mirror of
https://github.com/imjasonh/esp32
synced 2026-07-12 18:18:30 +00:00
GitHub Actions workflow at .github/workflows/publish.yml builds the firmware on every push to main, pushes it to ghcr.io/imjasonh/esp32, and cosign-signs it keylessly using the workflow's ambient OIDC token. Required repo secrets: WIFI_SSID, WIFI_PASS (the GITHUB_TOKEN is injected automatically). Trust changes: - src/trust.rs adds the GHA workflow identity to TRUSTED_IDENTITIES, alongside the existing email entry. The SAN URI pins the exact workflow file at refs/heads/main; a malicious commit that adds a different workflow won't match. - src/sig.rs's SAN extractor now also handles GeneralName::Uniform- ResourceIdentifier (workflow URIs), not just Rfc822Name (emails). Sign-by-digest: - tools/publisher prints `digest: sha256:...` on stdout (tracing logs redirected to stderr) so downstream tooling can target the immutable manifest digest. - Makefile captures that digest and runs `cosign sign ... $REPO@DIGEST` instead of `:latest`, eliminating the tag-race window between push and sign. Bootstrap: the device's currently-running firmware doesn't know the GHA identity yet, so the first GHA-signed publish will be rejected. A manual `make publish` after this lands rolls out the new TRUSTED_IDENTITIES, after which GHA-signed updates verify cleanly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| publish.yml | ||