
Bump cycodelabs/cimon-action from 0.10.1 to 1.0.1#466

Merged
omerr-cycode merged 1 commit into main from dependabot/github_actions/cycodelabs/cimon-action-1.0.1 on Jun 3, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps cycodelabs/cimon-action from 0.10.1 to 1.0.1.

Release notes

Sourced from cycodelabs/cimon-action's releases.

v1.0.1 — Expose installed cimon path to downstream steps

Follow-up to v1.0.0. The per-job install dir that landed in v1.0.0 made the binary unreachable for any verify step that hardcoded the pre-v1.0.0 path. This release surfaces the install location three ways so workflows don't have to reconstruct the tmpdir layout.

What's in (#121)

After the action installs cimon, the install directory is added to PATH, the absolute path is exported as CIMON_PATH, and the same path is emitted as the cimon-path step output. Subsequent steps can pick whichever fits their pattern:

```yaml
- id: cimon
  uses: cycodelabs/cimon-action/attest@v1
  with: { subjects: dist\my-app.msi, keyless: true }

- name: Verify (PATH lookup)
  run: cimon.exe attest verify --subjects dist\my-app.msi --signed-prov provenance.intoto.jsonl.sig --keyless

- name: Verify (env var)
  run: '& $env:CIMON_PATH attest verify ...'

- name: Verify (step output)
  run: '& "${{ steps.cimon.outputs.cimon-path }}" attest verify ...'
```

Applies to all three install branches: Windows release-zip, Linux install.sh, and the release-path input override.

Verified

verify-attest-windows end-to-end job on windows-latest exercises the new behavior and passes in ~21s.

Notes

  • No input changes, no breaking changes for existing @v1 consumers — workflows that didn't reach into $RUNNER_TEMP keep working unchanged.
  • The hardcoded-path failure mode only affected explicit $RUNNER_TEMP\cimon\ references in verify steps; the action's own attest call continued to work in v1.0.0.

v1.0.0 — Windows / GHES attest support

First numbered v1.X.Y release. From here on, concrete release tags and the @v1 floating tag agree on the major.

Cross-platform cimon-action/attest: the attest sub-action now runs on Linux, Windows, and macOS GitHub Actions runners — including self-hosted runners on GitHub Enterprise Server.

What's in

  • Windows install path (#118): resolves the latest tag from cycodelabs/cimon-releases and downloads cimon_windows_x86_64.zip directly. No S3 dependency.
  • Per-job install dir + wipe-before-install (#114): closes a silent-reuse hole on self-hosted runners with persistent $RUNNER_TEMP. Applied to both the Linux install.sh path and the Windows release-zip path.
  • verify-attest-windows CI job exercises the action end-to-end on windows-latest with keyed signing.
  • Cross-platform attest/README.md with GHES support notes and signing-path guidance (KMS / private Sigstore / keyed offline / public Sigstore).
  • Hardened build-attest-dist.yaml: npm ci --ignore-scripts, single-file commit guard, fork-safe checkout.

Requirements

  • Cimon binary ≥ v1.0.17 on the release side (already published to cycodelabs/cimon-releases). The action installs this automatically.

Notes

  • Hardening agent (cimon-action@v1 top-level, prevent: true) remains Linux-only.

... (truncated)

Commits
  • a0870cc fix(attest): export install path so verify steps can find cimon (#121)
  • 5b283fa feat(attest): post-#118 hardening + Windows CI verification + docs (#114)
  • 3bd4d12 feat(attest): Windows support — fetch zip from cimon-releases, ncc 0.38 upgra...
  • 198bedc chore: bump action runtime to node24 (#115)
  • b321589 fix: skip RC/alpha/beta tags when finding latest v1.x release (#106)
  • 8f178f9 docs: update README for v1 with hardening support (#105)
  • 08c774d feat: v1 hardening support (#104)
  • See full diff in compare view

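The two mechanisms the release notes above describe, a per-job install dir under $RUNNER_TEMP that is wiped before every install (v1.0.0, #114) and the resolved path exposed to later steps via PATH, an env var and a step output (v1.0.1, #121), as an added shell illustration that is not cimon-action's own code. The function names and the directory naming scheme are assumptions; the three files written are the ones GitHub Actions reads ($GITHUB_PATH, $GITHUB_ENV, $GITHUB_OUTPUT).

```shell
#!/usr/bin/env bash
# Added example, not the action's implementation. Helper names and the
# "cimon-<run id>-<job>" naming scheme are assumptions for illustration.
set -euo pipefail

# Per-job directory name built from the run id and job name, so two jobs that
# share a persistent RUNNER_TEMP on a self-hosted runner never resolve to the
# same dir. Args: RUNNER_TEMP, GITHUB_RUN_ID, GITHUB_JOB.
cimon_install_dir() {
  printf '%s/cimon-%s-%s\n' "$1" "$2" "$3"
}

# Wipe whatever an earlier run left behind, then recreate the dir empty.
# This is the "wipe-before-install" step that closes the silent-reuse hole:
# a stale binary from a previous job can never be picked up as if freshly installed.
# Prints the directory path.
prepare_install_dir() {
  local dir
  dir=$(cimon_install_dir "$1" "$2" "$3")
  rm -rf -- "$dir"
  mkdir -p -- "$dir"
  printf '%s\n' "$dir"
}

# Expose the installed binary the three ways the v1.0.1 notes list.
# Args: install dir, $GITHUB_PATH file, $GITHUB_ENV file, $GITHUB_OUTPUT file.
export_install_path() {
  local dir=$1 path_file=$2 env_file=$3 out_file=$4
  printf '%s\n' "$dir" >>"$path_file"                  # later steps find cimon on PATH
  printf 'CIMON_PATH=%s/cimon\n' "$dir" >>"$env_file"  # $CIMON_PATH / $env:CIMON_PATH
  printf 'cimon-path=%s/cimon\n' "$dir" >>"$out_file"  # steps.<id>.outputs.cimon-path
}

# Stand-alone demo against a constructed temp dir (no real runner needed).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  d=$(prepare_install_dir "$tmp" 42 build)
  export_install_path "$d" "$tmp/path" "$tmp/env" "$tmp/out"
  cat "$tmp/path" "$tmp/env" "$tmp/out"
fi
```

Run with `--demo` to see the three exported values; in a real workflow the three files are the ones the runner already points the variables at.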
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 3, 2026
@dependabot dependabot Bot requested a review from avishaiamiel as a code owner June 3, 2026 03:33
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 3, 2026
@dependabot dependabot Bot requested a review from omerr-cycode as a code owner June 3, 2026 03:33
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label Jun 3, 2026
Bumps [cycodelabs/cimon-action](https://github.com/cycodelabs/cimon-action) from 0.10.1 to 1.0.1.
- [Release notes](https://github.com/cycodelabs/cimon-action/releases)
- [Commits](CycodeLabs/cimon-action@3ca67e8...a0870cc)

---
updated-dependencies:
- dependency-name: cycodelabs/cimon-action
  dependency-version: 1.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/cycodelabs/cimon-action-1.0.1 branch from 448e583 to 0778608 Compare June 3, 2026 04:40
@omerr-cycode omerr-cycode merged commit 61e5289 into main Jun 3, 2026
28 checks passed
@omerr-cycode omerr-cycode deleted the dependabot/github_actions/cycodelabs/cimon-action-1.0.1 branch June 3, 2026 04:47