pentest-github-action/.github/workflows/sign.yml at main · SignPath/pentest-github-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: Sign

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Download dummy executable for signing
        run: curl -o random.dll -L https://github.com/carterjones/hello-world-dll/releases/download/v1.0.0/hello-world-x64.dll

      - name: Upload unsigned artifact
        id: upload-unsigned-artifact
        uses: actions/upload-artifact@v7
        with:
          name: 'unsigned'
          if-no-files-found: error
          path: random.dll
          archive: false

      - name: Submit Signing Request
        uses: signpath/github-action-submit-signing-request@v2
        with:
          connector-url: 'https://githubactions.connectors.fqa.test.signpath.io:15021'
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: '4a9057ed-a32e-4d6b-a5ef-cbb4e0fc4b86'
          project-slug: 'Sample_Executable_Project'
          signing-policy-slug:  'release-signing'
          github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
          skip-decompress: true
          wait-for-completion: true
          output-artifact-directory: signed

      - name: test
        # due to a bug in GitHub, the filename needs to be unique across all uploads
        # see https://github.com/actions/upload-artifact/issues/769
        run: mv signed/random.dll signed/random-signed.dll

      - name: Upload signed artifact
        uses: actions/upload-artifact@v7
        with:
          name: 'signed'
          if-no-files-found: error
          path: signed/random-signed.dll
          archive: false