auths-dev · bordumb · Apr 5, 2026 · Apr 5, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -106,24 +106,27 @@ jobs:
       - name: Sign artifact (Unix)
         if: matrix.ext == '.tar.gz'
         env:
-          AUTHS_PASSPHRASE: ${{ secrets.AUTHS_CI_PASSPHRASE }}
-          AUTHS_CI_KEYCHAIN_B64: ${{ secrets.AUTHS_CI_KEYCHAIN }}
-          AUTHS_CI_IDENTITY_BUNDLE_B64: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
+          AUTHS_CI_TOKEN: ${{ secrets.AUTHS_CI_TOKEN }}
           AUTHS_KEYCHAIN_BACKEND: file
           AUTHS_KEYCHAIN_FILE: /tmp/auths-ci-keychain
         run: |
-          if [ -z "$AUTHS_PASSPHRASE" ] || [ -z "$AUTHS_CI_KEYCHAIN_B64" ] || [ -z "$AUTHS_CI_IDENTITY_BUNDLE_B64" ]; then
-            echo "Skipping artifact signing: AUTHS_CI_PASSPHRASE, AUTHS_CI_KEYCHAIN, and AUTHS_CI_IDENTITY_BUNDLE must all be set (run 'just ci-setup' to populate them)"
+          if [ -z "$AUTHS_CI_TOKEN" ]; then
+            echo "Skipping artifact signing: AUTHS_CI_TOKEN not set (run 'auths ci setup' to configure)"
             exit 0
           fi
 
-          printf '%s' "$AUTHS_CI_KEYCHAIN_B64" | tr -d '[:space:]' | base64 -d > /tmp/auths-ci-keychain
+          # Extract fields from the single CI token
+          AUTHS_PASSPHRASE=$(echo "$AUTHS_CI_TOKEN" | jq -r '.passphrase')
+          echo "::add-mask::$AUTHS_PASSPHRASE"
+          export AUTHS_PASSPHRASE
+
+          echo "$AUTHS_CI_TOKEN" | jq -r '.keychain' | base64 -d > /tmp/auths-ci-keychain
           mkdir -p /tmp/auths-identity
-          printf '%s' "$AUTHS_CI_IDENTITY_BUNDLE_B64" | tr -d '[:space:]' | base64 -d | tar -xz -C /tmp/auths-identity
+          echo "$AUTHS_CI_TOKEN" | jq -r '.identity_repo' | base64 -d | tar -xz -C /tmp/auths-identity
 
           if ! git -C /tmp/auths-identity rev-parse --git-dir > /dev/null 2>&1; then
-            echo "Skipping artifact signing: AUTHS_CI_IDENTITY_BUNDLE does not contain a valid git repository."
-            echo "Re-run 'just ci-setup' to regenerate the secret, then update AUTHS_CI_IDENTITY_BUNDLE in GitHub Secrets."
+            echo "Skipping artifact signing: identity repo in AUTHS_CI_TOKEN is not a valid git repository."
+            echo "Re-run 'auths ci setup' to regenerate the token."
             exit 0
           fi
 

diff --git a/.github/workflows/sign-commits.yml b/.github/workflows/sign-commits.yml
@@ -1,4 +1,4 @@
-name: Sign Commits with OIDC Machine Identity
+name: Sign Commits
 
 on:
   push:
@@ -11,121 +11,16 @@ on:
 
 permissions:
   contents: write
-  id-token: write
-
-env:
-  CARGO_TERM_COLOR: always
-  RUSTFLAGS: -D warnings
 
 jobs:
   sign-commits:
-    name: Sign Commits
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: dtolnay/rust-toolchain@stable
 
-      - uses: actions/cache@v4
+      - uses: auths-dev/sign@v1
         with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Build auths-cli
-        run: cargo build --release -p auths-cli
-        continue-on-error: false
-
-      - name: Configure Git
-        run: |
-          git config --global user.name "auths-ci"
-          git config --global user.email "auths-ci@example.com"
-
-      - name: Sign commits with OIDC machine identity
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set +e  # Don't exit on error; we want to log and continue
-
-          # Build auths binary path
-          AUTHS_BIN="./target/release/auths"
-
-          # Get the list of new commits in this push
-          # For the first push (no HEAD@{1}), use all commits in main
-          if git rev-parse "HEAD@{1}" >/dev/null 2>&1; then
-            COMMIT_RANGE="HEAD@{1}..HEAD"
-          else
-            COMMIT_RANGE="HEAD"
-          fi
-
-          echo "Commits to sign:"
-          git rev-list $COMMIT_RANGE
-
-          # For each commit, initialize OIDC machine identity and sign
-          while IFS= read -r commit_sha; do
-            echo ""
-            echo "=========================================="
-            echo "Signing commit: $commit_sha"
-            echo "=========================================="
-
-            # Initialize machine identity from OIDC token
-            echo "Setting up OIDC machine identity..."
-            if ! $AUTHS_BIN init --profile ci 2>/dev/null; then
-              echo "⚠️  Warning: Failed to initialize OIDC machine identity for $commit_sha"
-              continue
-            fi
-
-            # Sign the commit
-            echo "Signing commit with machine identity..."
-            if ! $AUTHS_BIN signcommit "$commit_sha" 2>&1; then
-              echo "⚠️  Warning: Failed to sign commit $commit_sha"
-              echo "Continuing with next commit..."
-              continue
-            fi
-
-            # Display attestation for debugging
-            echo ""
-            echo "Attestation structure:"
-            if git show "refs/auths/commits/$commit_sha" 2>/dev/null; then
-              echo "✓ Attestation stored successfully"
-            else
-              echo "⚠️  Warning: Could not retrieve attestation for $commit_sha"
-            fi
-
-          done < <(git rev-list $COMMIT_RANGE)
-
-          echo ""
-          echo "=========================================="
-          echo "Commit signing complete"
-          echo "=========================================="
-
-      - name: Push attestation refs
-        if: always()
-        run: |
-          set +e
-
-          # Push all attestation refs to origin
-          echo "Pushing attestation refs to origin..."
-          if git push origin 'refs/auths/commits/*:refs/auths/commits/*' 2>&1; then
-            echo "✓ Attestation refs pushed successfully"
-          else
-            echo "⚠️  Warning: Failed to push attestation refs (may not exist yet)"
-          fi
-
-          # Also push KERI refs if they exist
-          if git show-ref | grep -q "refs/keri"; then
-            git push origin 'refs/keri/*:refs/keri/*' 2>&1 || echo "⚠️  Failed to push KERI refs"
-          fi
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "Commit signing workflow completed"
-          echo "View signed commits: git log --oneline -10"
-          echo "View attestations: git show refs/auths/commits/<commit-sha>"
-          echo "Verify attestation: ./target/release/auths verify-commit <commit-sha>"
+          token: ${{ secrets.AUTHS_CI_TOKEN }}
+          commits: 'HEAD~1..HEAD'
diff --git a/.github/workflows/verify-commits.yml b/.github/workflows/verify-commits.yml
@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: auths-dev/auths-verify-github-action@v1
+      - uses: auths-dev/verify@v1
         with:
           allowed-signers: .auths/allowed_signers
           fail-on-unsigned: true