From 408d95a6e53a3ee985504f993ba99297d14ed976 Mon Sep 17 00:00:00 2001 From: Larry Gritz Date: Wed, 1 Jan 2025 11:51:33 -0800 Subject: [PATCH] admin: Sign release artifacts (#4580) Approach copied from OpenEXR. Let's try it! Fixes #4404 Signed-off-by: Larry Gritz --- .github/workflows/release-sign.yml | 67 ++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/release-sign.yml diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml new file mode 100644 index 0000000000..209d1057e5 --- /dev/null +++ b/.github/workflows/release-sign.yml @@ -0,0 +1,67 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) Contributors to the OpenImageIO Project. + +# +# Releases are signed via https://github.com/sigstore/sigstore-python. +# See https://docs.sigstore.dev for information about sigstore. +# +# This action creates a .tar.gz of the complete OpenImageIO source tree at +# the given release tag, signs it via sigstore, and uploads the +# .tar.gz and the associated .tar.gz.sigstore credential bundle. +# +# To verify a downloaded release at a given tag: +# +# % pip install sigstore +# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/OpenImageIO/.github/workflows/release-sign.yml@refs/tags/ OpenImageIO-.tar.gz +# + +name: Sign Release + +on: + release: + types: [published] + +permissions: + contents: read + +jobs: + release: + name: Sign & upload release artifacts + runs-on: ubuntu-latest + + env: + TAG: ${{ github.ref_name }} + permissions: + contents: write + id-token: write + repository-projects: write + + steps: + + - name: Set Prefix + # The tag name begins with a 'v', e.g. "v3.0.3", but the prefix + # should omit the 'v', so the tarball "OpenImageIO-3.0.3.tar.gz" + # extracts files into "OpenImageIO-v3.0.3/...". This matches + # the GitHub release page autogenerated artifact conventions. + run: | + echo OPENIMAGEIO_PREFIX=OpenImageIO-${TAG//v}/ >> $GITHUB_ENV + echo OPENIMAGEIO_TARBALL=OpenImageIO-${TAG//v}.tar.gz >> $GITHUB_ENV + shell: bash + + - name: Checkout + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Create archive + run: git archive --format=tar.gz -o ${OPENIMAGEIO_TARBALL} --prefix ${OPENIMAGEIO_PREFIX} ${TAG} + + - name: Sign archive with Sigstore + uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 + with: + inputs: ${{ env.OPENIMAGEIO_TARBALL }} + upload-signing-artifacts: false + release-signing-artifacts: false + + - name: Upload release archive + env: + GH_TOKEN: ${{ github.token }} + run: gh release upload ${TAG} ${OPENIMAGEIO_TARBALL} ${OPENIMAGEIO_TARBALL}.sigstore.json