A GitHub Action that installs the Astrid CLI
(astrid, astrid-daemon, astrid-build, astrid-emit) onto a CI runner and puts it on
PATH — so a later step can run astrid capsule check, build a capsule, or anything else,
in one line.
It is verified by default: the released SHA256SUMS.txt is checked against the release's
keyless sigstore signature (provenance, bound to the Astrid
release workflow's identity), and the downloaded archive is checked against those sums
(integrity). Nothing runs until both pass.
- uses: astrid-runtime/setup-astrid@v2
- run: astrid capsule checkPin a version and run a full capsule build:
- uses: astrid-runtime/setup-astrid@v2
with:
version: "0.9.2"
- run: astrid buildA minimal capsule-CI job:
name: capsule-ci
on: [push, pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: astrid-runtime/setup-astrid@v2
- run: astrid capsule check # non-zero exit fails the job| Input | Default | Description |
|---|---|---|
version |
latest |
Astrid version to install (e.g. 0.9.2), or latest. |
repository |
astrid-runtime/astrid |
Owner/repo to install the release from (override for a fork, mirror, or historical Astrid release). |
verify |
sigstore |
sigstore (cosign provenance + integrity), checksum (SHA256 integrity only, no extra tooling), or none (not recommended). |
certificate-identity |
(derived) | Advanced: override the expected cosign certificate identity. Defaults to the release.yml workflow of repository at the version tag. |
github-token |
${{ github.token }} |
Token for the release lookup and asset downloads. |
Historical Astrid releases published before the organization transfer retain the
unicity-astrid/astrid Sigstore workflow identity. The default Astrid Runtime
repository automatically retries that historical identity when needed. Forks and an
explicit certificate-identity override still require an exact identity match.
v1 remains pinned to the original action implementation and continues to work
through GitHub's repository redirects. v2 uses the canonical
astrid-runtime/astrid release repository and can verify both the current
Sigstore workflow identity and the historical unicity-astrid/astrid identity.
See RELEASING.md for the signed-tag release procedure.
| Output | Description |
|---|---|
version |
The resolved Astrid version that was installed. |
bindir |
The directory added to PATH containing the Astrid binaries. |
sigstore(default) — installs cosign and runscosign verify-blobagainstSHA256SUMS.txt.sigstore.json, requiring the signature's certificate identity to match the Astridrelease.ymlworkflow at the version tag and the issuer to be GitHub's OIDC provider. The archive is then checked against the now-trusted checksums. This is authenticity + integrity: a tampered checksums file or a substituted archive both fail.checksum— SHA256 of the archive againstSHA256SUMS.txtonly. No extra tooling (usessha256sum/shasum, present on every runner). Integrity (catches a corrupted or on-the-wire-altered download) but not authenticity, so prefersigstorewhere you can.none— no verification. Emits a warning; not recommended.
macOS and Linux runners, x86_64 and aarch64 (Astrid ships those four release targets).
Windows is not supported and fails with a clear error.
Licensed under either of Apache License, Version 2.0 or MIT license at your option.