From b7100197917765de46eab9f551c039d6a3b8665a Mon Sep 17 00:00:00 2001 From: Nandor Kracser Date: Fri, 5 Jun 2026 16:30:25 +0200 Subject: [PATCH 1/4] fix: update install.sh flags to --controlplane-url and --plugin GitHubActions --- action.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index acd6a5c..d5321da 100644 --- a/action.yml +++ b/action.yml @@ -27,5 +27,6 @@ runs: DAEMON_VERSION: ${{ inputs.version }} run: | curl -fsSL https://docs.riptides.io/install.sh | sudo -E bash -s -- \ - --control-plane "${{ inputs.controlplane-url }}" \ - --github-actions "${{ inputs.audience }}" + --controlplane-url "${{ inputs.controlplane-url }}" \ + --plugin GitHubActions \ + --github-actions-audience "${{ inputs.audience }}" From acf400673b8cc4b71c5798a99c29a4e685b29da5 Mon Sep 17 00:00:00 2001 From: Nandor Kracser Date: Fri, 5 Jun 2026 16:38:36 +0200 Subject: [PATCH 2/4] docs: explain what Riptides provides for CI jobs --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index cfdb1d0..cb8e307 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,14 @@ GitHub Action to install the [Riptides](https://riptides.io) daemon and join a control plane from a GitHub Actions runner. Authentication uses GitHub Actions OIDC, no join tokens or long-lived credentials required. +## What is Riptides? + +Riptides is a zero-trust networking layer that runs as a kernel module on your hosts. For CI pipelines it solves two problems: + +**Secure secret injection** — instead of storing cloud credentials, API keys, or service tokens in GitHub secrets, Riptides gives the runner a verified SPIFFE workload identity and enforces your policy at the network layer. Your CI job calls AWS, S3, internal APIs, or any other service exactly as it would in production — credentials are injected transparently based on the runner's identity, without ever touching a secret. + +**Connection visibility** — every outbound and inbound TCP connection made during a CI job is tracked with full workload identity context: which workflow, which repository, which actor made the call, and whether it was allowed or denied by policy. This gives you the same traffic observability and access control in CI that you have across the rest of your fleet. + ## Prerequisites 1. A Riptides control plane with a `GitHubActionsVerifier` configured for your repository owner: From ed4f86d5bdc3a123c9a17d4727909bf48955e215 Mon Sep 17 00:00:00 2001 From: Nandor Kracser Date: Fri, 5 Jun 2026 16:39:44 +0200 Subject: [PATCH 3/4] chore: add CODEOWNERS --- .github/CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..4b1c697 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @riptideslabs/devs From 9edf473349fec7c08b246eb4dbd2462f58429861 Mon Sep 17 00:00:00 2001 From: Nandor Kracser Date: Fri, 5 Jun 2026 16:40:33 +0200 Subject: [PATCH 4/4] ci: add actionlint workflow --- .github/workflows/ci.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..dc80d63 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,12 @@ +name: CI + +on: + push: + pull_request: + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: raven-actions/actionlint@v2