From 49597d290d41ab87a5f05ba1229748e857f6cac8 Mon Sep 17 00:00:00 2001
From: Jan Maarten van Doorn
Date: Fri, 29 May 2026 10:53:09 +0200
Subject: [PATCH] Release signing wip
---
 .github/workflows/release-signing.yaml | 28 ++++++++++++++++++++++++++
 .github/workflows/release-v4.yaml | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/release-signing.yaml
diff --git a/.github/workflows/release-signing.yaml b/.github/workflows/release-signing.yaml
new file mode 100644
index 000000000..4956b577f
--- /dev/null
+++ b/.github/workflows/release-signing.yaml
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2026 Contributors to the OpenSTEF project
+# SPDX-License-Identifier: MPL-2.0
+
+name: Sign Release Artifacts
+
+on:
+ release:
+ types: [published]
+
+permissions: {}
+
+jobs:
+ sign-release:
+ name: Sign release artifacts with Sigstore
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.ref, 'refs/tags/v4.') }}
+
+ permissions:
+ # Needed to mint an OIDC token for Sigstore
+ id-token: write
+ # Needed to upload signing artifacts to the GitHub Release
+ contents: write
+
+ steps:
+ - name: Sign all release artifacts
+ uses: sigstore/gh-action-sigstore-python@v3.2.0
+ with:
+ release-signing-artifacts: true
diff --git a/.github/workflows/release-v4.yaml b/.github/workflows/release-v4.yaml
index 12c5ab5c9..207036a9b 100644
--- a/.github/workflows/release-v4.yaml
+++ b/.github/workflows/release-v4.yaml
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2025 Contributors to the OpenSTEF project
+# SPDX-FileCopyrightText: 2026 Contributors to the OpenSTEF project
 # SPDX-License-Identifier: MPL-2.0
 name: Release V4
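Review bot: In `release-signing.yaml` the signing step references `sigstore/gh-action-sigstore-python@v3.2.0` by a mutable tag while the job grants `id-token: write` and `contents: write`, so a moved or re-pointed tag would run with the ability to mint this workflow's OIDC identity and modify the release. Pin it to a full commit SHA the way `release-v4.yaml` pins `softprops/action-gh-release`, e.g. `uses: sigstore/gh-action-sigstore-python@<full-commit-sha> # v3.2.0`. Separately, the step passes no `inputs:` and the job never checks out, builds or downloads anything, so as far as I can tell it would sign only GitHub's generated source archives and not the `dist/*` packages that the new upload step in `release-v4.yaml` attaches. If the intent is "all release artifacts", sign the built files in the job that produces them or download them here first. Both workflows also appear to react to the same release event, so the order of upload and signing is not guaranteed.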
@@ -79,5 +79,10 @@ jobs:
 run: poe build
 - name: Publish packages
 run: uv publish --trusted-publishing always
+ - name: Upload release assets
+ if: github.event_name == 'release'
+ uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+ with:
+ files: dist/*
 - name: Summary
 run: echo "Published version ${{ steps.ver.outputs.version }}"
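Review bot: The new "Upload release assets" step has no guard against an empty glob. With `files: dist/*` and default settings the action, as far as I know, only warns when nothing matches, so a release could end up with no assets attached while the job stays green; add `fail_on_unmatched_files: true` under `with:`. The step also needs `contents: write` on this job's token, and the job's `permissions:` block lies outside the hunk, so confirm it grants that explicitly. Since this is the job that holds the trusted-publishing OIDC permission, consider moving the upload into a separate job fed by a build artifact rather than widening this job's token.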