GitHub action which uses AWS Code Signer to sign AWS Lambda artifacts
| Functionality | Status |
|---|---|
| Create AWS Signer signing request for existing object in source AWS S3 bucket | ✅ |
| Wait for signing job to complete | ✅ |
| Rename signed object to original/friendly name under destination prefix | ✅ |
| Copy tags from original object to signed object | |
| Upload local artifact from CI pipeline to AWS S3 source bucket | |
| Generate zip archive for upload to AWS S3 source bucket | |
See the AWS documentation for more details related to code signing AWS Lambda artifacts.
ℹ️ The artifact must already exist in AWS S3 in order for the action to initiate a signing job request; the action does not handle uploading a local artifact to AWS S3 (at this time) before initiating a signing job request.
The following is an example of creating a signing job and retrieving the resulting `jobId`.

```yaml
jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    steps:
      - name: Sign AWS Lambda artifact
        uses: clowdhaus/aws-lambda-code-signing-action/@main
        id: signed
        with:
          aws-region: us-east-1
          source-s3-bucket: source-s3-bucket-us-east-1
          source-s3-key: unsigned/dist.zip
          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
          destination-s3-prefix: signed/
          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
      - name: Outputs
        run: |
          echo "${{ steps.signed.outputs.job-id }}"
          echo "${{ steps.signed.outputs.signed-object-key }}"
```
The following configuration will create a signing job and wait for the job to complete successfully, giving up after `max-wait-time`:

```yaml
jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    steps:
      - name: Sign AWS Lambda artifact
        uses: clowdhaus/aws-lambda-code-signing-action/@main
        with:
          aws-region: us-east-1
          source-s3-bucket: source-s3-bucket-us-east-1
          source-s3-key: unsigned/dist.zip
          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
          destination-s3-prefix: signed/
          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
          wait-until-successful: true
          max-wait-time: 60
```
The following configuration will create a signing job, wait for the job to finish, and then rename the signed object from the AWS Signer output of `<job-id>.<source-file-extension>` to `<destination-s3-prefix>/<source-file-name-and-extension>`. Given the configuration below, two signed artifacts would be created:

- `<job-id>.zip`, created by the AWS Signer job
- `signed/dist.zip`, created by the action (using `rename-signed-object: true`)

Because the job must complete successfully before the signed object can be renamed, `wait-until-successful` is not required but will be treated as though it were `true`. You can therefore also set `max-wait-time` when renaming to give the job more time if necessary.
```yaml
jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    steps:
      - name: Sign AWS Lambda artifact & rename signed artifact
        uses: clowdhaus/aws-lambda-code-signing-action/@main
        id: signed
        with:
          aws-region: us-east-1
          source-s3-bucket: source-s3-bucket-us-east-1
          source-s3-key: unsigned/dist.zip
          source-s3-version: xtmNOx66ZujPT5G.ihF6p60zz8hF5YAK
          destination-s3-bucket: destination-s3-bucket-us-east-1 # can re-use same bucket
          destination-s3-prefix: signed/
          profile-name: AwsLambdaCodeSigningAction20211013170708789000654321
          max-wait-time: 60
          rename-signed-object: true
      - name: Outputs
        run: |
          echo "${{ steps.signed.outputs.job-id }}"
          echo "${{ steps.signed.outputs.renamed-signed-object-key }}"
```
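To make the three steps above (create a signing job for a versioned S3 object, wait for it to reach a terminal state, rename the `<job-id>.zip` output to a friendly name) concrete, here is an added example of the same flow written against boto3-style `signer` and `s3` clients. It is not the action's own code: the `FakeSigner` and `FakeS3` classes, the `0123abcd-job` id and the 5-second poll interval are constructed assumptions so that it runs offline, and a real run would pass `boto3.client("signer")` and `boto3.client("s3")` instead. Two points the YAML alone does not show: the source object version is what pins which bytes get signed, and a failed or timed-out job raises rather than letting the pipeline continue with an unsigned artifact.

```python
"""Added example, not the action's own code: the create-job / wait / rename flow above,
written against boto3-style `signer` and `s3` clients. FakeSigner and FakeS3 are
constructed stand-ins so it runs offline; the 5-second poll interval is an assumption."""
import os
import time
import uuid

def signed_object_key(prefix, job_id, source_key):
    """AWS Signer names the signed artifact <prefix><job-id>.<source-extension>."""
    return f"{prefix}{job_id}{os.path.splitext(source_key)[1]}"

def renamed_object_key(prefix, source_key):
    """Friendly name written by rename-signed-object: <prefix><source-file-name>."""
    return f"{prefix}{os.path.basename(source_key)}"

def start_signing_job(signer, *, source_bucket, source_key, source_version,
                      destination_bucket, destination_prefix, profile_name):
    """Request the job; the S3 object version pins exactly which bytes get signed."""
    resp = signer.start_signing_job(
        source={"s3": {"bucketName": source_bucket, "key": source_key,
                       "version": source_version}},
        destination={"s3": {"bucketName": destination_bucket, "prefix": destination_prefix}},
        profileName=profile_name,
        clientRequestToken=str(uuid.uuid4()),  # idempotency token for retries
    )
    return resp["jobId"]

def wait_for_job(signer, job_id, max_wait, poll_interval=5.0,
                 clock=time.monotonic, sleep=time.sleep):
    """Poll until Succeeded; Failed or an expired deadline raises, so the pipeline
    never falls through to publishing an unsigned artifact."""
    deadline = clock() + max_wait
    while True:
        job = signer.describe_signing_job(jobId=job_id)
        status = job.get("status")
        if status == "Succeeded":
            return job
        if status == "Failed":
            raise RuntimeError(f"signing job {job_id} failed: {job.get('statusReason')}")
        if clock() >= deadline:
            raise TimeoutError(f"signing job {job_id} still {status} after {max_wait}s")
        sleep(poll_interval)

def wait_outcome(signer, job_id, max_wait, **kw):
    """Terminal state as a string, the way a CI step would report it."""
    try:
        wait_for_job(signer, job_id, max_wait, **kw)
        return "Succeeded"
    except TimeoutError:
        return "Timeout"
    except RuntimeError as exc:
        return f"Failed: {exc}"

def rename_signed_object(s3, job, destination_prefix, source_key):
    """Copy the signed object the job reports (never a guessed key) to its friendly name."""
    signed = job["signedObject"]["s3"]
    new_key = renamed_object_key(destination_prefix, source_key)
    s3.copy_object(Bucket=signed["bucketName"], Key=new_key,
                   CopySource={"Bucket": signed["bucketName"], "Key": signed["key"]})
    return new_key

def sign_and_rename(signer, s3, *, max_wait=60, clock=time.monotonic,
                    sleep=time.sleep, **job_args):
    """Whole flow with rename-signed-object: true; keys mirror the action's outputs."""
    job_id = start_signing_job(signer, **job_args)
    job = wait_for_job(signer, job_id, max_wait, clock=clock, sleep=sleep)
    return {"job-id": job_id, "signed-object-key": job["signedObject"]["s3"]["key"],
            "renamed-signed-object-key": rename_signed_object(
                s3, job, job_args["destination_prefix"], job_args["source_key"])}

class FakeSigner:
    """Constructed stand-in: InProgress until the Nth describe call, then a terminal state."""
    def __init__(self, calls_until_done, fail=False):
        self.remaining, self.fail, self.request = calls_until_done, fail, None

    def start_signing_job(self, **kwargs):
        self.request = kwargs
        return {"jobId": "0123abcd-job"}  # constructed job id

    def describe_signing_job(self, jobId):
        self.remaining -= 1
        if self.remaining > 0:
            return {"jobId": jobId, "status": "InProgress"}
        if self.fail:
            return {"jobId": jobId, "status": "Failed", "statusReason": "constructed failure"}
        dest, src = self.request["destination"]["s3"], self.request["source"]["s3"]
        return {"jobId": jobId, "status": "Succeeded", "signedObject": {"s3": {
            "bucketName": dest["bucketName"],
            "key": signed_object_key(dest["prefix"], jobId, src["key"])}}}

class FakeS3:
    """Constructed stand-in that records copy_object calls as (from, to) pairs."""
    def __init__(self):
        self.copies = []

    def copy_object(self, Bucket, Key, CopySource):
        self.copies.append((CopySource["Key"], Key))

if __name__ == "__main__":  # offline demo against the constructed fakes
    print(sign_and_rename(FakeSigner(3), FakeS3(), sleep=lambda _: None,
                          source_bucket="src-bucket", source_key="unsigned/dist.zip",
                          source_version="v1", destination_bucket="dst-bucket",
                          destination_prefix="signed/", profile_name="p"))
```

The rename step deliberately takes the signed key from the `describe_signing_job` response rather than recomputing it, so a renamed object can only ever be a copy of what AWS Signer actually produced. boto3's `signer` client also ships a `successful_signing_job` waiter; the manual loop is used here only to make the `max-wait-time` deadline and the failure path explicit.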
See the `infra` directory for an example of the resource definitions necessary for signing.
The following instructions will help you get set up for development and testing purposes. `yarn` is used to handle dependencies and execute scripts on the codebase. See here for instructions on installing yarn on your local machine. Once you have installed `yarn`, you can install the project dependencies by running the following command from within the project root directory:

```sh
$ yarn
```
Please read CODE_OF_CONDUCT.md for details on our code of conduct and the process for submitting pull requests.
Please see the CHANGELOG.md for details on individual releases.