docs: update README for auth.notme.bot + notme repo #114
Merged
jamestexas merged 4 commits into main on Mar 29, 2026
auth.notme.bot is now the canonical signet identity authority (CF Worker with SigningAuthority DO, zero-copy CA key).
- gha-identity.yml: cert exchange → auth.notme.bot/cert/gha
- signet-resign.yml: updated comment
- APAS spec: auth.notme.bot as running authority
- Bridge cert design doc: updated domain references
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- OIDC section: auth.notme.bot as default authority, self-host via notme/worker
- GHA section: reusable workflow from agentic-research/notme
- Roadmap: edge authority shipped, Go workspace + OAuth port next
- Related section: links to notme repo, auth.notme.bot, notme.bot
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Updates project documentation and GitHub Actions guidance to reflect auth.notme.bot as the default identity authority and to link out to the agentic-research/notme ecosystem (worker, schemas, reusable workflows). Also introduces a reusable GHA identity-exchange workflow and updates the re-sign workflow to consume bridge certs from that exchange.
Changes:
- Update docs/spec references from auth.rosary.bot to auth.notme.bot and clarify authority/orchestrator separation.
- Refresh README sections for OIDC bridge issuance and GHA OIDC signing to point to hosted authority + reusable workflow approach.
- Add .github/workflows/gha-identity.yml and refactor signet-resign.yml to use it (no stored SIGNET_MASTER_KEY).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| docs/design/004-bridge-certs.md | Updates deployed authority domain reference to auth.notme.bot. |
| docs/apas/agent-provenance-standard.md | Updates APAS URI resolution + reference implementation domain separation to auth.notme.bot. |
| cmd/signet/auth_login.go | Updates inline comment example URL for certificate request. |
| README.md | Reworks OIDC bridge + GHA signing documentation to emphasize hosted authority and notme reusable workflows; updates roadmap/related links. |
| .github/workflows/signet-resign.yml | Switches re-sign flow to consume bridge cert/key outputs from a reusable identity workflow. |
| .github/workflows/gha-identity.yml | Adds reusable workflow that exchanges GHA OIDC for octo-sts GitHub token (optional) and a bridge cert from auth.notme.bot. |
- gha-identity.yml: Bearer capitalization, validate CERT/KEY non-null, mask base64-encoded key form (not just raw PEM)
- signet-resign.yml: validate base64 inputs non-empty, check decoded PEM contains BEGIN CERTIFICATE
- auth_login.go: fix example URL in comment (/api/cert not /exchange-token)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Addresses remaining Copilot comments:
- URL-encode BRIDGE_AUDIENCE before appending to query string (jq @uri)
- Use jq -er for certificate/private_key/expires_at extraction (fails on null/missing instead of producing "null" string)
- Remove redundant post-hoc null checks (jq -e handles this)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
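The extraction and validation behaviour named in the two fix-up commits above, as an added shell example that is not the PR's workflow code. The function names and both JSON bodies are constructed for illustration; only the field names certificate, private_key and expires_at come from the page.

```shell
#!/usr/bin/env bash
# Added example, not the workflow from this PR. Requires jq and base64.

# Constructed sample bodies: one complete, one with a null certificate and
# no private_key field at all.
GOOD_RESPONSE='{"certificate":"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n","private_key":"constructed-key","expires_at":"2026-03-29T00:05:00Z"}'
BAD_RESPONSE='{"certificate":null,"expires_at":"2026-03-29T00:05:00Z"}'

# jq -r prints the literal string "null" for a null or missing field and
# exits 0, so a later step would carry "null" forward as if it were a cert.
extract_lenient() { printf '%s' "$1" | jq -r --arg f "$2" '.[$f]'; }

# jq -er exits non-zero when the last output is null or false, which makes
# the step fail at the extraction itself.
extract_strict() { printf '%s' "$1" | jq -er --arg f "$2" '.[$f]'; }

# Percent-encode a value before appending it to a query string (jq @uri).
urlencode() { jq -rn --arg v "$1" '$v | @uri'; }

# Validate a base64-encoded certificate input: non-empty, decodable, and the
# decoded text carries a PEM certificate header. Prints the PEM on success.
decode_cert() {
  dc_b64="$1"
  [ -n "$dc_b64" ] || { echo "empty certificate input" >&2; return 1; }
  dc_pem="$(printf '%s' "$dc_b64" | base64 -d 2>/dev/null)" \
    || { echo "input is not valid base64" >&2; return 1; }
  case "$dc_pem" in
    *"-----BEGIN CERTIFICATE-----"*) printf '%s\n' "$dc_pem" ;;
    *) echo "decoded value is not a PEM certificate" >&2; return 1 ;;
  esac
}
```
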
Summary
auth.notme.bot as default authority, self-host via notme/worker
agentic-research/notme
Also includes the earlier commit (72e9844): gha-identity.yml → auth.notme.bot/cert/gha, APAS spec docs updated.
Test plan
🤖 Generated with Claude Code