Skip to content
edit

GitHub Action

AWS Lambda Code Signing GitHub Action

v1.5.1 Latest version

AWS Lambda Code Signing GitHub Action

edit

AWS Lambda Code Signing GitHub Action

GitHub action which uses AWS Code Signer to sign โœ๐Ÿผ AWS Lambda artifacts ๐Ÿ“ฆ from your pipeline

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: AWS Lambda Code Signing GitHub Action

              
  uses: clowdhaus/[email protected]
Learn more about this action in clowdhaus/aws-lambda-code-signing-action

Choose a version

AWS Lambda Code Signing

aws-lambda-code-signing-action

Strict TypeScript Commitizen friendly Known Vulnerabilities

integration test

GitHub action which uses AWS Code Signer to sign โœ๐Ÿผ AWS Lambda artifacts ๐Ÿ“ฆ

Functionality Status
Create AWS Signer signing request for existing object in source AWS S3 bucket โœ…
Wait for signing job to complete โœ…
Rename signed object to original/friendly name under destination prefix โœ…
Copy tags from original object to signed object
Upload local artifact from CI pipeline to AWS S3 source bucket
Generate zip archive for upload to AWS S3 source bucket

Usage

See the AWS documentation for more details related to code signing AWS Lambda artifacts.

โ„น๏ธ The artifact must already exist in AWS S3 in order for the action to initiate a signing job request; the action does not handle uploading a local artifact to AWS S3 (at this time) before initiating a signing job request.

Sign

The following is an example of creating a signing job and retrieving the resulting jobId.

jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    steps:
      - name: Sign AWS Lambda artifact
        uses: clowdhaus/aws-lambda-code-signing-action/@main
        id: signed
        with:
          aws-region: us-east-1
          source-s3-bucket: source-s3-bucket-us-east-1
          source-s3-key: unsigned/dist.zip
          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
          destination-s3-prefix: signed/
          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321

      - name: Outputs
        run: |
          echo "${{ steps.signed.outputs.job-id }}"
          echo "${{ steps.signed.outputs.signed-object-key }}"

Sign & Wait

jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    steps:
      - name: Sign AWS Lambda artifact
        uses: clowdhaus/aws-lambda-code-signing-action/@main
        with:
          aws-region: us-east-1
          source-s3-bucket: source-s3-bucket-us-east-1
          source-s3-key: unsigned/dist.zip
          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
          destination-s3-prefix: signed/
          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
          wait-until-successful: true
          max-wait-time: 60

Sign & Rename

The following configuration will create a signing job, wait for the job to finish, and then rename the signed object from the AWS Signer output of <job-id>.<source-file-extension> to <destination-s3-prefix>/<source-file-name-and-extension>. Given the configuration below, there would be two signed artifacts created:

  1. <job-id>.zip created by the AWS Signer job
  2. signed/dist.zip created by the action (using rename-signed-object: true)

Because the job must complete successfully before the signed object can be renamed, wait-until-successful is not required but it will be treated as though its true. Therefore, you can also set the amount of wait time when renaming to give the job more time if necessary.

jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    steps:
      - name: Sign AWS Lambda artifact & rename signed artifact
        uses: clowdhaus/aws-lambda-code-signing-action/@main
        id: signed
        with:
          aws-region: us-east-1
          source-s3-bucket: source-s3-bucket-us-east-1
          source-s3-key: unsigned/dist.zip
          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
          destination-s3-prefix: signed/
          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
          max-wait-time: 60
          rename-signed-object: true

      - name: Outputs
        run: |
          echo "${{ steps.signed.outputs.job-id }}"
          echo "${{ steps.signed.outputs.renamed-signed-object-key }}"

AWS Signing Resources

See the __infra__ directory for example of resource definitions necessary for signing.

Getting Started

The following instructions will help you get setup for development and testing purposes.

Prerequisites

yarn

yarn is used to handle dependencies and executing scripts on the codebase.

See here for instructions on installing yarn on your local machine.

Once you have installed yarn, you can install the project dependencies by running the following command from within the project root directory:

  $ yarn

Contributing

Please read CODE_OF_CONDUCT.md for details on our code of conduct and the process for submitting pull requests.

Changelog

Please see the CHANGELOG.md for details on individual releases.