GitHub Actions Integration with TigerTrust
TigerTrust provides official GitHub Actions for seamless certificate lifecycle management in your GitHub workflows. Leverage enterprise code signing, certificate provisioning, and compliance validation directly in your CI/CD pipelines.
OIDC Authentication
Use GitHub's OIDC provider for secure, secret-less authentication:
```yaml
name: Deploy with TLS

on:
  push:
    branches: [main]

permissions:
  id-token: write   # required to request the OIDC token
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Authenticate with TigerTrust
        uses: tigertrust/auth-action@v1
        with:
          audience: 'https://api.tigertrust.io'
          org-id: ${{ vars.TIGERTRUST_ORG_ID }}
```
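Secret-less authentication is only as strong as the trust policy the relying party applies to the token's claims. The check below is an added example of that relying-party side, not TigerTrust's code: it decodes the claims of a GitHub Actions OIDC token and rejects tokens whose audience, subject (repository and branch), event type or expiry do not match an organisation policy. The policy values and the sample claims are constructed; signature verification against GitHub's JWKS is assumed to have already happened.

```python
import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample claims shaped like a GitHub Actions OIDC token for a push
# to main. The token signature is assumed verified before these are trusted.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://api.tigertrust.io",
    "sub": "repo:example-org/app:ref:refs/heads/main",
    "event_name": "push",
    "exp": NOW + 270,
}

# Hypothetical trust policy for one TigerTrust organisation.
POLICY = {
    "audience": "https://api.tigertrust.io",
    "allowed_subjects": {"repo:example-org/app:ref:refs/heads/main"},
    "allowed_events": {"push", "release", "workflow_dispatch"},
}

def unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature (test input only)."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "header." + payload.decode() + ".signature"

def decode_payload(token: str) -> dict:
    """Decode the claims segment of a JWT (does not verify the signature)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def evaluate(claims: dict, policy: dict, now: int) -> list:
    """Return the policy violations for a set of claims; an empty list accepts."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("issuer is not GitHub Actions")
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("sub") not in policy["allowed_subjects"]:
        problems.append(f"subject not allowed: {claims.get('sub')}")
    if claims.get("event_name") not in policy["allowed_events"]:
        problems.append(f"event not allowed: {claims.get('event_name')}")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    return problems
```

A token minted for a pull request from a fork carries a different `sub` and `event_name`, so the same policy rejects it without any per-repository secret being involved.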
Code Signing Action
Sign build artifacts with enterprise code signing certificates:
```yaml
name: Build and Sign

on:
  release:
    types: [created]

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build application
        run: |
          npm ci
          npm run build
      - name: Sign artifacts
        uses: tigertrust/sign-action@v1
        with:
          certificate-name: 'release-signing-cert'
          artifacts: |
            dist/*.js
            dist/*.mjs
          timestamp-server: 'https://timestamp.digicert.com'
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: signed-release
          path: dist/
```
Certificate Provisioning
Provision certificates for deployment:
```yaml
name: Provision and Deploy

on:
  workflow_dispatch:

jobs:
  provision-certificate:
    runs-on: ubuntu-latest
    outputs:
      cert-id: ${{ steps.provision.outputs.certificate-id }}
    steps:
      - name: Provision certificate
        id: provision
        uses: tigertrust/provision-action@v1
        with:
          common-name: 'app.example.com'
          san-names: |
            app.example.com
            www.example.com
          issuer: 'letsencrypt-prod'
          validity-days: 90

  deploy:
    needs: provision-certificate
    runs-on: ubuntu-latest
    steps:
      - name: Download certificate
        uses: tigertrust/download-action@v1
        with:
          certificate-id: ${{ needs.provision-certificate.outputs.cert-id }}
          output-path: ./certs
      - name: Deploy to Kubernetes
        run: |
          kubectl create secret tls app-tls \
            --cert=./certs/cert.pem \
            --key=./certs/key.pem
```
Compliance Validation
Validate certificates in pull requests:
```yaml
name: Certificate Compliance

on:
  pull_request:
    paths:
      - 'certs/**'
      - 'kubernetes/**/*.yaml'

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate certificates
        uses: tigertrust/validate-action@v1
        with:
          certificate-paths: |
            certs/*.pem
            kubernetes/**/tls.yaml
          policy: 'production-policy'
          fail-on-violation: true
      - name: Post validation results
        if: always()
        uses: tigertrust/report-action@v1
        with:
          report-type: 'pr-comment'
```
Reusable Workflows
Create organization-wide certificate workflows:
```yaml
# .github/workflows/sign-release.yml
name: Sign Release

on:
  workflow_call:
    inputs:
      artifact-name:
        required: true
        type: string
    secrets:
      TIGERTRUST_API_KEY:
        required: true

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: tigertrust/sign-action@v1
        with:
          api-key: ${{ secrets.TIGERTRUST_API_KEY }}
          certificate-name: 'org-signing-cert'
          artifacts: ${{ inputs.artifact-name }}
```
Container Image Signing
Sign container images with Sigstore/Cosign:
```yaml
name: Build and Sign Container

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  packages: write   # push the image to ghcr.io
  id-token: write   # OIDC identity for keyless signing

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # Build, push and sign the same image reference
      IMAGE: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push container
        run: |
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
      - name: Sign container image
        uses: tigertrust/cosign-action@v1
        with:
          certificate-name: 'container-signing-cert'
          image: ${{ env.IMAGE }}
          registry: 'ghcr.io'
```
Matrix Builds
Sign artifacts across multiple platforms:
```yaml
jobs:
  build:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: tigertrust/sign-action@v1
        with:
          certificate-name: '${{ matrix.os }}-signing-cert'
          artifacts: 'build/*'
```
Automate enterprise code signing and certificate management in your GitHub workflows with TigerTrust.