---
title: "CI/CD Integration"
description: "Automatically sign build artifacts in your deployment pipeline using XI Objects trust blocks."
published: 2026-02-18T18:06:30.375941+00:00
updated: 2026-02-18T18:06:30.375941+00:00
tags: ["cicd", "devops", "guide"]
url: https://xiobjects.com/docs/xio/guides/cicd-integration
source: XI Objects
---

<!-- xion:doctype xion+markdown -->
<!-- xion:metadata
{
  "version": "1.0",
  "content_type": "application/xion\u002Bmarkdown",
  "source_type": "xi-content/doc",
  "generator": "xio-content-publisher/1.0.0",
  "generated": "2026-05-13T22:51:28.1844420\u002B00:00",
  "encoding": "utf-8",
  "render_intent": "markdown",
  "title": "CI/CD Integration",
  "slug": "xio/guides/cicd-integration",
  "copyright": "\u00A9 2026 XI Objects Inc"
}
-->

# CI/CD Integration

Automate content signing in your build and deployment pipelines to ensure every artifact has provenance from the moment it's created. XI Objects integrates into CI/CD through the **Xio.Trust** library for programmatic signing and the **`xi` CLI** for pipeline scripting.

## Overview

```mermaid
flowchart LR
    subgraph CI["CI Pipeline"]
        B[Build] --> T[Test]
        T --> S["Sign with Xio.Trust"]
        S --> P[Publish]
    end
    
    subgraph Orbital
        O{{Orbital Network}}
    end
    
    P --> R[(Artifact Registry)]
    S --> O
    
    style CI fill:#1a1a2e,stroke:#7a4a9e
    style S fill:#582c7e,stroke:#7a4a9e,color:#fff
```

## Approach: Trust Block Signing

CI/CD signing uses the same trust block mechanism as all XI Objects signing:

1. **Obtain a short-lived leaf certificate** from a certified Orbital
2. **Sign artifacts** using Xio.Trust: embed trust blocks with the CI certificate chain
3. **Register on the Orbital network**: publish `XSIGN` records for discoverable provenance

### CI Certificate Best Practices

- **Use short-lived certificates.** Issue CI certificates with hours-long validity, not days
- **Scope narrowly.** Create dedicated CI leaf certificates, separate from human creator certificates
- **Rotate per-build.** Request a fresh leaf certificate at the start of each pipeline run
- **Secure the private key.** Use a signing delegate pattern with a vault or secrets manager

## Programmatic Signing in .NET

For .NET-based pipelines, reference Xio.Trust directly:

```csharp
using System.IO;
using System.Threading.Tasks;
using Xio.Trust;
using Xio.Crypto;

// Assumed to be set up earlier in the pipeline:
//   ciPublicKey                  - public key of the per-build CI leaf certificate
//   vault                        - secrets-manager client that holds the signing key (delegate pattern)
//   ciLeafPem / intermediatePem  - PEM certificate chain for the CI leaf
//   cryptoServices               - crypto service provider for the signer
//   buildArtifacts               - paths of the artifacts produced by the build step

// Configure trust options with the CI certificate; the private key never leaves the vault
var trustOptions = new TrustOptions
{
    PublicKey = ciPublicKey,
    Signer = async (data) => await vault.SignAsync("ci-signing-key", data),
    Context = "ci.build-signing",
    X509ChainPem = new[] { ciLeafPem, intermediatePem },
    HashAlgorithm = HashAlgorithm.Blake3_256
};

// Sign each artifact in place, embedding a trust block with the CI certificate chain
var trustSigner = new Ed25519XionTrustSigner(cryptoServices);

foreach (var artifact in buildArtifacts)
{
    var content = await File.ReadAllBytesAsync(artifact);
    var signed = await trustSigner.SignAsync(content, trustOptions);
    await File.WriteAllBytesAsync(artifact, signed);
}
```

## Using the `xi` CLI

The `xi` CLI can be used in pipeline scripts for status checks and Orbital operations:

```bash
set -euo pipefail  # fail the pipeline step on the first error

# Configure connection to Orbital (endpoint supplied as a pipeline variable)
xi config add ci-orbital -e "$ORBITAL_ENDPOINT"

# Check Orbital health before signing
xi orbital status --output json

# Verify the cluster is ready
xi cluster status
```

## Pipeline Configuration

### Certificate Acquisition

At the start of your pipeline, request a leaf certificate from a certified Orbital.

Store the certificate and use a secure signing delegate with your secrets manager (Azure Key Vault, GitHub Secrets, HashiCorp Vault) to avoid exposing the private key.

### Artifact Registration

After signing, publish records to the Orbital network to make provenance globally discoverable. This stores signing metadata (`XSIGN` records) and optionally spectral fingerprints (`XFPR` records) for visual artifacts.

## Verification in Deployment

Before deploying artifacts, verify their trust blocks:

1. **Extract the trust block** from the artifact
2. **Verify the BLAKE3 hash** matches the canonical content
3. **Verify the Ed25519 signature** against the embedded public key
4. **Validate the certificate chain** traces to the Institute of Provenance Root CA
5. **Check revocation status** via the Orbital network's Sparse Merkle proofs

This ensures only authentically signed artifacts from your CI pipeline are deployed.

## Security Considerations

- **Never commit certificates or keys to source control.** Use CI secrets or vault integration
- **Use short-lived leaf certificates.** Request fresh certificates per pipeline run (hours, not days)
- **Separate CI certificates from human certificates.** Different leaf certificates for different purposes
- **Monitor signing activity.** Query the Orbital network to audit signing records for unexpected events
- **Verify before deploying.** Always validate trust blocks on artifacts before production deployment
- **Use the delegate pattern.** Signing delegates keep private keys in secure backends