GitHub Actions

Overview

QCecuring provides GitHub Actions for integrating code signing and certificate provisioning into CI/CD workflows. Developers sign artifacts and provision certificates without managing private keys in repository secrets, maintaining security while enabling automation.

Key capabilities

• GitHub Action for signing binaries, containers, and packages during workflow runs.
• Certificate provisioning actions for deploying TLS certificates as part of release workflows.
• Keyless signing architecture where private keys never leave QCecuring’s secure infrastructure.
• Support for OIDC-based authentication eliminating long-lived API tokens in GitHub secrets.
• Detailed signing logs correlated with GitHub workflow run metadata for audit purposes.

Typical use cases

• Open source and enterprise teams signing release artifacts in GitHub Actions pipelines.
• DevOps teams provisioning certificates for environments deployed through GitHub-based GitOps.
• Organizations requiring verifiable provenance and integrity for software built in GitHub.

High-level integration flow

1. Add the QCecuring GitHub Action to workflow YAML files and configure OIDC trust or API credentials.
2. Workflow steps request signing operations, passing artifact hashes to QCecuring’s signing service.
3. QCecuring validates the request against policies, performs signing, and returns signatures.
4. Signed artifacts and certificates are published as workflow outputs or deployed to target environments.
5. Audit records link each signing event to the specific commit, workflow, and actor for traceability.

CBOM Discovery

QCecuring scans GitHub Actions workflows for code signing steps, secret references, and TLS configurations, mapping cryptographic usage into your CBOM.