Skip to content

Merge pull request #526 from always-further/runtime-session-push #4

Merge pull request #526 from always-further/runtime-session-push

Merge pull request #526 from always-further/runtime-session-push #4

# Sign instruction files with the official nono-attest GitHub Action.
#
# Produces Sigstore bundles containing DSSE envelopes with in-toto
# statements that nono's trust pipeline can verify. Uses GitHub Actions
# OIDC for identity; Fulcio issues a short-lived certificate carrying
# the repository, workflow, and ref claims.
#
# Consumer-side verification: nono's pre-exec trust scan validates bundles
# against the user's local trust-policy.json (keyed, signed by the user).
name: Sign instruction files
on:
push:
branches: [main]
paths:
- "SKILLS*"
- "CLAUDE*"
- "AGENT*"
- ".claude/**/*.md"
workflow_dispatch:
permissions:
id-token: write # Sigstore keyless OIDC token
contents: write # Commit generated bundle files
jobs:
sign:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: always-further/agent-sign@8d70fb7bdcdfb921a1613d0701ca44c7d6c34e6f # v0.0.8