{"id":27147439,"url":"https://github.com/signpath/github-actions-demo","last_synced_at":"2025-04-08T11:26:11.125Z","repository":{"id":207557379,"uuid":"719503381","full_name":"SignPath/github-actions-demo","owner":"SignPath","description":"Demo Project for showcasing SignPath's Github Actions integration","archived":false,"fork":false,"pushed_at":"2024-08-20T06:26:08.000Z","size":182,"stargazers_count":2,"open_issues_count":2,"forks_count":4,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-08-20T08:33:45.031Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SignPath.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-16T10:02:23.000Z","updated_at":"2024-08-20T08:33:54.853Z","dependencies_parsed_at":"2024-05-07T14:28:20.794Z","dependency_job_id":"76fcc82b-4662-453e-80cc-3a4dc86749e2","html_url":"https://github.com/SignPath/github-actions-demo","commit_stats":null,"previous_names":["signpath/github-actions-demo"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SignPath%2Fgithub-actions-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SignPath%2Fgithub-actions-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SignPath%2Fgithub-actions-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SignPath%2Fgithub-actions-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SignPath","download_url":"https://codeload.github.com/SignPath/github-actions-demo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247831944,"owners_count":21003490,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-08T11:26:10.458Z","updated_at":"2025-04-08T11:26:11.111Z","avatar_url":"https://github.com/SignPath.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Using SignPath with GitHub Actions\n\nThis project demonstrates signing artifacts using [SignPath](https://about.signpath.io) from GitHub Actions workflows.\n\nSigning is invoked in the `sign` step of [.github/workflows/build-and-sign.yml](.github/workflows/build-and-sign.yml). \n\nSee [github.com/SignPath/github-actions](https://github.com/SignPath/github-actions) for a full documentation of SignPath actions.\n\n## Policy demonstrations\n\nThis project demonstrates the following attempts to violate SignPath policies and how they are averted on the control plane:\n\n* This step selects the appropriate [signing policy] depending on the branch name. The actual branch must match the branch condition of the selected signing policy. The [`attempt-signing-release`] branch demonstrates how SignPath will detect incorrect attempts.\n* The [`release/malicious-dll`] branch demonstrates how SignPath will detect content-level violations of the [artifact configuration].\n\n## Configuration\n\nTo use this demo with your own SignPath subscription, you need to get access to SignPath's GitHub Actions preview. Please contact support@signpath.io.\n\n* Fork this repository\n  * Uncheck _Copy the main branch only_\n* In your SignPath organization, create a project with \n  * Slug: `Demo_Application` \n  * Repository URLs: Your forked GitHub repository, e.g. `https://github.com/my/github-actions-demo`\n  * Trusted Build Systems: Link _GitHub.com_\n  * Add the following artifact configuration as default: [.signpath/artifact-configurations/default.xml](.signpath/artifact-configurations/default.xml)\n  * Add a `test-signing` signing policy\n  * Add a `release-signing` signing policy with origin verification enabled and restricted to `main` and `release/*` branches\n* Create an [API token] in SignPath and add it as a GitHub Actions secret `SIGNPATH_API_TOKEN` (make sure the user is a submitter in your signing policies)\n* Add your SignPath _Organization ID_ as a GitHub Actions variable `SIGNPATH_ORGANIZATION_ID` (click your organization's name at the upper right corner)\n* Enable Actions for your GitHub repository\n\n\n[signing policy]: https://about.signpath.io/documentation/projects#signing-policies\n[artifact configuration]: https://about.signpath.io/documentation/projects#artifact-configurations\n[`attempt-signing-release`]: https://github.com/SignPath/github-actions-demo/blob/feature/attempt-signing-release/.github/workflows/build-and-sign.yml#L46\n[`release/malicious-dll`]: https://github.com/SignPath/github-actions-demo/blob/release/malicious-dll/src/Build.ps1#L4\n\n[API token]: https://about.signpath.io/documentation/users#interactive-api-token\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsignpath%2Fgithub-actions-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsignpath%2Fgithub-actions-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsignpath%2Fgithub-actions-demo/lists"}