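# GitHub Identity Attestation
#
# PURPOSE: Prove you control a GitHub account by running a workflow.
#
# ARTIFACT: JSON containing your GitHub username, recipient address, and target faucet,
# plus a ZK proof ready for on-chain submission.
#
# TRUST MODEL:
# - The workflow runs in YOUR repo (you triggered it)
# - Sigstore signs: "repo X at commit Y produced artifact Z"
# - Verifier trusts: this workflow correctly outputs github.actor
#
# HOW TO CLAIM:
# 1. Run this workflow with your ETH address
# 2. Download the identity-proof artifact
# 3. Open issue at main repo with title "[CLAIM]" and paste claim.json
#
# NO SECRETS NEEDED - just fork and run.
#
# IMPLEMENTATION NOTE: workflow inputs and step outputs are handed to shell
# steps through `env:` and are never interpolated with `${{ }}` directly into
# a `run:` script. An expression is expanded before the shell parses the
# script, so a crafted input could otherwise break out of its quotes and run
# arbitrary commands in this job - including writing a certificate.json with a
# different github_actor before it is attested, while the workflow file itself
# stays byte-identical to this one. As an environment variable the value is
# inert text, and the regex check below genuinely bounds it.
---
name: GitHub Identity

on:
  workflow_dispatch:
    inputs:
      recipient_address:
        description: 'ETH address to receive funds (0x...)'
        required: true
      faucet_address:
        description: 'Faucet contract address (Base Sepolia)'
        required: true
        default: '0x72cd70d28284dD215257f73e1C5aD8e28847215B'
      generate_proof:
        description: 'Generate ZK proof (takes ~5 min)'
        required: true
        type: boolean
        default: true

# Least privilege: id-token for Sigstore signing and attestations to store the
# provenance; repository contents stay read-only.
permissions:
  id-token: write
  contents: read
  attestations: write

jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to a major tag. Pinning to a full commit SHA (with
      # the tag in a trailing comment) resists tag rewrites; left as tags here
      # because no verified SHA is on hand - TODO confirm and pin.
      - uses: actions/checkout@v4

      - name: Validate inputs
        env:
          RECIPIENT_INPUT: ${{ inputs.recipient_address }}
          FAUCET_INPUT: ${{ inputs.faucet_address }}
        run: |
          # Strict 20-byte hex address; anything else aborts before any
          # artifact is produced or signed.
          if ! echo "$RECIPIENT_INPUT" | grep -qE '^0x[a-fA-F0-9]{40}$'; then
            echo "Invalid recipient address format"
            exit 1
          fi
          if ! echo "$FAUCET_INPUT" | grep -qE '^0x[a-fA-F0-9]{40}$'; then
            echo "Invalid faucet address format"
            exit 1
          fi

      - name: Generate identity certificate
        env:
          RECIPIENT_INPUT: ${{ inputs.recipient_address }}
          FAUCET_INPUT: ${{ inputs.faucet_address }}
          GH_ACTOR: ${{ github.actor }}
          GH_REPOSITORY: ${{ github.repository }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          mkdir -p proof
          # Addresses are lower-cased so the same address always yields the
          # same certificate bytes regardless of how it was typed.
          RECIPIENT=$(echo "$RECIPIENT_INPUT" | tr '[:upper:]' '[:lower:]')
          FAUCET=$(echo "$FAUCET_INPUT" | tr '[:upper:]' '[:lower:]')
          # The certificate is written with a heredoc rather than jq so its
          # byte layout, which the attestation hashes and the prover reads,
          # is not reformatted - confirm with the prover before changing it.
          cat > proof/certificate.json << EOF
          {
            "type": "github-identity",
            "github_actor": "$GH_ACTOR",
            "github_repository": "$GH_REPOSITORY",
            "recipient_address": "$RECIPIENT",
            "faucet_address": "$FAUCET",
            "chain_id": 84532,
            "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "workflow_run": "$RUN_URL"
          }
          EOF
          echo "Certificate:" && cat proof/certificate.json

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: identity-proof
          path: proof/

      - name: Attest
        id: attest
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: proof/certificate.json

      - name: Copy attestation bundle
        if: ${{ inputs.generate_proof }}
        env:
          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
        run: cp "$BUNDLE_PATH" proof/bundle.json

      - name: Generate ZK proof
        if: ${{ inputs.generate_proof }}
        env:
          # The image is addressed by digest, so vars.PROVER_REGISTRY can point
          # at a mirror without being able to substitute a different image.
          PROVER_REGISTRY: ${{ vars.PROVER_REGISTRY || 'ghcr.io/amiller/zkproof' }}
          PROVER_DIGEST: "sha256:b13465c5bc36840dc80a4cbfdc8d98abd51ae2abfdaa0d48edc4da872146e5f0"
          EXPECTED_VK_HASH: "0x0d0b56f315c3dda7236c1d352fae8974871d3482125edea8a74139123d17d2fc"
        run: |
          echo "Using prover: ${PROVER_REGISTRY}@${PROVER_DIGEST}"
          # GITHUB_WORKSPACE is the runner-provided equivalent of
          # ${{ github.workspace }}; quoted in case the path contains spaces.
          # If the prover needs no network, `--network none` would isolate it
          # further - confirm before adding.
          docker run --rm -e EXPECTED_VK_HASH="${EXPECTED_VK_HASH}" \
            -v "${GITHUB_WORKSPACE}/proof:/work" \
            "${PROVER_REGISTRY}@${PROVER_DIGEST}" generate /work/bundle.json /work

      - name: Update artifact with proof
        if: ${{ inputs.generate_proof }}
        uses: actions/upload-artifact@v4
        with:
          name: identity-proof
          path: proof/
          overwrite: true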