---
title: "CI/CD Integration"
description: "Automatically sign build artifacts in your deployment pipeline using XI Objects trust blocks."
published: 2026-02-18T18:06:30.375941+00:00
updated: 2026-02-18T18:06:30.375941+00:00
tags: ["cicd", "devops", "guide"]
url: https://xiobjects.com/docs/xio/guides/cicd-integration
source: XI Objects
---

<!-- xion:doctype xion+markdown -->
<!-- xion:metadata
{
  "version": "1.0",
  "content_type": "application/xion\u002Bmarkdown",
  "source_type": "xi-content/doc",
  "generator": "xio-content-publisher/1.0.0",
  "generated": "2026-02-18T18:04:36.0215291\u002B00:00",
  "encoding": "utf-8",
  "render_intent": "markdown",
  "title": "CI/CD Integration",
  "slug": "xio/guides/cicd-integration",
  "copyright": "\u00A9 2026 XI Objects Inc"
}
-->

# CI/CD Integration

Automate content signing in your build and deployment pipelines to ensure every artifact has provenance from the moment it's created. XI Objects integrates into CI/CD through the **Xio.Trust** library for programmatic signing and the **`xi` CLI** for pipeline scripting.

## Overview

```mermaid
flowchart LR
    subgraph CI["CI Pipeline"]
        B[Build] --> T[Test]
        T --> S["Sign with Xio.Trust"]
        S --> P[Publish]
    end
    
    subgraph Orbital
        O{{Orbital Network}}
    end
    
    P --> R[(Artifact Registry)]
    S --> O
    
    style CI fill:#1a1a2e,stroke:#7a4a9e
    style S fill:#582c7e,stroke:#7a4a9e,color:#fff
```

## Approach: Trust Block Signing

CI/CD signing uses the same trust block mechanism as all XI Objects signing:

1. **Obtain a short-lived leaf certificate** from a certified Orbital
2. **Sign artifacts** using Xio.Trust: embed trust blocks with the CI certificate chain
3. **Register on the Orbital network**: publish `XSIGN` records for discoverable provenance

### CI Certificate Best Practices

- **Use short-lived certificates.** Issue CI certificates with hours-long validity, not days
- **Scope narrowly.** Create dedicated CI leaf certificates, separate from human creator certificates
- **Rotate per-build.** Request a fresh leaf certificate at the start of each pipeline run
- **Secure the private key.** Use a signing delegate pattern with a vault or secrets manager

## Programmatic Signing in .NET

For .NET-based pipelines, reference Xio.Trust directly:

```csharp
using System.IO;
using Xio.Trust;
using Xio.Crypto;

// Assumed to be set up earlier in the pipeline (not shown on this page):
//   ciPublicKey     - public key of the per-run CI leaf certificate
//   ciLeafPem       - PEM of that leaf; intermediatePem - PEM of its issuing intermediate
//   vault           - client for the signing backend that holds the private key
//   cryptoServices  - Xio.Crypto services for the signer; buildArtifacts - paths to sign

// Configure trust options with CI certificate
var trustOptions = new TrustOptions
{
    PublicKey = ciPublicKey,
    // Signing delegate: only the bytes to sign go to the vault; the private key never leaves it
    Signer = async (data) => await vault.SignAsync("ci-signing-key", data),
    Context = "ci.build-signing",
    // Chain is leaf first, then the intermediate that issued it
    X509ChainPem = new[] { ciLeafPem, intermediatePem },
    HashAlgorithm = HashAlgorithm.Blake3_256
};

// Sign each artifact, replacing the file with its trust-block-bearing form
var trustSigner = new Ed25519XionTrustSigner(cryptoServices);

foreach (var artifact in buildArtifacts)
{
    var content = await File.ReadAllBytesAsync(artifact);
    var signed = await trustSigner.SignAsync(content, trustOptions);
    await File.WriteAllBytesAsync(artifact, signed);
}
```

## Using the `xi` CLI

The `xi` CLI can be used in pipeline scripts for status checks and Orbital operations:

```bash
set -euo pipefail   # abort the job on the first failed command; -u makes an unset ORBITAL_ENDPOINT fail here

# Configure connection to Orbital (quoted so the endpoint is passed intact)
xi config add ci-orbital -e "$ORBITAL_ENDPOINT"

# Check Orbital health before signing
xi orbital status --output json

# Verify cluster is ready
xi cluster status
```

## Pipeline Configuration

### Certificate Acquisition

At the start of your pipeline, request a leaf certificate from a certified Orbital.

Store the certificate and back the signing delegate with a secrets manager. What matters is where the signature is computed: a backend that signs on your behalf (Azure Key Vault, HashiCorp Vault) never releases the private key to the runner, whereas a plain secret store such as GitHub Secrets only keeps the key out of source control, and the key material is still loaded into the runner's memory for the duration of the job. Prefer a backend that signs in place for the CI key.

### Artifact Registration

After signing, publish records to the Orbital network to make provenance globally discoverable. This stores signing metadata (`XSIGN` records) and optionally spectral fingerprints (`XFPR` records) for visual artifacts.

## Verification in Deployment

Before deploying artifacts, verify their trust blocks:

1. **Extract the trust block** from the artifact
2. **Verify the BLAKE3 hash** by recomputing it over the canonical content; the hash in the block is compared, never trusted on its own
3. **Verify the Ed25519 signature** against the embedded public key
4. **Validate the certificate chain** traces to the Institute of Provenance Root CA, and confirm the leaf certificate's public key is the one embedded in the trust block (a valid chain copied next to an attacker's own key and signature must fail here)
5. **Check revocation status** via the Orbital network's Sparse Merkle proofs

This ensures only authentically signed artifacts from your CI pipeline are deployed.
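The signing step from the approach above and the verification checks just listed, as an added example that is not code from XI Objects or Xio.Trust. It is written in Go so that it runs with the standard library alone, and it makes the following assumptions: SHA-256 stands in for BLAKE3 (Go's standard library has no BLAKE3, so the block's `hash_sha256_hex` field is used instead of `hash_blake3_hex`); the signed message is `ctx`, a newline and the content hash, since Xio.Trust's canonical form (`canon_v`) is not documented on this page; the root, intermediate and per-run leaf are a constructed demo PKI standing in for the Institute of Provenance hierarchy and an Orbital, and the leaf key lives in memory rather than behind a vault delegate; revocation (step 5) needs the Orbital network and is not shown. Field names and the unpadded base64url encoding of `sig_b64` and `pubkey_b64` follow the trust block embedded in this page. `Verify` also binds the embedded key to the leaf certificate's key and enforces the hours-not-days leaf lifetime as an example CI policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)

// TrustBlock holds the fields of the xion:trust JSON shown on this page that the checks below use.
type TrustBlock struct {
	Ctx          string   `json:"ctx"`
	HashSHA256   string   `json:"hash_sha256_hex"`
	SigAlg       string   `json:"sig_alg"`
	SigB64       string   `json:"sig_b64"`        // base64url without padding, as on this page
	PubKeyB64    string   `json:"pubkey_b64"`     // base64url without padding
	X509ChainPEM []string `json:"x509_chain_pem"` // leaf first, then intermediates
}

// Sign hashes content, signs with the CI leaf key and embeds the PEM chain (leaf first). The signed message,
// ctx + "\n" + hash, is an ASSUMPTION of this example; Xio.Trust's real canonical form (canon_v) is not on this page.
func Sign(content []byte, ctx string, priv ed25519.PrivateKey, chainPEM []string) *TrustBlock {
	h := sha256.Sum256(content)
	return &TrustBlock{Ctx: ctx, HashSHA256: hex.EncodeToString(h[:]), SigAlg: "ed25519", X509ChainPEM: chainPEM,
		SigB64:    base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, append([]byte(ctx+"\n"), h[:]...))),
		PubKeyB64: base64.RawURLEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))}
}

// Verify runs the deployment-time checks in order and fails closed; revocation (Orbital Sparse Merkle proofs) is not shown.
func Verify(content []byte, tb *TrustBlock, ctx string, roots *x509.CertPool) error {
	h := sha256.Sum256(content) // hash the bytes about to be deployed; the hash in the block is only compared, never trusted
	if tb.SigAlg != "ed25519" || tb.Ctx != ctx || hex.EncodeToString(h[:]) != tb.HashSHA256 {
		return errors.New("sig_alg, ctx or content hash mismatch")
	}
	pub, _ := base64.RawURLEncoding.DecodeString(tb.PubKeyB64) // decode errors leave short or garbage bytes,
	sig, _ := base64.RawURLEncoding.DecodeString(tb.SigB64)    // which the length check and ed25519.Verify reject
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), append([]byte(ctx+"\n"), h[:]...), sig) {
		return errors.New("signature does not verify under the embedded public key")
	}
	blk, rest := pem.Decode([]byte(strings.Join(tb.X509ChainPEM, ""))) // first block is the leaf
	if blk == nil {
		return errors.New("no leaf certificate in x509_chain_pem")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	inter := x509.NewCertPool() // malformed intermediates are dropped here and surface as a chain failure below
	inter.AppendCertsFromPEM(rest)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil { // must chain to a pinned root; validity dates are checked too
		return err
	}
	// The key that verified the signature must be the key the chain certifies (else a copied valid chain plus an attacker's key passes); the lifetime bound is this example's CI policy.
	if leafPub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !leafPub.Equal(ed25519.PublicKey(pub)) ||
		leaf.NotAfter.Sub(leaf.NotBefore) > 24*time.Hour {
		return errors.New("leaf key is not the embedded key, or leaf lifetime exceeds CI policy (hours, not days)")
	}
	return nil
}

// issue creates a certificate for pub signed by signer; parent nil means self-signed. Constructed demo PKI only.
func issue(cn string, usage x509.KeyUsage, life time.Duration, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(life), KeyUsage: usage,
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent = tpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	c, err := x509.ParseCertificate(der) // also catches a failed CreateCertificate (der is then nil)
	if err != nil {
		panic(err)
	}
	return c
}

// NewDemoCA builds a constructed root and intermediate (standing in for the Institute of Provenance hierarchy) and returns the pinned root pool plus an issuer that plays the Orbital handing out a fresh leaf per pipeline run.
func NewDemoCA() (*x509.CertPool, func(cn string, life time.Duration) (ed25519.PrivateKey, []string)) {
	toPEM := func(c *x509.Certificate) string { return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})) }
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	root := issue("Demo Root CA", x509.KeyUsageCertSign, 10*365*24*time.Hour, rootPub, nil, rootKey)
	intPub, intKey, _ := ed25519.GenerateKey(rand.Reader)
	inter := issue("Demo Control Intermediate", x509.KeyUsageCertSign, 5*365*24*time.Hour, intPub, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, func(cn string, life time.Duration) (ed25519.PrivateKey, []string) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		return key, []string{toPEM(issue(cn, x509.KeyUsageDigitalSignature, life, pub, inter, intKey)), toPEM(inter)}
	}
}
```

In a pipeline, `Sign` runs at the publish step with a leaf minted for that run, and `Verify` runs before deployment against a root pool pinned in the deployer, not taken from the artifact. With that pinning, a tampered artifact, a block signed under a different context, a block whose embedded key is not the chain's leaf key, a chain that omits the intermediate or ends at a root you did not pin, and a leaf valid for days all fail closed.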

## Security Considerations

- **Never commit certificates or keys to source control.** Use CI secrets or vault integration
- **Use short-lived leaf certificates.** Request fresh certificates per pipeline run (hours, not days)
- **Separate CI certificates from human certificates.** Different leaf certificates for different purposes
- **Monitor signing activity.** Query the Orbital network to audit signing records for unexpected events
- **Verify before deploying.** Always validate trust blocks on artifacts before production deployment
- **Use the delegate pattern.** Signing delegates keep private keys in secure backends
<!-- xion:trust
{
  "v": 1,
  "canon_v": 1,
  "ctx": "xiobjects.com/content",
  "hash_blake3_hex": "9c0dbb8f22845ea001501630b3871f68442a3f5c21b66f055bbc053fc154e323",
  "hash_sha256_hex": null,
  "sig_alg": "ed25519",
  "sig_b64": "6dGKsf-KDZwI2Jl9cDxclhTUTubr47NRMDXX8wxv0ohB51c6Ig9hX0V0w--_MlBa1w6c_11HOKbpQTluoI4HBw",
  "pubkey_b64": "ff4Npz7sRQH_vUn9FY8Wrc8v_00Z49h15EyQgKVTHR0",
  "x509_chain_pem": [
    "-----BEGIN CERTIFICATE-----\r\nMIIB9TCCAaegAwIBAgIRAM4lRb8aI/FYHOJD5OYqefQwBQYDK2VwMC4xLDAqBgNV\r\nBAMMI1hJIE9iamVjdHMgSW5jIENvbnRyb2wgSW50ZXJtZWRpYXRlMB4XDTI2MDIx\r\nNTIyMDg0OFoXDTI2MDMxNzIyMDg0OFowSzEeMBwGA1UEAwwVeGlvLWNvbnRlbnQt\r\ncHVibGlzaGVyMRcwFQYDVQQKDA5YSSBPYmplY3RzIEluYzEQMA4GA1UECwwHQ29u\r\ndGVudDAqMAUGAytlcAMhAH3\u002BDac\u002B7EUB/71J/RWPFq3PL/9NGePYdeRMkIClUx0d\r\no4G8MIG5MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG\r\nCCsGAQUFBwMkMGUGA1UdIwReMFyAFDspt5hZsP6rNX4Cq7owpMYa05OyoS6kLDAq\r\nMSgwJgYDVQQDDB9JbnN0aXR1dGUgb2YgUHJvdmVuYW5jZSBSb290IENBghRSYDf4\r\nsUJ\u002B9h\u002Bod0\u002BZRK/X/JSUBTAdBgNVHQ4EFgQUP5BTxnjCAxVKgMvFhx40ljlGOAkw\r\nBQYDK2VwA0EAjKlSBzHgXpPM2PA\u002BSJ/rMso5OEqtWIHGo/zr2QSuZRXhSWafIbk9\r\nZnl0kKZCqUB2HpCfgnpOGCPK6SlefwQsAQ==\r\n-----END CERTIFICATE-----\r\n",
    "-----BEGIN CERTIFICATE-----\r\nMIIByDCCAXqgAwIBAgIUUmA3\u002BLFCfvYfqHdPmUSv1/yUlAUwBQYDK2VwMCoxKDAm\r\nBgNVBAMMH0luc3RpdHV0ZSBvZiBQcm92ZW5hbmNlIFJvb3QgQ0EwHhcNMjUxMTAy\r\nMDMxNzEyWhcNMzAxMTAxMDMxNzEyWjAuMSwwKgYDVQQDDCNYSSBPYmplY3RzIElu\r\nYyBDb250cm9sIEludGVybWVkaWF0ZTAqMAUGAytlcAMhAFSS/pggSRmTcAMko7uc\r\nATH8OHgxVymd5mBFlPXbJkgio4GtMIGqMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD\r\nVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7KbeYWbD\u002BqzV\u002BAqu6MKTGGtOTsjBlBgNV\r\nHSMEXjBcgBQAZRTDswSVORu\u002BkUOKX6WvrOvmQKEupCwwKjEoMCYGA1UEAwwfSW5z\r\ndGl0dXRlIG9mIFByb3ZlbmFuY2UgUm9vdCBDQYIUJqoJlpiSFg\u002B7W5IJLMrLttgR\r\nQp4wBQYDK2VwA0EA5FOht7YOsVRPp/FOKMQ\u002B3Mo9JxrvGR3ylKWAWNm6OUV7N3DB\r\nI9cD62wU5I0d0EKDBy0CX9DnoqUyxv5yguraAA==\r\n-----END CERTIFICATE-----\r\n",
    "-----BEGIN CERTIFICATE-----\r\nMIIBaTCCARugAwIBAgIUJqoJlpiSFg\u002B7W5IJLMrLttgRQp4wBQYDK2VwMCoxKDAm\r\nBgNVBAMMH0luc3RpdHV0ZSBvZiBQcm92ZW5hbmNlIFJvb3QgQ0EwHhcNMjUxMTAy\r\nMDMwNTEyWhcNMzUxMDMxMDMwNTEyWjAqMSgwJgYDVQQDDB9JbnN0aXR1dGUgb2Yg\r\nUHJvdmVuYW5jZSBSb290IENBMCowBQYDK2VwAyEAEWNZl\u002Br3IC7\u002BgBh90Yo1kWk1\r\npZCVzVuFdFT7qBBU8W2jUzBRMB0GA1UdDgQWBBQAZRTDswSVORu\u002BkUOKX6WvrOvm\r\nQDAfBgNVHSMEGDAWgBQAZRTDswSVORu\u002BkUOKX6WvrOvmQDAPBgNVHRMBAf8EBTAD\r\nAQH/MAUGAytlcANBAO6QeydOFNrN75qNyftggYudsxMyl4w9qWkSdZ6hlhrRcbSr\r\niG9Si0kbrIJOwYB/LTBU0RM4Rl\u002Bo9PM3Qp0mPwo=\r\n-----END CERTIFICATE-----\r\n"
  ],
  "key_id": "-GCB4sEBzFethc5Pd0Rzyn_6ySyHB4QaqD9DAoW9ViE",
  "created_at": "2026-02-18T18:04:36Z"
}
-->