GitHub Action
AWS Lambda Code Signing GitHub Action
GitHub action which uses AWS Code Signer to sign ✍🏼 AWS Lambda artifacts 📦 from your pipeline.
See the AWS documentation for more details related to code signing AWS Lambda artifacts.
The following is an example of creating a signing job and retrieving the resulting jobId
.
jobs:
deploy:
name: Upload to Amazon S3
runs-on: ubuntu-latest
steps:
- name: Sign AWS Lambda artifact
uses: clowdhaus/aws-lambda-code-signing-action/@main
id: signed
with:
aws-region: us-east-1
source-s3-bucket: source-s3-bucket-us-east-1
source-s3-key: unsigned/dist.zip
source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
destination-s3-prefix: signed/
profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
- name: Outputs
run: |
echo "${{ steps.signed.outputs.job-id }}"
echo "${{ steps.signed.outputs.signed-object-key }}"
jobs:
deploy:
name: Upload to Amazon S3
runs-on: ubuntu-latest
steps:
- name: Sign AWS Lambda artifact
uses: clowdhaus/aws-lambda-code-signing-action/@main
with:
aws-region: us-east-1
source-s3-bucket: source-s3-bucket-us-east-1
source-s3-key: unsigned/dist.zip
source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
destination-s3-prefix: signed/
profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
wait-until-successful: true
max-wait-time: 60
The following configuration will create a signing job, wait for the job to finish, and then rename the signed object from the AWS Signer output of <job-id>.<source-file-extension>
to <destination-s3-prefix>/<source-file-name-and-extension>
. Given the configuration below, there would be two signed artifacts created:
<job-id>.zip
created by the AWS Signer jobsigned/dist.zip
created by the action (usingrename-signed-object: true
)
Because the job must complete successfully before the signed object can be renamed, wait-until-successful
is not required but it will be treated as though its true
. Therefore, you can also set the amount of wait time when renaming to give the job more time if necessary.
jobs:
deploy:
name: Upload to Amazon S3
runs-on: ubuntu-latest
steps:
- name: Sign AWS Lambda artifact & rename signed artifact
uses: clowdhaus/aws-lambda-code-signing-action/@main
id: signed
with:
aws-region: us-east-1
source-s3-bucket: source-s3-bucket-us-east-1
source-s3-key: unsigned/dist.zip
source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
destination-s3-prefix: signed/
profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
max-wait-time: 60
rename-signed-object: true
- name: Outputs
run: |
echo "${{ steps.signed.outputs.job-id }}"
echo "${{ steps.signed.outputs.renamed-signed-object-key }}"
See the __infra__
directory for example of resource definitions necessary for signing.
The following instructions will help you get setup for development and testing purposes.
yarn
is used to handle dependencies and executing scripts on the codebase.
See here for instructions on installing yarn on your local machine.
Once you have installed yarn
, you can install the project dependencies by running the following command from within the project root directory:
$ yarn
Please read CODE_OF_CONDUCT.md for details on our code of conduct and the process for submitting pull requests.
Please see the CHANGELOG.md for details on individual releases.