/v1.2.0/notation-azure-kv_1.2.0_linux_amd64.tar.gz\n    plugin_checksum: 06bb5198af31ce11b08c4557ae4c2cbfb09878dfa6b637b7407ebc2d57b87b34\n    key_id: https://testnotationakv.vault.azure.net/keys/notationLeafCert/c585b8ad8fc542b28e41e555d9b3a1fd\n    target_artifact_reference: |-\n      myregistry.azurecr.io/myrepo@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\n      myotherregistry.azurecr.io/myotherrepo@sha256:aaad27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcaaa\n    signature_format: cose\n    plugin_config: |-\n      ca_certs=.github/cert-bundle/cert-bundle.crt\n      self_signed=false\n    timestamp_url: http://my.trusted.timestamp.authority.wabbit-networks.io\n    timestamp_root_cert: .github/cert-bundle/tsa-root.crt\n```\n\nExample of using the [Referrers API](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers) in signing:\n\n```yaml\n- name: sign released artifact with notation-azure-kv plugin\n  uses: notaryproject/notation-action/sign@v1\n  with:\n    force_referrers_tag: 'false' # try the Referrers API first; fall back to the referrers tag schema if the registry does not support it\n    plugin_name: azure-kv\n    plugin_url: https://github.com/Azure/notation-azure-kv/releases/download/v1.2.0/notation-azure-kv_1.2.0_linux_amd64.tar.gz\n    
plugin_checksum: 06bb5198af31ce11b08c4557ae4c2cbfb09878dfa6b637b7407ebc2d57b87b34\n    key_id: https://testnotationakv.vault.azure.net/keys/notationLeafCert/c585b8ad8fc542b28e41e555d9b3a1fd\n    target_artifact_reference: |-\n      myregistry.azurecr.io/myrepo@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\n      myotherregistry.azurecr.io/myotherrepo@sha256:aaad27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcaaa\n    signature_format: cose\n    plugin_config: |-\n      ca_certs=.github/cert-bundle/cert-bundle.crt\n      self_signed=false\n```\n\n\u003c/details\u003e\n\n### Notation Verify\n\n```yaml\n- name: verify released artifact\n  uses: notaryproject/notation-action/verify@v1\n  with:\n    target_artifact_reference: \u003clist_of_target_artifact_references_in_remote_registry\u003e\n    trust_policy: \u003cfile_path_to_user_defined_trustpolicy.json\u003e\n    trust_store: \u003cdir_to_user_trust_store\u003e\n```\n\n\u003e [!NOTE]\n\u003e For Notation CLI v1.2.0 or later, `verify` always tries the [Referrers API](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers) first and automatically falls back to the [Referrers tag schema](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#referrers-tag-schema) if the registry does not support the Referrers API.\n\n\u003cdetails\u003e\n\n\u003csummary\u003eSee an example (Click here).\u003c/summary\u003e\n\n```yaml\n- name: verify released artifact\n  uses: notaryproject/notation-action/verify@v1\n  with:\n    target_artifact_reference: |-\n      myregistry.azurecr.io/myrepo@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\n      myotherregistry.azurecr.io/myotherrepo@sha256:aaad27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcaaa\n    trust_policy: .github/trustpolicy/trustpolicy.json\n    trust_store: .github/truststore\n```\n\n\u003e [!NOTE]\n\u003e - `.github/trustpolicy/trustpolicy.json` MUST follow the Notation [trust 
policy specs](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/trust-store-trust-policy.md#trust-policy).\n\u003e - `.github/truststore` MUST follow the Notation [trust store specs](https://github.com/notaryproject/specifications/blob/v1.1.0/specs/trust-store-trust-policy.md#trust-store). See an example of a trust store layout below.\n\n```\n.github/truststore\n└── x509\n    ├── ca\n    │   └── \u003cmy_trust_store1\u003e\n    │       ├── \u003cmy_certificate1\u003e\n    │       └── \u003cmy_certificate2\u003e\n    ├── signingAuthority\n    │   └── \u003cmy_trust_store2\u003e\n    │       ├── \u003cmy_certificate3\u003e\n    │       └── \u003cmy_certificate4\u003e\n    └── tsa\n        └── \u003ctsa_trust_store\u003e\n            ├── \u003ctsa_certificate1\u003e\n            └── \u003ctsa_certificate2\u003e\n```\n\n\u003c/details\u003e\n\n## Authentication\n\nTo sign and verify an image stored in a private registry with the Notation GitHub Actions, you need to authenticate with both the registry and the KMS (Key Management Service) that holds the signing key. See the following authentication options for reference. 
\n\n### Registry authentication\n\n- Use the [Docker login GitHub Action](https://github.com/marketplace/actions/docker-login).\n- Use a vendor-specific login action, such as the [Amazon ECR \"Login\" Action for GitHub Actions](https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions), the [GitHub Action for Azure Login](https://github.com/marketplace/actions/azure-login) or the [Azure Container Registry Login GitHub Action](https://github.com/marketplace/actions/azure-container-registry-login).\n\n### KMS authentication\n\nIf your signing key and certificate are stored in a KMS, authenticate with that KMS in your GitHub Actions workflow before the signing step runs; the signing plugin needs that session to access the key.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnotaryproject%2Fnotation-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnotaryproject%2Fnotation-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnotaryproject%2Fnotation-action/lists"}
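The README above feeds a trust policy file and a trust store directory into the `verify` action and pins every `target_artifact_reference` to a `sha256` digest. The following Python script is an added example, not code from notation-action or the Notary Project: it checks, before a workflow runs, that a trust policy is well-formed, that every `ca:`/`signingAuthority:`/`tsa:` store it names actually holds certificates under the `x509/<type>/<name>/` layout shown in the README, and that artifact references are digest-pinned. The policy name `myrepo-images`, the `x509.subject` value, the store names `myca` and `mytsa`, and the placeholder PEM files are constructed for the example; the "no wildcard identity below audit level" and "digests only" rules are the editor's own hardening checks layered on top of the trust policy specification.

```python
"""Pre-flight checks for a Notation verify step (added example, not project code)."""
import os
import re
import tempfile

TRUST_STORE_TYPES = {"ca", "signingAuthority", "tsa"}
VERIFICATION_LEVELS = {"strict", "permissive", "audit", "skip"}
# repo@sha256:<64 hex chars>; tags can be re-pointed after signing, digests cannot
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")

# Constructed placeholder, not a real certificate, so the example runs offline.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"

# Hypothetical trust policy for the README's registry; subject and store names are assumptions.
SAMPLE_POLICY = {
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "myrepo-images",
            "registryScopes": ["myregistry.azurecr.io/myrepo"],
            "signatureVerification": {"level": "strict"},
            "trustStores": ["ca:myca", "tsa:mytsa"],
            "trustedIdentities": ["x509.subject: CN=notationLeafCert,O=wabbit-networks.io"],
        }
    ],
}


def build_sample_trust_store(root):
    """Create <root>/x509/{ca/myca,tsa/mytsa}/cert.pem with placeholder PEM files."""
    for store_type, name in (("ca", "myca"), ("tsa", "mytsa")):
        store_dir = os.path.join(root, "x509", store_type, name)
        os.makedirs(store_dir, exist_ok=True)
        with open(os.path.join(store_dir, "cert.pem"), "w") as fh:
            fh.write(PLACEHOLDER_PEM)
    return root


def _store_has_certs(trust_store_dir, store_type, name):
    """True if x509/<type>/<name>/ exists and contains at least one PEM certificate."""
    store_dir = os.path.join(trust_store_dir, "x509", store_type, name)
    if not os.path.isdir(store_dir):
        return False
    for entry in os.listdir(store_dir):
        path = os.path.join(store_dir, entry)
        if os.path.isfile(path):
            with open(path) as fh:
                if "-----BEGIN CERTIFICATE-----" in fh.read():
                    return True
    return False


def check_trust_policy(policy, trust_store_dir):
    """Return a list of problems; an empty list means the policy is usable for verify."""
    problems = []
    if policy.get("version") != "1.0":
        problems.append("version must be '1.0'")
    seen_scopes = set()
    for entry in policy.get("trustPolicies", []):
        name = entry.get("name") or "<unnamed>"
        scopes = entry.get("registryScopes") or []
        if not scopes:
            problems.append(f"{name}: registryScopes is empty")
        for scope in scopes:  # a registry scope may belong to only one policy
            if scope in seen_scopes:
                problems.append(f"{name}: registry scope {scope!r} appears in more than one policy")
            seen_scopes.add(scope)
        level = (entry.get("signatureVerification") or {}).get("level")
        if level not in VERIFICATION_LEVELS:
            problems.append(f"{name}: unknown verification level {level!r}")
            continue
        if level == "skip":
            continue  # stores and identities are not consulted when verification is skipped
        stores = entry.get("trustStores") or []
        if not stores:
            problems.append(f"{name}: trustStores is empty")
        for ref in stores:
            store_type, _, store_name = ref.partition(":")
            if store_type not in TRUST_STORE_TYPES or not store_name:
                problems.append(f"{name}: malformed trust store reference {ref!r}")
            elif not _store_has_certs(trust_store_dir, store_type, store_name):
                problems.append(f"{name}: trust store {ref!r} has no certificates under {trust_store_dir}")
        identities = entry.get("trustedIdentities") or []
        if not identities:
            problems.append(f"{name}: trustedIdentities is empty")
        # Editor's rule: '*' accepts any leaf that chains to the store; pin the subject unless only auditing.
        if "*" in identities and level != "audit":
            problems.append(f"{name}: trustedIdentities is '*' at level {level}; pin x509.subject")
    return problems


def is_digest_pinned(reference):
    """True for <repo>@sha256:<digest>, the form used throughout the README."""
    return DIGEST_REF.match(reference) is not None


def run_preflight(policy=SAMPLE_POLICY):
    """Build the sample trust store in a temp dir and check the policy against it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_trust_store(tmp)
        return check_trust_policy(policy, tmp)


if __name__ == "__main__":
    for problem in run_preflight():
        print("trust policy:", problem)
    for ref in ("myregistry.azurecr.io/myrepo@sha256:"
                "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
                "myregistry.azurecr.io/myrepo:latest"):
        print(ref, "digest-pinned" if is_digest_pinned(ref) else "NOT digest-pinned")
```

Point `check_trust_policy` at the real `.github/trustpolicy/trustpolicy.json` (loaded with `json.load`) and `.github/truststore` in a step before `verify`; it only catches layout and policy mistakes, and is no substitute for the signature verification the `verify` action itself performs.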