mirror of https://github.com/hashicorp/setup-signore synced 2026-04-05 19:02:04 +00:00

No description

JavaScript 100%

Find a file

dependabot[bot] d40aa72034 Bump undici from 6.23.0 to 6.24.1 (#129 ) Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v6.23.0...v6.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>		2026-03-18 05:58:18 +05:30
.github	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
__fixtures__	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
__tests__	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
badges	Remaining deps updated and fixes made. (#99 )	2025-03-25 16:20:00 -06:00
dist	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
META.d	[IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) (#122 )	2026-01-08 13:35:04 -08:00
src	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
.copywrite.hcl	Exempt dist/** via .copywrite.hcl config	2022-12-01 13:15:14 -08:00
.env.example	Updating to match current github actions template (#98 )	2025-03-25 16:00:29 -06:00
.eslintrc.json	Updating to match current github actions template (#98 )	2025-03-25 16:00:29 -06:00
.gitattributes	Updating to match current github actions template (#98 )	2025-03-25 16:00:29 -06:00
.gitignore	Updating to match current github actions template (#98 )	2025-03-25 16:00:29 -06:00
.licensed.yml	[COMPLIANCE] Add Copyright and License Headers (#102 )	2025-03-31 10:51:47 -06:00
.markdown-lint.yml	[COMPLIANCE] Add Copyright and License Headers (#102 )	2025-03-31 10:51:47 -06:00
.node-version	Remaining deps updated and fixes made. (#99 )	2025-03-25 16:20:00 -06:00
.prettierignore	Updating to match current github actions template (#98 )	2025-03-25 16:00:29 -06:00
.prettierrc.yml	[COMPLIANCE] Add Copyright and License Headers (#102 )	2025-03-31 10:51:47 -06:00
action.yml	[IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) (#122 )	2026-01-08 13:35:04 -08:00
biome.json	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
eslint.config.mjs	[IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) (#122 )	2026-01-08 13:35:04 -08:00
jest.config.js	[IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) (#122 )	2026-01-08 13:35:04 -08:00
LICENSE	[IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) (#122 )	2026-01-08 13:35:04 -08:00
package-lock.json	Bump undici from 6.23.0 to 6.24.1 (#129 )	2026-03-18 05:58:18 +05:30
package.json	address secvuln-37766 (#124 )	2026-03-04 11:39:45 -06:00
README.md	SECS-5223: New owners: team-selfmanaged-releng (#105 )	2025-04-17 13:41:42 -06:00
rollup.config.js	[IND-4227] [COMPLIANCE] Update Copyright Headers (Batch 1 of 1) (#122 )	2026-01-08 13:35:04 -08:00

README.md

setup-signore

Download and configure the signore signing service.

Originally based off of setup-terraform.

This version of the setup-signore Action requires a GitHub personal access token to access GitHub's Releases API and has cross-platform support.

If you only need to install Signore on Linux GitHub Runners, consider using the setup-signore-package Action, which does not require any authentication for repositories and Actions in HashiCorp enterprise GitHub organizations.

Usage

Note: see action.yml for detailed information about configuration and defaults.

Install the latest signore client release

- name: Install signore
  uses: hashicorp/setup-signore@v2
  with:
    github-token: ${{secrets.GITHUB_TOKEN_WITH_SIGNORE_REPO_ACCESS}}

Install a specific signore client release, verifying its archive checksum

- name: Install signore v0.1.2 and verify checksum
  uses: hashicorp/setup-signore@v2
  with:
    github-token: ${{secrets.GITHUB_TOKEN_WITH_SIGNORE_REPO_ACCESS}}
    version: v0.1.2
    # https://github.com/hashicorp/signore/releases/download/v0.1.2/signore_0.1.2_darwin_x86_64.tar.gz sha256 hash
    archive-checksum: 6b58be415b3e9b2f77d74f2cf70857819d15df512626658223b2d4a4f3adc404

Install a specific signore client release and configure signer

- name: Install signore v0.1.2 with client config
  uses: hashicorp/setup-signore@v2
  with:
    github-token: ${{secrets.GITHUB_TOKEN_WITH_SIGNORE_REPO_ACCESS}}
    version: v0.1.2
    signer: ${{secrets.SIGNORE_SIGNER}}

FAQ

What GitHub token do we need?
- We need to download a signore release from GitHub, and because the repository is private we need a token that allows access.
What checksum are we verifying?
- After downloading the os/arch specific tar or zip archive that contains the signore binary, we compare its SHA256 hash against the user supplied archive-checksum
How do I get a GitHub token with access to the signore repository?
- TBD
How do I get access to the signore signing service?
- For now... talk to team-selfmanaged-releng.