From 27a3c9446e5f7a09b87096534826095da0cba7d0 Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Tue, 9 Apr 2024 14:44:31 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=8F=F0=9F=A7=AA=20Sign=20released=20ar?= =?UTF-8?q?tifacts=20@=20CI/CD=20w/=20Sigstore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci-cd.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index 446ac3ca82..0934dfc51c 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -1348,6 +1348,7 @@ jobs: permissions: contents: write discussions: write + id-token: write # IMPORTANT: mandatory for Sigstore signing steps: - name: Download all the dists @@ -1423,16 +1424,28 @@ jobs: }}' | tee -a release-notes.md shell: bash + - name: Sign the dists with Sigstore + uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + inputs: >- + dist/${{ needs.pre-setup.outputs.sdist-artifact-name }} + dist/${{ needs.pre-setup.outputs.wheel-artifact-name }} + - name: >- Publish a GitHub Release for ${{ needs.pre-setup.outputs.git-tag }} + with Sigstore-signed artifacts uses: ncipollo/release-action@v1 with: allowUpdates: false artifactErrorsFailBuild: false artifacts: | dist/${{ needs.pre-setup.outputs.sdist-artifact-name }} + dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}.crt + dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}.sig dist/${{ needs.pre-setup.outputs.wheel-artifact-name }} + dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}.crt + dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}.sig artifactContentType: raw # Because whl and tgz are of different types bodyFile: release-notes.md discussionCategory: Announcements
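Review bot: The `id-token: write` grant added under `permissions` is job-wide, so every step in this job can request an OIDC token, including the third-party `ncipollo/release-action@v1` step that already runs with `contents: write`. Only the signing step needs that token. A tighter layout would sign in a dedicated job that holds only `id-token: write` and hands the signature files to the publishing job as workflow artifacts. If the single-job layout stays, the comment could record the trade-off, e.g. `id-token: write  # mandatory for Sigstore signing; grants OIDC token minting to every step in this job`. The job's step list starts and ends outside this hunk, so other steps may be affected as well.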
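Review bot: The release step keeps `artifactErrorsFailBuild: false` while the new `.crt` and `.sig` entries are added to `artifacts`, so a missing signature or certificate would presumably be skipped and the release published unsigned. Setting `artifactErrorsFailBuild: true`, or adding a short step before publishing that fails when any of the four signature files is absent, would make a signing failure block the release. Separately, `sigstore/gh-action-sigstore-python@v2.1.1` is referenced by a mutable tag in a job that holds `id-token: write` and `contents: write`. Pinning it to the full commit SHA keeps a retagged release from changing what runs here: `uses: sigstore/gh-action-sigstore-python@<full-commit-sha>  # v2.1.1`.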