riptideslabs/setup-riptides


setup-riptides

GitHub Action to install the Riptides daemon and join a control plane from a GitHub Actions runner. Authentication uses GitHub Actions OIDC; no join tokens or long-lived credentials are required.

What is Riptides?

Riptides is a zero-trust networking layer that runs as a kernel module on your hosts. For CI pipelines it solves two problems:

Secure secret injection — instead of storing cloud credentials, API keys, or service tokens in GitHub secrets, Riptides gives the runner a verified SPIFFE workload identity and enforces your policy at the network layer. Your CI job calls AWS, S3, internal APIs, or any other service exactly as it would in production — credentials are injected transparently based on the runner's identity, without ever touching a secret.

Connection visibility — every outbound and inbound TCP connection made during a CI job is tracked with full workload identity context: which workflow, which repository, which actor made the call, and whether it was allowed or denied by policy. This gives you the same traffic observability and access control in CI that you have across the rest of your fleet.

Prerequisites

  1. A Riptides control plane with a GitHubActionsVerifier configured for your repository owner:
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: github-actions
spec:
  GitHubActions:
    repositoryOwner: your-org   # required, restricts to your org
    audience: riptides           # must match the action's audience input
  2. The workflow must have id-token: write permission.

Usage

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for OIDC token
      contents: read
    steps:
      - uses: riptideslabs/setup-riptides@v1
        with:
          controlplane-url: https://abc123.console.riptides.io

Fetch a cloud resource

No AWS access keys in GitHub secrets. Riptides injects temporary credentials based on the runner's workload identity.

      - name: Fetch config from S3
        run: aws s3 cp s3://my-bucket/config.json ./config.json

Post a deployment result

Riptides injects the bearer token for outbound calls to services covered by your policy; no secrets are stored in the workflow.

      - name: Notify Sentry of deployment
        run: |
          sentry-cli releases new "${{ github.sha }}"
          sentry-cli releases deploys "${{ github.sha }}" new -e production

Inputs

| Input | Required | Default | Description |
| --- | --- | --- | --- |
| controlplane-url | yes | | URL of your Riptides control plane |
| audience | no | riptides | OIDC token audience; must match the GitHubActionsVerifier config |
| version | no | latest | Daemon version to install |

How it works

The action calls the Riptides install.sh with --github-actions. The installer:

  1. Installs the kernel driver and daemon package
  2. Calls riptides daemon auth --plugin GitHubActions, which fetches an OIDC token from the Actions token endpoint and exchanges it for a SPIFFE X.509 identity certificate
  3. Starts the daemon as a systemd service

The runner VM is ephemeral so no cleanup step is needed.
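The control-plane side of that exchange is what makes the action safe to use without join tokens: the verifier has to reject tokens that were not minted for this audience or for this repository owner. The following is an added example, not the project's own code, of the claim checks that the GitHubActionsVerifier config in Prerequisites expresses (repositoryOwner, audience), plus issuer and expiry, applied to a constructed, unsigned test token. It assumes that signature verification against GitHub's JWKS has already happened before these checks run, and the returned identity context (repository, workflow, actor, ref) is this example's choice of fields, not the daemon's exact schema.

```python
import base64
import json
import time

# Issuer of GitHub Actions OIDC tokens (a published GitHub value).
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def verify_claims(token: str, repository_owner: str, audience: str, now=None) -> dict:
    """Apply the repositoryOwner/audience policy from the Verifier config, plus
    issuer and expiry. Assumption of this example: the signature has already been
    verified against GitHub's JWKS. Returns the identity context on success and
    raises ValueError on any policy failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))

    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        raise ValueError(f"unexpected issuer: {claims.get('iss')!r}")
    # 'aud' may be a string or a list per RFC 7519; normalise to a list.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: {aud!r} != {audience!r}")
    if claims.get("repository_owner") != repository_owner:
        raise ValueError(f"repository owner {claims.get('repository_owner')!r} not allowed")
    current = time.time() if now is None else now
    if current >= float(claims.get("exp", 0)):
        raise ValueError("token expired")

    # Identity context Riptides attaches to connections: which repository,
    # workflow and actor made the call (field selection is this example's).
    return {k: claims[k] for k in ("repository", "workflow", "actor", "ref") if k in claims}


def make_unsigned_token(claims: dict) -> str:
    # Constructed test fixture only: header and payload with an empty signature
    # segment, so it exercises the claim checks without a real signing key.
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."
```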
