Skip to content
.github/workflows/signed-release.yml

ci: add signed release and provenance workflow #4

Sign in to view logs

ci: add signed release and provenance workflow

ci: add signed release and provenance workflow #4

Workflow file for this run

.github/workflows/signed-release.yml at 46cd272
name: Sign GitHub Release Artifacts
on:
release:
types: [published]
permissions:
contents: write
id-token: write
jobs:
sign-assets:
name: Sign and Generate Provenance
runs-on: ubuntu-latest
steps:
- name: Checkout source
uses: actions/checkout@v4@9d476bda2b52b4a4fbe396aa9b674bca6a2d4a13
- name: Install Cosign
uses: sigstore/cosign-installer@v3.4.0@7e0c53cb364b5f7cfc6b04d99b68353c6c14fd64
- name: Install GitHub CLI
uses: cli/cli-action@v2@a0fbe95a6ba35e3d6c45d3bcf89b94e912e3d776
with:
version: latest
- name: Create download dir and fetch assets
run: |
mkdir release-assets
gh release download "$GITHUB_REF_NAME" --dir release-assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Sign each asset using Cosign keyless
run: |
for file in release-assets/*; do
echo "Signing $file"
cosign sign-blob \
--yes \
--output-signature "${file}.sig" \
--output-certificate "${file}.pem" \
"$file"
done
- name: Upload signatures and certs to release
uses: softprops/action-gh-release@v1@c96e5e2fd7bc3506a738bfe8d10a57b517aa9940
with:
files: |
release-assets/*.sig
release-assets/*.pem
tag_name: ${{ github.ref_name }}
- name: Generate SLSA provenance (optional but recommended)
uses: slsa-framework/slsa-github-generator@v1.7.0@52cbcb7c206c4f8ad25e5b53a22bc3ff3e174e5f
with:
builder: github
output: provenance.intoto.jsonl
- name: Upload provenance
uses: softprops/action-gh-release@v1@c96e5e2fd7bc3506a738bfe8d10a57b517aa9940
with:
files: provenance.intoto.jsonl
tag_name: ${{ github.ref_name }}
- name: Validate signatures
run: |
for file in release-assets/*; do
echo "Verifying $file"
cosign verify-blob \
--key "${file}.pem" \
--signature "${file}.sig" \
"$file"
done