# GitHub Identity Attestation
#
# PURPOSE: Prove you control a GitHub account by running a workflow.
#
# ARTIFACT: JSON containing your GitHub username, recipient address, and target faucet,
# plus a ZK proof ready for on-chain submission.
#
# TRUST MODEL:
# - The workflow runs in YOUR repo (you triggered it via workflow_dispatch,
#   so github.actor is the account that pressed "Run workflow")
# - Sigstore signs: "repo X at commit Y produced artifact Z"
# - Verifier trusts: this workflow correctly outputs github.actor. That trust
#   only holds if the verifier ALSO checks that commit Y is the pinned commit
#   and that the signing workflow is this file; the commit check inside the
#   workflow is a convenience for the user, not something a verifier can rely on.
#
# HOW TO CLAIM:
# 1. Run this workflow with your ETH address
# 2. Download the identity-proof artifact
# 3. Open issue at main repo with title "[CLAIM]" and paste claim.json
#
# NO SECRETS NEEDED - just fork and run.
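name: GitHub Identity

# Every `run:` step below reads untrusted values (workflow inputs, repository
# variables, step outputs) from `env:` instead of inline `${{ }}` expressions.
# An inline expression is pasted into the script text *before* bash parses it,
# so an input such as `0x<40 hex>"; exit 0; echo "` would have skipped the
# validation step and could have rewritten certificate.json with arbitrary
# content (including a different github_actor) while the attestation still
# said "this pinned workflow produced it".  Environment variables are plain
# data to the shell and cannot alter what the script does.
on:
  workflow_dispatch:
    inputs:
      recipient_address:
        description: 'ETH address to receive funds (0x...)'
        required: true
      faucet_address:
        description: 'Faucet contract address (Base Sepolia)'
        required: true
        default: '0x72cd70d28284dD215257f73e1C5aD8e28847215B'
      generate_proof:
        description: 'Generate ZK proof (takes ~5 min)'
        required: true
        type: boolean
        default: true

# Least privilege: the OIDC token is needed for Sigstore signing, the
# attestation store must be writable, and nothing else is touched.
permissions:
  id-token: write
  contents: read
  attestations: write

# `shell: bash` selects `bash -eo pipefail`, so a failing command inside a
# pipeline aborts the step instead of being masked by the last command.
defaults:
  run:
    shell: bash

jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by mutable
      # major-version tags.  They are part of the trust base that produces
      # certificate.json and the attestation, so pin each one to a full commit
      # SHA (keep the tag in a trailing comment) before relying on this
      # workflow for anything of value.
      - uses: actions/checkout@v4

      # Reject anything that is not a 0x-prefixed, 40-hex-digit address.
      # EIP-55 checksum casing is accepted but NOT verified: a mistyped
      # address that still matches the pattern is attested as-is, and the
      # certificate step lowercases it, so the checksum cannot be recovered
      # later.
      - name: Validate inputs
        env:
          RECIPIENT_ADDRESS: ${{ inputs.recipient_address }}
          FAUCET_ADDRESS: ${{ inputs.faucet_address }}
        run: |
          addr_re='^0x[a-fA-F0-9]{40}$'
          if ! [[ "$RECIPIENT_ADDRESS" =~ $addr_re ]]; then
            echo "Invalid recipient address format"
            exit 1
          fi
          if ! [[ "$FAUCET_ADDRESS" =~ $addr_re ]]; then
            echo "Invalid faucet address format"
            exit 1
          fi

      # User-experience guard only.  VERSIONS.json in the checked-out commit
      # names the commit the faucet accepts; a run from any other ref fails
      # early with instructions.  It is not a security control: a fork can
      # delete this step, so the verifier must independently compare the
      # commit recorded in the Sigstore certificate against the pinned value.
      - name: Check commit SHA
        env:
          CURRENT_SHA: ${{ github.sha }}
        run: |
          REQUIRED_TAG=$(python3 -c "import json; print(json.load(open('VERSIONS.json'))['requirements']['required_commit']['tag'])")
          REQUIRED_SHA=$(python3 -c "import json; print(json.load(open('VERSIONS.json'))['requirements']['required_commit']['value'])")
          if [ "${CURRENT_SHA:0:40}" != "$REQUIRED_SHA" ]; then
            echo "::error::Wrong commit. The faucet requires tag $REQUIRED_TAG (commit $REQUIRED_SHA)."
            echo "::error::You ran from commit $CURRENT_SHA."
            echo ""
            echo "Fix: gh workflow run github-identity.yml --ref $REQUIRED_TAG -f recipient_address=YOUR_ADDRESS"
            echo "Or in the GitHub UI: select '$REQUIRED_TAG' from the 'Use workflow from' dropdown."
            exit 1
          fi
          echo "✓ Commit SHA matches required tag $REQUIRED_TAG"

      # Write the attestation subject.  Both addresses passed the regex above,
      # so they are JSON-safe; github.actor / github.repository are
      # runner-supplied and cannot contain quotes.  NOTE(review): github.actor
      # is whoever triggered the run, which for a fork with collaborators need
      # not be the repository owner named in the Sigstore certificate -- confirm
      # whether the verifier cross-checks the two.
      - name: Generate identity certificate
        env:
          RECIPIENT_ADDRESS: ${{ inputs.recipient_address }}
          FAUCET_ADDRESS: ${{ inputs.faucet_address }}
          GH_ACTOR: ${{ github.actor }}
          GH_REPOSITORY: ${{ github.repository }}
          GH_SERVER_URL: ${{ github.server_url }}
          GH_RUN_ID: ${{ github.run_id }}
        run: |
          mkdir -p proof
          RECIPIENT=$(echo "$RECIPIENT_ADDRESS" | tr '[:upper:]' '[:lower:]')
          FAUCET=$(echo "$FAUCET_ADDRESS" | tr '[:upper:]' '[:lower:]')
          cat > proof/certificate.json << EOF
          {
            "type": "github-identity",
            "github_actor": "$GH_ACTOR",
            "github_repository": "$GH_REPOSITORY",
            "recipient_address": "$RECIPIENT",
            "faucet_address": "$FAUCET",
            "chain_id": 84532,
            "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "workflow_run": "$GH_SERVER_URL/$GH_REPOSITORY/actions/runs/$GH_RUN_ID"
          }
          EOF
          echo "Certificate:" && cat proof/certificate.json

      # First upload: the certificate alone, so a failed attest step still
      # leaves something to inspect.
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: identity-proof
          path: proof/

      # Sigstore-sign the certificate via GitHub OIDC and store the attestation
      # under this repository.
      - name: Attest
        id: attest
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: proof/certificate.json

      # NOTE(review): this copy and the final re-upload are both gated on
      # generate_proof, so with generate_proof=false the artifact contains no
      # bundle.json -- confirm the claim path fetches the attestation from the
      # store in that case.
      - name: Copy attestation bundle
        if: ${{ inputs.generate_proof }}
        env:
          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
        run: cp "$BUNDLE_PATH" proof/bundle.json

      # The prover image is addressed by content digest from VERSIONS.json, so
      # an alternative registry supplied via PROVER_REGISTRY can only serve the
      # identical image or fail to pull; the expected verifying-key hash is
      # handed to the prover for its own consistency check.
      - name: Generate ZK proof
        if: ${{ inputs.generate_proof }}
        env:
          # A repository variable is owner-controlled data; keep it out of the
          # script text.
          PROVER_REGISTRY: ${{ vars.PROVER_REGISTRY || 'ghcr.io/amiller/zkproof' }}
        run: |
          PROVER_DIGEST=$(python3 -c "import json; print(json.load(open('VERSIONS.json'))['reference']['prover_digest']['value'])")
          EXPECTED_VK_HASH=$(python3 -c "import json; print(json.load(open('VERSIONS.json'))['requirements']['vk_hash']['value'])")
          echo "Using prover: ${PROVER_REGISTRY}@${PROVER_DIGEST}"
          docker run --rm -e EXPECTED_VK_HASH="${EXPECTED_VK_HASH}" \
            -v "${GITHUB_WORKSPACE}/proof:/work" \
            "${PROVER_REGISTRY}@${PROVER_DIGEST}" generate /work/bundle.json /work

      # Replace the earlier artifact with certificate + bundle + proof.
      - name: Update artifact with proof
        if: ${{ inputs.generate_proof }}
        uses: actions/upload-artifact@v4
        with:
          name: identity-proof
          path: proof/
          overwrite: true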