Skip to content

GitHub Action wrapper with Sigstore attestation and pinned-version verification #6

Description

@gkanitz

Parent

#1

What to build

The GitHub trust chain: a composite Action wrapping the CLI binary that runs in the org's CI and produces a Sigstore/OIDC artifact attestation over the report JSON. The report's verification block records how it is attested (provider, workflow identity, attestation pointer). Establish the pinned-version convention: consumers reference the published action at a tagged version, and verification instructions check workflow identity against the canonical action — a modified fork must fail this check.

A local CLI run continues to produce an honest unverified verification block; attestation exists only in CI.

Acceptance criteria

  • Running the published Action in a workflow produces report JSON + an attestation verifiable with gh attestation verify, proving repo/org of origin and the exact workflow/version that produced it
  • Report verification block identifies the attestation and the producing workflow ref
  • Verification documentation explains what passing proves and that workflow identity must match the canonical action
  • Reports produced outside CI carry an explicit unverified verification block

Parallel-work contract

This issue runs in parallel with #3, #4, #5. Territory rules (reviewer must enforce):

  • Owns: the composite Action definition and workflow YAML, attestation/verification documentation, the verification sub-struct of the report schema, and verification-block population logic as new files.
  • Go core changes are confined to verification-related files; the CLI seam for "running in CI vs locally" must be additive.
  • Must not touch: metrics package files, ActivitySet, the collaboration/cadence/coverage sub-structs, adapter fetch/enumeration files.
  • Shared files (schema root): additive-only changes.

Blocked by

Metadata

Metadata

Assignees

No one assigned

    Labels

    ready-for-agentTriage complete; ready for an agent to pick up

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions