Merge pull request #526 from always-further/runtime-session-push #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sign instruction files with the official nono-attest GitHub Action. | |
| # | |
| # Produces Sigstore bundles containing DSSE envelopes with in-toto | |
| # statements that nono's trust pipeline can verify. Uses GitHub Actions | |
| # OIDC for identity; Fulcio issues a short-lived certificate carrying | |
| # the repository, workflow, and ref claims. | |
| # | |
| # Consumer-side verification: nono's pre-exec trust scan validates bundles | |
| # against the user's local trust-policy.json (keyed, signed by the user). | |
| name: Sign instruction files | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - "SKILLS*" | |
| - "CLAUDE*" | |
| - "AGENT*" | |
| - ".claude/**/*.md" | |
| workflow_dispatch: | |
| permissions: | |
| id-token: write # Sigstore keyless OIDC token | |
| contents: write # Commit generated bundle files | |
| jobs: | |
| sign: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: always-further/agent-sign@8d70fb7bdcdfb921a1613d0701ca44c7d6c34e6f # v0.0.8 |