1
0
Fork 0
mirror of https://github.com/imjasonh/esp32 synced 2026-07-12 18:18:30 +00:00
esp32/.github/workflows
Jason Hall 6cc6f38ce0 Auto-publish from GHA on push to main; sign by immutable digest
GitHub Actions workflow at .github/workflows/publish.yml builds the
firmware on every push to main, pushes it to ghcr.io/imjasonh/esp32,
and cosign-signs it keylessly using the workflow's ambient OIDC token.
Required repo secrets: WIFI_SSID, WIFI_PASS (the GITHUB_TOKEN is
injected automatically).

Trust changes:
- src/trust.rs adds the GHA workflow identity to TRUSTED_IDENTITIES,
  alongside the existing email entry. The SAN URI pins the exact
  workflow file at refs/heads/main; a malicious commit that adds a
  different workflow won't match.
- src/sig.rs's SAN extractor now also handles GeneralName::Uniform-
  ResourceIdentifier (workflow URIs), not just Rfc822Name (emails).

Sign-by-digest:
- tools/publisher prints `digest: sha256:...` on stdout (tracing logs
  redirected to stderr) so downstream tooling can target the immutable
  manifest digest.
- Makefile captures that digest and runs `cosign sign ... $REPO@DIGEST`
  instead of `:latest`, eliminating the tag-race window between push
  and sign.

Bootstrap: the device's currently-running firmware doesn't know the
GHA identity yet, so the first GHA-signed publish will be rejected.
A manual `make publish` after this lands rolls out the new
TRUSTED_IDENTITIES, after which GHA-signed updates verify cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 13:58:44 -04:00
..
publish.yml Auto-publish from GHA on push to main; sign by immutable digest 2026-05-02 13:58:44 -04:00