forked from AcademySoftwareFoundation/openexr
-
Notifications
You must be signed in to change notification settings - Fork 0
68 lines (55 loc) · 2.14 KB
/
release-sign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) Contributors to the OpenEXR Project.
#
# Releases are signed via https://github.com/sigstore/sigstore-python.
# See https://docs.sigstore.dev for information about sigstore.
#
# This action creates a .tar.gz of the complete OpenEXR source tree at
# the given release tag, signs it via sigstore, and uploads the
# .tar.gz and the associated .tar.gz.sigstore credential bundle.
#
# To verify a downloaded release at a given tag:
#
# % pip install sigstore
# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/<tag> openexr-<tag>.tar.gz
#
name: Sign Release
on:
release:
types: [published]
permissions:
contents: read
jobs:
release:
name: Sign & upload release artifacts
runs-on: ubuntu-latest
env:
TAG: ${{ github.ref_name }}
permissions:
contents: write
id-token: write
repository-projects: write
steps:
- name: Set Prefix
# The tag name begins with a 'v', e.g. "v3.2.4", but the prefix
# should omit the 'v', so the tarball "openexr-3.2.4.tar.gz"
# extracts files into "openexr-v3.2.4/...". This matches
# the GitHub release page autogenerated artifact conventions.
run: |
echo OPENEXR_PREFIX=openexr-${TAG//v}/ >> $GITHUB_ENV
echo OPENEXR_TARBALL=openexr-${TAG//v}.tar.gz >> $GITHUB_ENV
shell: bash
- name: Checkout
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Create archive
run: git archive --format=tar.gz -o ${OPENEXR_TARBALL} --prefix ${OPENEXR_PREFIX} ${TAG}
- name: Sign archive with Sigstore
uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
with:
inputs: ${{ env.OPENEXR_TARBALL }}
upload-signing-artifacts: false
release-signing-artifacts: false
- name: Upload release archive
env:
GH_TOKEN: ${{ github.token }}
run: gh release upload ${TAG} ${OPENEXR_TARBALL} ${OPENEXR_TARBALL}.sigstore.json