GitHub Actions workflow at .github/workflows/publish.yml builds the
firmware on every push to main, pushes it to ghcr.io/imjasonh/esp32,
and cosign-signs it keylessly using the workflow's ambient OIDC token.
Required repo secrets: WIFI_SSID, WIFI_PASS (the GITHUB_TOKEN is
injected automatically).
Trust changes:
- src/trust.rs adds the GHA workflow identity to TRUSTED_IDENTITIES,
alongside the existing email entry. The SAN URI pins the exact
workflow file at refs/heads/main; a malicious commit that adds a
different workflow won't match.
- src/sig.rs's SAN extractor now also handles GeneralName::Uniform-
ResourceIdentifier (workflow URIs), not just Rfc822Name (emails).
Sign-by-digest:
- tools/publisher prints `digest: sha256:...` on stdout (tracing logs
redirected to stderr) so downstream tooling can target the immutable
manifest digest.
- Makefile captures that digest and runs `cosign sign ... $REPO@DIGEST`
instead of `:latest`, eliminating the tag-race window between push
and sign.
Bootstrap: the device's currently-running firmware doesn't know the
GHA identity yet, so the first GHA-signed publish will be rejected.
A manual `make publish` after this lands rolls out the new
TRUSTED_IDENTITIES, after which GHA-signed updates verify cleanly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>