Create example workflow

Author: scheibling

.github/workflows/wait-signature.yml

@@ -0,0 +1,91 @@
+# This file implements a waiting loop to check for signed files from OSSign.
+
+# You need to create the environment "Signatures" (or another name) in your repository
+# and set a waiting period to change the interval. If you do not set a waiting period, this workflow will run again directly after it has finished every time.
+name: OSSign Waiting Loop
+
+on:
+  # You can also manually start this workflow with the ID printed out in the dispatch workflow
+  workflow_dispatch:
+    inputs:
+      workflow_id:
+        description: 'The workflow ID from dispatch'
+        required: true
+        type: string
+      attempt:
+        required: false
+        description: 'The attempt number'
+        type: number
+        default: 1
+      max_attempts:
+        required: false
+        description: 'The maximum number of attempts (times the waiting period duration you set in the environment gives the max wait time, e.g. 30 minutes * 48 = 24 hours)'
+        type: number
+        default: 100
+
+jobs:
+    wait-and-check:
+        runs-on: ubuntu-latest
+
+        # This job uses an environment with a wait period set in the policy to work around the fact that you cannot pause workflows
+        environment: Signatures
+
+        permissions:
+          # Needs actions: write to be able to dispatch workflows
+          actions: write
+
+          #  Uses contents: write to be able to read and write workflow artifacts
+          contents: write
+        steps:
+
+          # Checks if the attempt threshold was reached, if yes, exits with error
+          - name: Check if the threshold has been reached
+            shell: bash
+            run: |
+                if [ ${{ github.event.inputs.attempt }} -gt ${{ github.event.inputs.max_attempts }} ]; then
+                  echo "Maximum number of attempts reached, exiting."
+                  exit 1
+                fi
+        
+          - name: Check if signing is finished
+            id: check
+            uses: ossign/actions/workflow/dispatch@main
+            with:
+              username: ${{ secrets.OSSIGN_USER }}
+              token: ${{ secrets.OSSIGN_TOKEN }}
+              single_check: ${{ github.event.inputs.workflow_id }}
+        
+          # You can replace this step with another that downloads the signed artifacts and uploads them to releases
+          # The data returnjed in signed_artifacts is:
+          # [
+          #    {
+          #        "id": "Release artifact ID",
+          #        "name": "Filename.exe",
+          #        "url": "https://api.github.com/repos/OSSign/exampleuser--examplerepo/releases/assets/[releaseArtifactID]",
+          #        "browser_download_url": "https://github.com/OSSign/exampleuser--examplerepo/releases/download/[releaseArtifactID]/Filename.exe"
+          #    }
+          # ]
+          - name: If artifacts were returned, we are done!
+            if: steps.check.outputs.signed_artifacts != ''
+            run: |
+               echo "Signing complete, signed artifacts: ${{ steps.check.outputs.signed_artifacts }}"
+
+
+          # If the signature was not finished, increase the attempt counter and restart the workflow
+          - name: Increase attempt counter
+            if: steps.check.outputs.signed_artifacts == ''
+            id: increased
+            run: |
+              echo "Attempt ${{ github.event.inputs.attempt }} failed, will try again."
+              echo "attempt_no=$(( ${{ github.event.inputs.attempt }} + 1 ))" >> $GITHUB_OUTPUT
+
+          - name: If signing is not finished, restart the workflow
+            if: steps.check.outputs.signed_artifacts == ''
+            uses: benc-uk/workflow-dispatch@v1
+            with:
+              workflow: waiting-loop.yml
+              inputs: |
+                { 
+                    "workflow_id": "${{ github.event.inputs.workflow_id }}",
+                    "attempt": "${{ steps.increased.outputs.attempt_no }}"
+                }

.github/workflows/win-build.yml

@@ -0,0 +1,53 @@
+# This file will build the program and dispatch it to OSSign for signing.
+# It will then start a waiting loop with the workflow file wait-signature to wait for the signed files to appear
+name: Build and Dispatch
+
+on:
+  push:
+    tags: ['*.*.*']
+
+jobs:
+  build:
+    runs-on: windows-latest
+    permissions:
+      # Needs actions: write to be able to dispatch workflows
+      actions: write
+      contents: read
+    steps:
+      # Checkout the code and build the program
+      # to make sure everything works as expected
+      - uses: actions/checkout@v5
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.25.1'
+      
+      - name: Build the program
+        run: go build -o myprogram.exe main.go
+
+
+      # Dispatch a request to the OSSign repo for build + signing
+      - name: Dispatch to OSSign
+        uses: ossign/actions/workflow/dispatch@main
+        with:
+          # You receive the username and token from OSSign after your application has been approved
+          username: ${{ secrets.OSSIGN_USER }}
+          token: ${{ secrets.OSSIGN_TOKEN }}
+
+          # If you want to keep the workflow running until you have the signed file, you can change this to false
+          # Bear in mind that it might sometimes take a while before the dispatch is approved, and this will keep the workflow running and billing if you are using a non-free runner
+          dispatch_only: true
+        
+      # Echo the workflow ID for debugging purposes
+      - run: |
+          echo "Received workflow ID: ${{ steps.dispatch.outputs.workflow_id }}"
+    
+      # Starts the waiting loop, only required with dispatch_only: true
+      # This will start the waiting-loop.yml workflow. For more information, see that file.    
+      - name: Start the waiting loop
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: wait-signature.yml
+          inputs: |
+            { "workflow_id": "${{ steps.dispatch.outputs.workflow_id }}" }

README.md

@@ -1,2 +1,26 @@
 # example-workflow
 This is an example workflow with instructions on how to set up the remote approval flow for OSSign
+
+## .github/workflows/win-build.yml
+Builds your application and then dispatches a request to OSSign for signing. After dispatching, it starts a waiting loop to wait for the signed files to be available.
+
+### Set the secrets
+To use this workflow, you need to set the following secrets in your GitHub repository. You will get these details from OSSign after your application has been approved for signing.
+- `OSSIGN_USER`: Your OSSign username
+- `OSSIGN_TOKEN`: Your OSSign token
+
+## .github/workflows/wait-signature.yml
+This workflow is started by the waiting loop in the build workflow. It periodically checks with OSSign to see if the signing is complete. Once the signed files are available, you can add steps to download and use them as needed.
+
+### Waiting loop setup
+To set up the waiting loop, start by creating a new environment:
+1. Go to your GitHub repository.
+2. Click on "Settings" > "Environments".![alt text](docs/image-2.png)
+
+3. Create a new environment named `Signatures`. ![alt text](docs/image.png)
+
+4. In the environment settings, check the "Wait timer" option and set it to 20 minutes ![alt text](docs/image-1.png)
+
+5. Click "Save protection rules".
+
+When setting the secrets, those need to be set outside of the environment.

docs/image-1.png

@@ -0,0 +1,3 @@
+module github.com/ossign/example-workflow
+
+go 1.25.2

docs/image-2.png

@@ -0,0 +1,7 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("Hello, World!")
+}