From b4e0e15db644b8a854d510d18b1544550f9d7439 Mon Sep 17 00:00:00 2001
From: Cary Phillips
Date: Thu, 28 Mar 2024 10:59:05 -0700
Subject: [PATCH] sign

Signed-off-by: Cary Phillips
---
 .github/workflows/release-sign.yml | 62 ++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/workflows/release-sign.yml

diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
new file mode 100644
index 0000000..75027e4
--- /dev/null
+++ b/.github/workflows/release-sign.yml
@@ -0,0 +1,62 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) Contributors to the OpenEXR Project.
+
+#
+# Releases are signed via https://github.com/sigstore/sigstore-python.
+# See https://docs.sigstore.dev for information about sigstore.
+#
+# This action creates a .tar.gz of the complete OpenEXR source tree at
+# the given release tag, signs it via sigstore, and uploads the
+# .tar.gz and the associated .tar.gz.sigstore credential bundle.
+#
+# To verify a downloaded release at a given tag:
+#
+# % pip install sigstore
+# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/ openexr-.tar.gz
+#
+
+name: Sign Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+  id-token: write
+  repository-projects: write
+
+jobs:
+  release:
+    name: Sign & upload release artifacts
+    runs-on: ubuntu-latest
+
+    env:
+      TAG: ${{ github.ref_name }}
+
+    steps:
+
+      - name: Set Prefix
+        # The tag name begins with a 'v', e.g. "v3.2.4", but the prefix
+        # should omit the 'v', so the tarball "openexr-3.2.4.tar.gz"
+        # extracts files into "openexr-v3.2.4/...". This matches
+        # the GitHub release page autogenerated artifact conventions.
+        run: echo OPENEXR_PREFIX=openexr-${TAG//v} >> $GITHUB_ENV
+        shell: bash
+
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Create archive
+        run: git archive --format=tar.gz -o ${OPENEXR_PREFIX}.tar.gz --prefix ${OPENEXR_PREFIX}/ ${TAG}
+
+      - name: Sign archive with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        with:
+          inputs: ${{ env.tarball }}
+
+      - name: Upload release archive
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}.sigstore
+
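Review bot: `inputs: ${{ env.tarball }}` in the "Sign archive with Sigstore" step and both `${{ env.tarball }}` references in the "Upload release archive" step expand to an empty string, because no step ever writes `tarball` to `$GITHUB_ENV`; the only value exported is `OPENEXR_PREFIX`, so the sigstore action is handed no file and `gh release upload` is run without the artifacts. Use the exported name consistently, e.g. `inputs: ${{ env.OPENEXR_PREFIX }}.tar.gz` and `run: gh release upload "${TAG}" "${OPENEXR_PREFIX}.tar.gz" "${OPENEXR_PREFIX}.tar.gz.sigstore"`. In the "Set Prefix" step, `${TAG//v}` removes every `v` in the tag rather than only the leading one, so a tag such as `v3.2.4-dev` would produce `openexr-3.2.4-de`; `${TAG#v}` strips just the prefix, and the comment above it should say the tarball "extracts files into openexr-3.2.4/..." so that it matches what the code does. Since this job holds `id-token: write` and produces the signatures users will verify, `actions/checkout@v2` and `sigstore/gh-action-sigstore-python@v2.1.1` should be pinned to full commit SHAs rather than mutable tags, and `repository-projects: write` is not used by any step here and can be dropped so the token is limited to `contents: write` and `id-token: write`.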