← Back to portal

Start (SRE / DevOps)

1. Minimal integration

Use the reference Wedge to produce a CRA readiness evidence pack (receipt + report) within CI/CD.

1.1 GitHub Actions

Enterprise environments often require pinning to a commit SHA. Pinning is recommended.

jobs:
  px-evidence:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: px-root-registry/eu-cra-readiness-audit@v1  # RECOMMENDED: pin to a commit SHA

1.2 Quickstart (evaluation only)

If your environment allows outbound HTTP during build, you may retrieve the Wedge artifact and verify it against the Root-signed manifest prior to execution. For enterprise production use, vendoring under change-control is recommended.

curl -fsSLO https://px-root-registry.org/.well-known/wedge/v1/manifest.json
curl -fsSLO https://px-root-registry.org/.well-known/wedge/v1/generate_cra_pack.js

# Verify Root signature + byte-level binding (requires PX_ROOT_PUBKEY_RAW32_B64U)
PX_ROOT_PUBKEY_RAW32_B64U=vKYG_q1FzMc3_mkDierRVA5HOdG7SIO-vw98NWwsQEg \
  node tools/verify_wedge_manifest.js --manifest manifest.json --base-dir .

node generate_cra_pack.js

1.3 Non-GitHub CI (local vendored wedge)

Assumes the Wedge artifact is vendored into your repository under /.well-known/wedge/.

GitLab CI

px_evidence:
  script:
    - node .well-known/wedge/v1/generate_cra_pack.js

Jenkins

stage('PX Evidence'){ steps{ sh 'node .well-known/wedge/v1/generate_cra_pack.js' } }

Azure DevOps

- script: node .well-known/wedge/v1/generate_cra_pack.js

2. Enterprise controls (vendoring and inspection)

• Vendoring: Retrieve the Wedge artifact and commit it into your internal repository (or internal artifact store) under change-control.
• Pinning: If using GitHub Actions, pin the action reference to a commit SHA per your supply-chain policy.
• Integrity: Verify Root signatures on registry documents under /v1/. A byte-level binding is published in /v1/registry-manifest.json.
• Attachable evidence: /v1/px-tl/registry-health returns an attachable audit evidence JSON snapshot for change-control templates.

3. Outputs

The Wedge produces a small evidence pack intended for attachment to internal governance workflows.

• Human-readable report (.md or equivalent).
• Machine-readable receipt (AL0 and, when applicable, AL2).
• Optional: a zipped submission pack for handoff to auditors.

4. Runtime endpoints

• POST /v1/px-tl/sct — SCT issuance (issuer-authenticated).
• GET /v1/trust-store.json — dynamic Root-signed trust store snapshot.
• GET /v1/px-tl/registry-health — registry health + attachable evidence JSON.

5. References

• /verify/ — verification steps.
• /.well-known/al2/issuer-onboarding/ — issuer onboarding.
• /v1/operator.json — Root-signed operator identity record.
• /v1/policy.json — administrative policy.
• /v1/fee-schedule.json — billing state and notice constraints.
• /.well-known/al2/auditor-guidelines/ — auditor manual.