|
|
||
|---|---|---|
| action.yml | ||
| CODEOWNERS | ||
| LICENSE | ||
| README.md | ||
What
A setup-signore alternative for Linux GitHub Runners. Extracts a binary from the Signore Docker image on GitHub Packages to the local disk.
Why
- the setup-signore GitHub Action requires users to supply a GitHub personal access token
- this version automatically uses the
GITHUB_TOKENvended to a running Action to authenticate to the GitHub container registry (ghcr.io)
Limitations
- Linux only, because macOS workers do not have Docker installed, and Windows workers have other unexplored issues
- Incidentally, look how fun it is to "pull" a Docker image without Docker
Permissions
One security best practice to keep in mind when configuring your GitHub Actions is least privilege. GitHub grants a wide variety of scopes to a GitHub Action's GITHUB_TOKEN by default. Whenever possible, you should specify granularly scoped permissions to confine your workflows to their intended uses.
If specify granular permissions, be sure to include the package: read scope. This allows your action to use its GITHUB_TOKEN to pull the signore Docker image from the GitHub Container Registry.
permissions:
packages: read
Read more about permissions for GITHUB_TOKEN in the official docs.
How
Add a step to your workflow like so:
steps:
- name: install signore
uses: hashicorp/setup-signore-package@v1
With no inputs, the GITHUB_TOKEN is passed automatically, and a default version of signore is used.
Optionally, token, version, and signer can be set:
steps:
- uses: hashicorp/setup-signore-package@v1
with:
version: v0
signer: test_signer
token: ${{ secrets.GITHUB_TOKEN }}