digicert/ssm-code-signing

It's unclear how to use this GitHub Action

Opened this issue · 2 comments

Neither the ReadMe content nor the provided help link shows an example of how to use this action.

What are the inputs? What does it do?

The examples provided in the link do not utilize digicert/ssm-code-signing at all!

To any others that find this, I ended up finding the yaml for a 3rd party action that utilizes this action, and that served well as a primer for this. If you're so inclined, you could just use the 3rd party action as is, but I prefer not to let 3rd party actions handle potentially sensitive data.

https://github.com/cognitedata/code-sign-action/blob/main/action.yaml

Here's the meat:

```yaml
- name: Configure Digicert Secure Software Manager
  uses: digicert/ssm-code-signing@v0.0.2
  env:
    SM_API_KEY: ${{ env.SM_API_KEY }}
    SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }}
    SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
```

This sets up the dependencies and command line utilities you need. You still need to securely provide the cert file and actually sign the file(s) you need.

To the DigiCert devs:
Just that snippet with a description of the required "env" setup and a description of what part of the cert process this actually does would go a long way to improving this action.
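A complete workflow built around that snippet, as an added example (not code from the issue, from the cognitedata action, or from DigiCert): the client certificate is stored as a base64 repository secret, written to the runner's temp directory only for the duration of the job, and deleted afterwards even if signing fails; the signing step runs after the action has installed the tooling. The secret names, `SM_HOST`, the keypair alias, the artifact path and the `smctl` invocations are assumptions to be checked against DigiCert's documentation.

```yaml
name: sign-release
on:
  push:
    tags: ['v*']
permissions:
  contents: read          # the job only needs to read the repo
jobs:
  sign:
    runs-on: windows-latest
    env:
      # Job-level env is visible to the action step below as well.
      SM_HOST: ${{ secrets.SM_HOST }}                      # assumed variable name
      SM_API_KEY: ${{ secrets.SM_API_KEY }}
      SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
      # Path the action/smctl will read; lives in the per-job temp dir.
      SM_CLIENT_CERT_FILE: ${{ runner.temp }}/client.p12
    steps:
      - uses: actions/checkout@v4

      - name: Materialize client certificate from a base64 secret
        shell: bash
        env:
          SM_CLIENT_CERT_B64: ${{ secrets.SM_CLIENT_CERT_B64 }}   # assumed secret name
        run: |
          # Decode into the temp dir; never into the checked-out tree.
          printf '%s' "$SM_CLIENT_CERT_B64" | base64 -d > "$SM_CLIENT_CERT_FILE"
          chmod 600 "$SM_CLIENT_CERT_FILE"

      # Installs smctl and related tooling; reads the SM_* env above.
      - name: Configure DigiCert Secure Software Manager
        uses: digicert/ssm-code-signing@v0.0.2

      - name: Sign artifact
        shell: bash
        env:
          KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }}          # assumed secret name
        run: |
          # smctl command names and flags are assumptions; verify in DigiCert docs.
          smctl healthcheck
          smctl sign --keypair-alias "$KEYPAIR_ALIAS" --input dist/app.exe

      - name: Remove client certificate
        if: always()            # clean up even when an earlier step failed
        shell: bash
        run: rm -f "$SM_CLIENT_CERT_FILE"
```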

cderv commented

Thanks for sharing this example. That is helpful.

The doc could also be clearer on this: https://docs.digicert.com/de/software-trust-manager/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html

From this doc, it seemed that the action can be used once. Possibly because it leverages the tool cache, which is kept between runs on a self-hosted runner. This could also be more clearly documented.