{"id":31805244,"url":"https://github.com/openchami/github-actions","last_synced_at":"2026-03-01T07:31:39.078Z","repository":{"id":309547160,"uuid":"1036085046","full_name":"OpenCHAMI/github-actions","owner":"OpenCHAMI","description":"Organization Level Github Actions","archived":false,"fork":false,"pushed_at":"2025-08-21T20:42:44.000Z","size":28,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-21T21:58:53.987Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenCHAMI.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-11T14:33:50.000Z","updated_at":"2025-08-21T20:40:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"2db3aae8-4718-4d9e-b341-3c8e4909decb","html_url":"https://github.com/OpenCHAMI/github-actions","commit_stats":null,"previous_names":["openchami/github-actions"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/OpenCHAMI/github-actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenCHAMI%2Fgithub-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenCHAMI%2Fgithub-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenCHAMI%2Fgithub-actions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenCHAMI%2Fgithub-actions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OpenCHAMI","download_url":"https://codeload.github.com/OpenCHAMI/github-actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenCHAMI%2Fgithub-actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279005958,"owners_count":26084004,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-11T02:47:31.846Z","updated_at":"2025-10-11T02:47:39.522Z","avatar_url":"https://github.com/OpenCHAMI.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitHub Actions Monorepo for `OpenCHAMI`\n\nReusable GitHub Actions for CI/CD.\n\n## Structure\n\n- `actions/gpg-ephemeral-key`: Ephemeral key generation for RPM/GPG signing\n- `actions/sign-rpm`: RPM signing with ephemeral keys\n- `.github/workflows/go-build-release.yml`: Reusable workflow for GoReleaser builds\n\n## Versioning \u0026 Usage\n\nUse major version tags for stability:\n\n```yaml\n# For actions\n- uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1\n- uses: OpenCHAMI/github-actions/actions/sign-rpm@v1\n\n# For reusable workflows\njobs:\n  release:\n    uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3\n```\n\nPin a commit SHA internally for maximum supply‑chain safety if desired.\n\n## Actions and Workflows Overview\n\n### go-build-release (Reusable Workflow)\nStandardized GoReleaser workflow for building and releasing Go applications with:\n- Multi-architecture builds (linux/amd64, linux/arm64)\n- Flexible pre-build setup steps\n- Wraps `goreleaser-action` action with all .gorelease.yaml configurations\n- Container image builds and publishing\n- Binary and container attestation/signing\n- Snapshot builds on pull requests\n\n**Usage:**\n```yaml\nname: GoReleaser\nrun-name: GoReleaser ${{ startsWith(github.ref, 'refs/tags/v') \u0026\u0026 'Release' || 'Snapshot' }}\n\non:\n  workflow_dispatch:\n  pull_request:\n  push:\n    tags:\n      - v*\n\njobs:\n  goreleaser:\n    name: GoReleaser ${{ startsWith(github.ref, 'refs/tags/v') \u0026\u0026 'Release' || 'Snapshot' }}\n    uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3\n    with:\n      pre-build-commands: |\n        go install github.com/swaggo/swag/cmd/swag@latest\n      attestation-binary-path: \"dist/cloud-init*\"\n      registry-name: ghcr.io/openchami/cloud-init\n\n```\n\nSee the [workflow](.github/workflows/go-build-release.yml) for additional input parameters.\n\n### gpg-ephemeral-key\nGenerates a short‑lived RSA key (default 3072‑bit, 1 day) using an isolated `GNUPGHOME`, signs it with a repo‑scoped subkey you provide, and outputs:\n- `ephemeral-fingerprint`\n- `ephemeral-public-key` (base64 of armored)\n- `gnupg-home` (path for downstream steps)\n\n### sign-rpm\nSigns an RPM using a provided GPG fingerprint (works with the ephemeral key output) and exposes signature verification output.\n\n## Security Model\n\nTrust chain: `Ephemeral Key ← Repo Subkey ← Offline Master Key`.\n\nDesign principles:\n- Ephemeral keys reduce exposure window.\n- Repo subkeys are easily revocable \u0026 rotated.\n- Isolated `GNUPGHOME` avoids polluting runner defaults.\n- Optional cleanup to remove secrets post‑sign.\n\nKey expiration limits future signing only; existing signatures remain valid if the trust chain remains intact.\n\n## Example Workflow (Combined)\n\n```yaml\njobs:\n  build-and-sign:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Generate ephemeral key\n        id: gpg\n        uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1\n        with:\n          subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}\n          comment: build:${{ github.run_id }}\n          cleanup: false # keep for subsequent signing\n      - name: Build RPM\n        run: ./scripts/build-rpm.sh\n      - name: Sign RPM\n        id: sign\n        uses: OpenCHAMI/github-actions/actions/sign-rpm@v1\n        with:\n          rpm-path: dist/my.rpm\n          gpg-fingerprint: ${{ steps.gpg.outputs.ephemeral-fingerprint }}\n          gnupg-home: ${{ steps.gpg.outputs.gnupg-home }}\n      - name: (Optional) Cleanup GNUPGHOME\n        if: always()\n        run: rm -rf \"${{ steps.gpg.outputs.gnupg-home }}\"\n```\n\n## Continuous Integration\n\nA future CI workflow will:\n- Lint action metadata (actionlint)\n- Perform a matrix test invoking each action\n- Validate RPM signing round‑trip\n\n## Rotation \u0026 Revocation\n\n1. Revoke and replace repo subkeys periodically.\n2. Update `GPG_SUBKEY_B64` secret.\n3. Tag a new release if behavior changes.\n\n## Contributing\n\n- Open issues for feature requests.\n- Submit PRs with accompanying test workflow updates.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenchami%2Fgithub-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenchami%2Fgithub-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenchami%2Fgithub-actions/lists"}