Skip to content

MemDeco-WG/setup-kam

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
.github/workflows
.github/workflows
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
README_zh.md
README_zh.md
 
 
action.yml
action.yml
 
 

Repository files navigation

Setup kam

Release License

Install kam in your GitHub Actions runner with optional caching and template import.

Important

  • By default the private-key input is optional. If it is not provided the action will continue but will print a warning. To make the key mandatory set require-private-key: 'true'. When provided the key will be imported into the kam keyring (secret name main) and a random passphrase will be exported to KAM_SIGN_PASSPHRASE (masked).
  • The action will attempt to install Commitizen (python-commitizen) via uv when install-commitizen is 'true' (default). Verification prefers module invocation (python -m commitizen) and falls back to the cz CLI if present. If Commitizen cannot be verified and require-commitizen is 'true', the action will fail; otherwise it will continue and emit a warning.
  • The action performs preflight checks for required tools (such as curl and openssl) and will fail fast with guidance if missing.
  • To avoid unnecessary recompilation when a later step in the job fails after a successful build, this action saves the compiled kam artifacts to the GitHub Actions cache immediately after installation. The cache save is guarded so it only runs when a working kam binary is present, and it is executed with an always()-style guard so that it will still attempt to save the build even if later steps fail. Keep enable-cache: 'true' (the default) and ensure files used in the cache key (for example Cargo.lock) are present so the cache can be reliably restored on subsequent runs.

Usage

Basic example:

name: CI with kam
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup kam
        uses: MemDeco-WG/setup-kam@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          private-key: ${{ secrets.KAM_PRIVATE_KEY }}   # required
      - run: kam --version

With template import and caching:

- name: Setup kam (with template)
  uses: MemDeco-WG/setup-kam@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}        # optional (recommended)
    enable-cache: 'true'                             # optional, default true
    template-url: https://example.com/template.zip   # optional
    kam-version: '0.3.1'                             # optional, pin version
    private-key: ${{ secrets.KAM_PRIVATE_KEY }}      # optional (see 'require-private-key' to enforce)
    require-private-key: 'true'                      # optional (fail if private-key not provided)

Inputs

  • github-token (optional): Default ${{ github.token }}. Use this if you need authenticated access to private releases/assets.
  • enable-cache (optional): 'true' (default) or 'false' to disable caching.
  • kam-version (optional): Pin a specific kam version to install (e.g., '0.1.2'). When set, network lookup for the latest version is skipped and the pinned version will be used for installation and cache keys.
  • template-url (optional): URL to a template archive (e.g., .zip, .tgz, .tar.gz). The URL must include a filename and extension; if you download manually, preserve the extension or provide the extracted directory path to kam tmpl import.
  • private-key (optional): The KAM private key contents (PEM). Provide it through a repository secret, for example: private-key: ${{ secrets.KAM_PRIVATE_KEY }}. If provided, the action will import it into the kam keyring (using secret name main) and export an auto-generated passphrase as KAM_SIGN_PASSPHRASE (masked).
  • require-private-key (optional): 'false' (default) or 'true'. When 'true' the action will fail early if private-key is not provided.
  • install-commitizen (optional): 'true' (default) or 'false'. Attempt to install commitizen via uv. If you prefer not to install commitizen in the runner, set to 'false'.
  • require-commitizen (optional): 'false' (default) or 'true'. When 'true' the action will fail if commitizen cannot be verified after attempted installation.

Outputs

  • latest-version: Resolved kam version (from crates.io/GitHub or pinned).
  • installed-version: Currently installed kam version (string, or empty).
  • should-install: 'true' if the action decided to install kam.
  • key-imported: 'true' if the private key was successfully imported.

Notes

  • The action attempts to install python-commitizen and verifies it's callable (preferring python -m commitizen and falling back to cz if present). This behavior is controlled by install-commitizen and require-commitizen inputs; if verification fails and require-commitizen is 'true', the action will fail, otherwise it will continue with a warning.
  • The action performs preflight checks for required tools (e.g., curl, openssl, and archive utilities if template-url points to an archive) and will fail early with guidance if they are missing.
  • When a private-key is imported the action masks sensitive values and sets KAM_SIGN_PASSPHRASE in the environment for subsequent steps (masked in logs).
  • Prefer uses: MemDeco-WG/setup-kam@v1 (major alias) rather than pinning patch versions for stable behavior.

About

setup kam

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v2 Latest
Dec 14, 2025
+ 1 release

Packages

 
 
 

Contributors