
feat: complete OIDC machine identity commit signing dogfooding #120

Merged: bordumb merged 4 commits into main from dev-oidcAuto on Mar 28, 2026

Conversation

@bordumb bordumb (Contributor) commented Mar 28, 2026

Implement end-to-end commit signing with ephemeral machine identities and
OIDC binding for GitHub Actions CI/CD workflows.

Changes:

  • Extend Attestation struct: commit_sha, commit_message, author, oidc_binding
  • Create OidcBinding struct: issuer, subject, audience, platform, normalized_claims
  • Implement sign_commit_with_identity() SDK workflow with full Rustdoc
  • Add auths sign-commit CLI command with context injection and attestation display
  • Extend verify-commit to read and display OIDC binding from refs/auths/commits/<sha>
  • 6 integration tests covering signing with/without OIDC, serialization, multiple commits
  • Unit tests for SignCommitParams, OidcMachineIdentity, OidcBinding structures
  • Document feature in OIDC_COMMIT_SIGNING.md (user guide, architecture, FAQ)
  • E2E validation checklist for live GitHub Actions workflow
  • Update all Attestation initializers across SDK and test code

Enables:

  • GitHub Actions workflow signs commits with OIDC-bound machine identities
  • Attestations stored at refs/auths/commits/<commit-sha> (git-native)
  • Local verification: auths verify-commit <sha> shows OIDC context (repo, actor, run_id)
  • Cryptographic proof of CI/CD workload without central registry

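As an added illustration, not code from the auths project or this PR: a verifier-side policy check for an OIDC binding of the shape this PR attaches to each attestation. Displaying the binding (as verify-commit does) tells the reader where a signature came from; a consumer that relies on it should additionally compare issuer, audience and subject against what it expects for the repository. The struct fields follow the PR description; the issuer URL is GitHub Actions' public OIDC issuer; `BindingPolicy`, `verify_binding`, the `repository` key in `normalized_claims` and all sample values are assumptions.

```rust
use std::collections::HashMap;

/// Field layout taken from the PR description; the concrete types are assumed.
#[derive(Debug, Clone)]
pub struct OidcBinding {
    pub issuer: String,
    pub subject: String,
    pub audience: String,
    pub platform: String,
    pub normalized_claims: HashMap<String, String>,
}

/// What a verifier expects for one repository (hypothetical policy shape).
pub struct BindingPolicy<'a> {
    pub issuer: &'a str,
    pub audience: &'a str,
    pub repository: &'a str,
    /// Git refs a CI signer is allowed to sign from, e.g. the protected branch.
    pub allowed_refs: &'a [&'a str],
}

/// GitHub Actions' OIDC issuer; tokens from any other issuer are not trusted.
pub const GITHUB_ACTIONS_ISSUER: &str = "https://token.actions.githubusercontent.com";

/// Accept the binding only if issuer, audience and subject all match policy.
pub fn verify_binding(b: &OidcBinding, p: &BindingPolicy) -> Result<(), String> {
    if b.issuer != p.issuer {
        return Err(format!("unexpected issuer {}", b.issuer));
    }
    if b.audience != p.audience {
        return Err(format!("unexpected audience {}", b.audience));
    }
    // GitHub Actions subjects look like "repo:OWNER/NAME:ref:refs/heads/BRANCH";
    // pin the attestation to the repository AND a permitted ref, not just the issuer.
    let allowed: Vec<String> = p
        .allowed_refs
        .iter()
        .map(|r| format!("repo:{}:ref:{}", p.repository, r))
        .collect();
    if !allowed.iter().any(|s| s == &b.subject) {
        return Err(format!("subject {} not allowed for {}", b.subject, p.repository));
    }
    // The normalized claim shown by the CLI must agree with the subject it was derived from.
    match b.normalized_claims.get("repository") {
        Some(r) if r == p.repository => Ok(()),
        other => Err(format!("repository claim {:?} does not match subject", other)),
    }
}
```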
@bordumb bordumb self-assigned this Mar 28, 2026
@vercel vercel bot commented Mar 28, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| auths | Ready | Preview, Comment | Mar 28, 2026 8:30pm |

@github-actions github-actions bot

Auths Commit Verification

| Commit | Status | Details |
| --- | --- | --- |
| 82079987 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |

Result: ✅ 1/1 commits verified

@github-actions github-actions bot

Auths Commit Verification

| Commit | Status | Details |
| --- | --- | --- |
| f382a604 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |
| 82079987 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |

Result: ✅ 2/2 commits verified

@github-actions github-actions bot

Auths Commit Verification

| Commit | Status | Details |
| --- | --- | --- |
| 1c6593a5 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |
| f382a604 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |
| 82079987 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |

Result: ✅ 3/3 commits verified

@github-actions github-actions bot

Auths Commit Verification

| Commit | Status | Details |
| --- | --- | --- |
| 8ead7834 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |
| 1c6593a5 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |
| f382a604 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |
| 82079987 | ✅ Verified | Signed by z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local |

Result: ✅ 4/4 commits verified

@bordumb bordumb merged commit 6f3a42f into main Mar 28, 2026
16 checks passed
@bordumb bordumb deleted the dev-oidcAuto branch March 28, 2026 20:47