feat(attest): platform-aware action for Windows / GHES [RC]#114

Merged
ronens88 merged 1 commit into
mainfrom
feature/windows-ghes-attestation
May 17, 2026
Conversation

@ronens88 ronens88 commented May 1, 2026

Summary

Make the `./attest` action cross-platform so customers on Windows GHES self-hosted runners can use it. Companion to cimon#1452 — both branches together form the Digital Grid RC.

Changes

  • `attest/index.js` — branches on `process.platform`. Linux/macOS uses `install.sh` + `sh`; Windows uses `install.ps1` + `pwsh`. Paths use `$RUNNER_TEMP` (set by GHES on every platform) instead of hardcoded `/tmp`. Binary name flips to `cimon.exe` on Windows.
  • `attest/README.md` — proper readme covering cross-platform quickstart, GHES configuration, and signing options for USA data-residency customers (KMS / private Sigstore / keyed offline).
  • `verify-pr.yaml` — new `verify-attest-windows` job that runs `./attest` on `windows-latest` against a sample artifact with keyed signing. Validates platform branching and serves as a customer reference.
  • `build-attest-dist.yaml` — CI helper that auto-rebuilds `attest/dist/index.js` (the bundled distribution the runtime executes) when `attest/index.js` changes. Needed because changes to the unbundled source aren't picked up at runtime.

Notes

  • `attest/dist/index.js` is intentionally not regenerated in this commit — `build-attest-dist.yaml` will refresh it on PR push automatically. Alternately a release machine can run `npm ci && npm run dist/index.js` before tagging.
  • Companion install.ps1 lives in cimon repo at `scripts/install.ps1`.

Test plan

  • `build-attest-dist` workflow regenerates `attest/dist/index.js` on this PR
  • `verify-attest-windows` job passes on `windows-latest`
  • Existing `verify` (Linux) job still passes — platform branching shouldn't regress Linux
  • After both repos green: tag matching RC versions, ship to Digital Grid

🤖 Generated with Claude Code

ronens88 added a commit that referenced this pull request May 1, 2026
cycodelabs/cimon-action@v0 is the legacy line — frozen at f99ad55,
predates hardening (PR #104) and predates the platform-aware Windows
install added in PR #114. cycodelabs/cimon-action@v1 is the line that
follows main and will pick up the Windows changes once that PR merges
and v1 is force-updated.

Today attest@v0 and attest@v1 are byte-identical, but documenting
@v0 in customer-facing examples is a footgun: when our Windows
support lands and v1 advances, customers pinned to @v0 will silently
keep getting the Linux-only attest action.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ronens88 ronens88 force-pushed the feature/windows-ghes-attestation branch from 5d8259b to 7634224 Compare May 16, 2026 15:29
@ronens88 ronens88 marked this pull request as ready for review May 16, 2026 15:30
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7634224b43

Comment thread .github/workflows/build-attest-dist.yaml Outdated
#118 already shipped the cross-platform install path (release-zip from
cycodelabs/cimon-releases, ncc 0.38 upgrade), so this branch's earlier
install.ps1-based implementation is dropped. The remaining pieces from
this PR that #118 didn't cover are kept here:

1. Per-job install dir + wipe-before-install
   ($RUNNER_TEMP/cimon-<run_id>-<run_attempt>-<job>/)
   Closes the silent-reuse hole where a malicious earlier step on a
   self-hosted runner with persistent $RUNNER_TEMP could plant
   cimon[.exe] or install.sh at the action's expected path and the
   action would execute it without re-downloading. Applied uniformly
   to the Linux install.sh path and the Windows release-zip path.

2. Hardened build-attest-dist.yaml
   - npm ci --ignore-scripts so a PR adding a malicious dependency
     can't run a postinstall hook under contents:write before the
     auto-commit lands.
   - Single-file commit guard: the step refuses to act unless the
     only changed file is exactly attest/dist/index.js. Anything else
     fails the workflow loudly instead of silently landing under
     github-actions[bot].
   - Fork-safe checkout: pin to pull_request.head.sha and set
     repository to pull_request.head.repo.full_name. Without these,
     actions/checkout would try to resolve github.head_ref in the
     base repo, which does not contain the fork's branch, and the
     rebuild job would fail before it could run at all.
   - Auto-commit gated to same-repo PRs. On fork PRs the base-repo
     GITHUB_TOKEN is read-only and cannot push to the fork anyway,
     so the step fails with a clear rebuild-locally instruction
     instead of attempting a 403ing push.

3. verify-attest-windows CI job in verify-pr.yaml
   Exercises ./attest end-to-end on windows-latest with keyed
   signing. No longer gated by continue-on-error: the comment about
   install.ps1 missing from S3 is obsolete now that #118 fetches
   cimon_windows_x86_64.zip directly from the GitHub release.

4. attest/README.md
   Cross-platform quickstart, GHES support notes, signing-path
   guidance for air-gapped / data-residency customers.

5. attest/action.yml
   Name + description disambiguated from the top-level hardening
   action ("Cimon by Cycode (Attest)" + cross-platform mention).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
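The single-file commit guard and the same-repo gate described in item 2 above, written out as plain logic over the output of `git status --porcelain`. This is an added example, not the workflow from cimon-action; the function names are ours, the porcelain v1 line format is git's, and the fork repo name in the comments is constructed.

```javascript
// Added example (not cimon-action's own workflow): the guards from
// build-attest-dist.yaml as checkable logic. DIST_FILE comes from the PR.
const DIST_FILE = 'attest/dist/index.js';

// Parse `git status --porcelain` (v1): two status chars, a space, then the path.
// Renames/copies carry "old -> new"; both sides are reported so neither slips through.
// (Paths git quotes because of special characters are not unescaped here.)
function parsePorcelain(out) {
  const paths = [];
  for (const line of out.split('\n')) {
    if (line.length < 4) continue;          // blank or malformed line
    const rest = line.slice(3);
    const arrow = rest.indexOf(' -> ');
    if (arrow !== -1) paths.push(rest.slice(0, arrow), rest.slice(arrow + 4));
    else paths.push(rest);
  }
  return paths;
}

// Decide whether the auto-commit step may run. `fail: true` means the workflow
// should stop loudly; `ok: false, fail: false` is the harmless nothing-to-do case.
function decideAutoCommit({ porcelain, headRepo, baseRepo }) {
  if (headRepo !== baseRepo) {
    // Fork PR: the base-repo GITHUB_TOKEN cannot push to the fork anyway.
    return { ok: false, fail: true,
      reason: `fork PR from ${headRepo}: rebuild ${DIST_FILE} locally and push it` };
  }
  const changed = parsePorcelain(porcelain);
  if (changed.length === 0) {
    return { ok: false, fail: false, reason: 'dist already up to date; nothing to do' };
  }
  const unexpected = changed.filter(p => p !== DIST_FILE);
  if (unexpected.length > 0) {
    // Anything beyond the bundled dist file must never land under github-actions[bot].
    return { ok: false, fail: true,
      reason: `refusing: unexpected changes to ${unexpected.join(', ')}` };
  }
  return { ok: true, fail: false, reason: `commit ${DIST_FILE} only` };
}

module.exports = { DIST_FILE, parsePorcelain, decideAutoCommit };
```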
@ronens88 ronens88 force-pushed the feature/windows-ghes-attestation branch from 7634224 to cb16539 Compare May 16, 2026 16:47
@ronens88 ronens88 merged commit 5b283fa into main May 17, 2026
7 checks passed
@ronens88 ronens88 deleted the feature/windows-ghes-attestation branch May 17, 2026 06:55
ronens88 added a commit that referenced this pull request May 17, 2026
PR #114 scoped the action's install directory to
$RUNNER_TEMP/cimon-<run_id>-<run_attempt>-<job>/ as a security fix, but
the docs + customer-facing demo workflow still hardcode the pre-#114
path of $RUNNER_TEMP/cimon/. A naive `cimon.exe attest verify` step
following the action now fails with "cimon.exe not found".

Surface the install path three ways so workflows can pick whichever
fits their pattern without ever reconstructing the per-job tmpdir
layout:

  1. core.addPath(dir) — `cimon` / `cimon.exe` resolves on PATH for
     plain `run:` steps in the same job.
  2. CIMON_PATH env var — absolute path, for callers that bypass PATH
     (locked-down self-hosted runners).
  3. step output cimon-path — chains cleanly into other jobs via
     ${{ steps.<id>.outputs.cimon-path }}.

Applies to all three install branches (Windows release-zip, Linux
install.sh, and the release-path input override).

After this lands, the docs example collapses from

  $exe = Join-Path $env:RUNNER_TEMP 'cimon\cimon.exe'
  & $exe attest verify ...

to just

  cimon.exe attest verify ...

— which is also what every other Marketplace action does.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>