
epic: v1.0 customer UX — zero-config experience #7

@colek42


Goal

A customer should be able to add cilock-action to their CI pipeline with zero configuration for the hosted platform. Today there are still manual steps that block adoption.

P0 — Must have for launch

1. Auto-provision OIDC credentials on GitHub App install

When a customer installs the TestifySec GitHub App, auto-create an OIDC credential:

  • Issuer: https://token.actions.githubusercontent.com
  • Subject: repo:<org>/*
  • Audience: derived from platform URL
  • Scopes: attestation:upload

No manual credential setup. The customer installs the app and it works.

2. Better error messages

Current errors are opaque:

  • archivista store returned 500: unexpected end of JSON input → "Upload failed. Check your OIDC credential at Settings > Credentials"
  • failed to obtain certificate from Fulcio → "Fulcio signing failed. Verify your platform URL is correct and the Fulcio service is reachable"
  • 401: Invalid API credential → "Authentication failed. Ensure an OIDC credential exists for this repository"

Map common error codes to actionable guidance with links to docs.

3. v1 major version tag

Users should pin to @v1 and get patches automatically. The release workflow has the v1 tag update step but it's failing. Fix the git tag -fa v1 step in the release workflow.

4. Progress output with ::group:: blocks

The action is silent during signing/upload. Add structured output:

::group::Signing attestation with Fulcio
Requesting certificate from https://platform.testifysec.com/api/v2/signingCert
Certificate obtained for subject: repo:org/repo:ref:refs/heads/main
::endgroup::
::group::Uploading to Archivista
Storing signed DSSE envelope (3.2 KB)
Attestation stored: gitoid:sha256:abc123def456
::endgroup::

P1 — Should have

5. Starter workflow template

Ship a .github/workflows/cilock.yml starter workflow that appears in the GitHub Actions tab:

name: Supply Chain Attestation
on: [push]
jobs:
  attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: aflock-ai/cilock-action@v1
        with:
          step: build
          command: make build

6. cilock verify local command

Customers can create attestations but can't verify locally:

cilock verify --attestation output.json --policy policy.yaml

Checks the signed envelope against a policy without needing the full platform.

7. README with copy-paste examples

  • Basic: Go/Node/Python build
  • Docker: Build + push with attestation
  • Multi-step: Build → test → deploy pipeline
  • Self-hosted: Platform URL override
  • Troubleshooting: Common errors and fixes

P2 — Nice to have

8. --dry-run flag

Run the command and create the attestation but don't upload. Useful for testing.

9. Attestation summary in GitHub Actions

Post an Actions Job Summary with:

  • What was attested (step name, command)
  • Signing status (Fulcio cert subject)
  • Upload status (gitoid link to platform)
  • List of subjects (material/product digests)

10. Badge

[![Supply Chain Attested](https://platform.testifysec.com/badge/org/repo)](https://platform.testifysec.com/products/org/repo)
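The P0 item "Auto-provision OIDC credentials on GitHub App install" leaves the matching rule implicit: the credential's subject `repo:<org>/*` is a glob, while the token the action actually presents carries a full subject such as `repo:org/repo:ref:refs/heads/main`. The following Go program is an added example, not code from cilock or the TestifySec platform. It assumes field names (`OIDCCredential`, `TokenClaims`, `Authorize`, `ProvisionForOrg`) that are not in the issue, assumes the audience is simply the platform URL, and assumes the token's signature has already been verified against the issuer's JWKS; it shows only the claim checks that decide whether a token is covered by the auto-provisioned credential, and why an anchored glob is needed so that `repo:acme/*` does not also admit `repo:acme-evil/...`.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// OIDCCredential is the record the issue proposes to create automatically when
// the GitHub App is installed. Field names are assumptions for this example.
type OIDCCredential struct {
	Issuer   string   // exact match
	Subject  string   // glob; "*" matches any run of characters, e.g. "repo:<org>/*"
	Audience string   // exact match
	Scopes   []string // e.g. "attestation:upload"
}

// TokenClaims holds the claims of an already signature-verified GitHub Actions
// OIDC token. Verifying the JWT signature against the issuer's JWKS is assumed
// to have happened before this check and is out of scope here.
type TokenClaims struct {
	Issuer   string
	Subject  string
	Audience string
}

// ProvisionForOrg builds the credential described in the issue. Using the
// platform URL directly as the audience is an assumption of this example.
func ProvisionForOrg(org, platformURL string) OIDCCredential {
	return OIDCCredential{
		Issuer:   "https://token.actions.githubusercontent.com",
		Subject:  "repo:" + org + "/*",
		Audience: platformURL,
		Scopes:   []string{"attestation:upload"},
	}
}

// subjectGlobToRegexp turns the credential's subject glob into an anchored
// regexp. Everything except "*" is quoted, so a literal "." or "?" in an org
// name cannot widen the match, and the anchors stop prefix/suffix matches.
func subjectGlobToRegexp(glob string) (*regexp.Regexp, error) {
	parts := strings.Split(glob, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.Compile("^" + strings.Join(parts, ".*") + "$")
}

// Authorize decides whether a token presented for requiredScope is covered by
// cred. Each check returns a distinct error so the action can map it to
// actionable guidance instead of surfacing a bare 401.
func Authorize(cred OIDCCredential, claims TokenClaims, requiredScope string) error {
	if claims.Issuer != cred.Issuer {
		return fmt.Errorf("issuer mismatch: token from %q, credential expects %q", claims.Issuer, cred.Issuer)
	}
	if claims.Audience != cred.Audience {
		return fmt.Errorf("audience mismatch: token for %q, credential expects %q", claims.Audience, cred.Audience)
	}
	re, err := subjectGlobToRegexp(cred.Subject)
	if err != nil {
		return fmt.Errorf("invalid credential subject pattern %q: %w", cred.Subject, err)
	}
	if !re.MatchString(claims.Subject) {
		return fmt.Errorf("subject %q is not covered by credential subject %q", claims.Subject, cred.Subject)
	}
	for _, s := range cred.Scopes {
		if s == requiredScope {
			return nil
		}
	}
	return errors.New("credential lacks scope " + requiredScope)
}

func main() {
	// Constructed sample values; "acme" and the platform URL are placeholders.
	cred := ProvisionForOrg("acme", "https://platform.example.com")
	claims := TokenClaims{
		Issuer:   "https://token.actions.githubusercontent.com",
		Subject:  "repo:acme/widgets:ref:refs/heads/main",
		Audience: "https://platform.example.com",
	}
	fmt.Println("same org:", Authorize(cred, claims, "attestation:upload"))
	claims.Subject = "repo:acme-evil/widgets:ref:refs/heads/main"
	fmt.Println("other org:", Authorize(cred, claims, "attestation:upload"))
}
```

The order of checks matters for the error messages in item 2: issuer and audience are checked before the subject, so a workflow pointed at the wrong platform URL gets an audience error rather than a misleading "no credential for this repository".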
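Items 2 ("Better error messages") and 4 ("Progress output with ::group:: blocks") fit together: the guidance only helps if it is emitted where GitHub surfaces it, and the raw error must not be thrown away in the process. The Go program below is an added example, not the action's own code. It assumes substring matching on the raw error text (the issue gives the three raw messages but not how they are detected), uses a placeholder documentation URL, and stubs the Fulcio and Archivista stages so it runs offline; the `::group::`, `::endgroup::` and `::error::` lines are the standard GitHub Actions workflow commands.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// docsBase is a placeholder; the issue does not say where the docs will live.
const docsBase = "https://docs.example.com/cilock"

// errorRule pairs a substring of a raw error with the guidance the issue wants
// shown instead. The first matching rule wins, so list specific needles first.
type errorRule struct {
	needle  string
	message string
	docPath string
}

var errorRules = []errorRule{
	{"archivista store returned 500", "Upload failed. Check your OIDC credential at Settings > Credentials", "/troubleshooting#upload-failed"},
	{"failed to obtain certificate from Fulcio", "Fulcio signing failed. Verify your platform URL is correct and the Fulcio service is reachable", "/troubleshooting#fulcio"},
	{"401: Invalid API credential", "Authentication failed. Ensure an OIDC credential exists for this repository", "/troubleshooting#auth"},
}

// Explain returns a single-line, actionable message for err. The raw error is
// kept at the end so nothing needed for debugging is lost; a single line is
// used because "::error::" does not accept unescaped newlines.
func Explain(err error) string {
	raw := strings.TrimSpace(err.Error())
	for _, r := range errorRules {
		if strings.Contains(raw, r.needle) {
			return fmt.Sprintf("%s (docs: %s%s) [raw: %s]", r.message, docsBase, r.docPath, raw)
		}
	}
	return fmt.Sprintf("Unexpected error (docs: %s/troubleshooting) [raw: %s]", docsBase, raw)
}

// Logger writes GitHub Actions workflow commands. Writing to an io.Writer
// instead of os.Stdout directly keeps the output testable.
type Logger struct{ Out io.Writer }

// Group runs fn inside a collapsible ::group:: block. The group is closed even
// when fn fails, and the explained error is then emitted as an ::error::
// annotation so it appears on the job page, not only inside the folded log.
func (l Logger) Group(title string, fn func(log func(string)) error) error {
	fmt.Fprintf(l.Out, "::group::%s\n", title)
	err := fn(func(line string) { fmt.Fprintln(l.Out, line) })
	fmt.Fprintln(l.Out, "::endgroup::")
	if err != nil {
		fmt.Fprintf(l.Out, "::error::%s\n", Explain(err))
	}
	return err
}

// RunPipeline mimics the two stages shown in the issue with stubbed Fulcio and
// Archivista calls (constructed output). When uploadFails is true the upload
// stage returns the first opaque error quoted in the issue.
func RunPipeline(out io.Writer, uploadFails bool) error {
	l := Logger{Out: out}
	err := l.Group("Signing attestation with Fulcio", func(log func(string)) error {
		log("Requesting certificate from https://platform.example.com/api/v2/signingCert")
		log("Certificate obtained for subject: repo:acme/widgets:ref:refs/heads/main")
		return nil
	})
	if err != nil {
		return err
	}
	return l.Group("Uploading to Archivista", func(log func(string)) error {
		log("Storing signed DSSE envelope (3.2 KB)")
		if uploadFails {
			return errors.New("archivista store returned 500: unexpected end of JSON input")
		}
		log("Attestation stored: gitoid:sha256:<placeholder>")
		return nil
	})
}

func main() {
	if err := RunPipeline(os.Stdout, true); err != nil {
		os.Exit(1)
	}
}
```

Keeping the raw error in the annotation is deliberate: a mapped message such as "Check your OIDC credential" is a best guess, and when it is wrong the original server response is the only thing that lets a support engineer tell a credential problem from a malformed Archivista reply.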

Labels: enhancement (New feature or request)