diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index 24588b2..8bdd6fa 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -6,8 +6,6 @@ run-name: Demo workflow signing with SignPath on: push: pull_request: - #schedule: - # - cron: '30 3 * * *' # every day at 3:30am UTC workflow_dispatch: # Allows you to run this workflow manually from the Actions tab jobs: @@ -27,6 +25,7 @@ jobs: run: ./sbom/Create-SBOM.ps1 - name: upload-unsigned-artifact + id: upload-unsigned-artifact uses: actions/upload-artifact@v4 with: name: "demo-application" @@ -36,17 +35,23 @@ jobs: .\_BuildResult-unsigned\bom.xml - name: sign - uses: signpath/github-action-submit-signing-request@v0.3 + uses: signpath/github-action-submit-signing-request@v0.4 env: - SIGNPATH_SIGNING_POLICY_SLUG: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'release-signing' || 'test-signing' }} + # select release-signing policy for main and release branches + SIGNPATH_SIGNING_POLICY_SLUG: | + ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) + && 'release-signing' + || 'test-signing' }} with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' project-slug: 'Demo_Application' - signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}' - github-artifact-name: "demo-application" + # maliciously try to get a release signature from a feature branch + signing-policy-slug: 'release-signing' + github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}" wait-for-completion: true output-artifact-directory: 'demo-application-signed' + github-extended-verification-token: '${{ secrets.EXTENDED_VERIFICATION_TOKEN }}' - name: upload-signed-artifact uses: actions/upload-artifact@v4