Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

admin: Sign release artifacts #4580

Merged
merged 1 commit into from
Jan 1, 2025
Merged

admin: Sign release artifacts #4580

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions .github/workflows/release-sign.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) Contributors to the OpenImageIO Project.

#
# Releases are signed via https://github.com/sigstore/sigstore-python.
# See https://docs.sigstore.dev for information about sigstore.
#
# This action creates a .tar.gz of the complete OpenImageIO source tree at
# the given release tag, signs it via sigstore, and uploads the
# .tar.gz and the associated .tar.gz.sigstore credential bundle.
#
# To verify a downloaded release at a given tag:
#
# % pip install sigstore
# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/OpenImageIO/.github/workflows/release-sign.yml@refs/tags/<tag> OpenImageIO-<tag>.tar.gz
#

name: Sign Release

on:
release:
types: [published]

permissions:
contents: read

jobs:
release:
name: Sign & upload release artifacts
runs-on: ubuntu-latest

env:
TAG: ${{ github.ref_name }}
permissions:
contents: write
Dismissed Show dismissed Hide dismissed
id-token: write
repository-projects: write

steps:

- name: Set Prefix
# The tag name begins with a 'v', e.g. "v3.0.3", but the prefix
# should omit the 'v', so the tarball "OpenImageIO-3.0.3.tar.gz"
# extracts files into "OpenImageIO-v3.0.3/...". This matches
# the GitHub release page autogenerated artifact conventions.
run: |
echo OPENIMAGEIO_PREFIX=OpenImageIO-${TAG//v}/ >> $GITHUB_ENV
echo OPENIMAGEIO_TARBALL=OpenImageIO-${TAG//v}.tar.gz >> $GITHUB_ENV
shell: bash

- name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Create archive
run: git archive --format=tar.gz -o ${OPENIMAGEIO_TARBALL} --prefix ${OPENIMAGEIO_PREFIX} ${TAG}

- name: Sign archive with Sigstore
uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
with:
inputs: ${{ env.OPENIMAGEIO_TARBALL }}
upload-signing-artifacts: false
release-signing-artifacts: false

- name: Upload release archive
env:
GH_TOKEN: ${{ github.token }}
run: gh release upload ${TAG} ${OPENIMAGEIO_TARBALL} ${OPENIMAGEIO_TARBALL}.sigstore.json
Loading