66
77permissions :
88 contents : write
9- id-token : write # Required for keyless signing
9+ id-token : write
1010
1111jobs :
1212 sign-assets :
@@ -15,13 +15,13 @@ jobs:
1515
1616 steps :
1717 - name : Checkout source
18- uses : actions/checkout@v4
18+ uses : actions/checkout@v4@9d476bda2b52b4a4fbe396aa9b674bca6a2d4a13
1919
2020 - name : Install Cosign
21- uses : sigstore/cosign-installer@v3.4.0
21+ uses : sigstore/cosign-installer@v3.4.0@7e0c53cb364b5f7cfc6b04d99b68353c6c14fd64
2222
2323 - name : Install GitHub CLI
24- uses : cli/cli-action@v2
24+ uses : cli/cli-action@v2@a0fbe95a6ba35e3d6c45d3bcf89b94e912e3d776
2525 with :
2626 version : latest
2727
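Review bot: The pinned references on lines 18, 21 and 24 are written as `actions/checkout@v4@9d476bda…`, with two `@` separators, which is not a valid `uses:` reference; an action reference is `owner/repo@ref` with exactly one `@`, so every step in this job will fail to resolve before anything runs. The usual form for SHA pinning keeps the tag as a trailing comment, e.g. `uses: actions/checkout@9d476bda2b52b4a4fbe396aa9b674bca6a2d4a13 # v4`. The same pattern appears on lines 47, 55 and 61 of the next hunk. Whether each SHA actually belongs to the named tag cannot be checked from the diff and should be confirmed against the upstream repositories before merging.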
@@ -44,19 +44,31 @@ jobs:
4444 done
4545
4646 - name : Upload signatures and certs to release
47- uses : softprops/action-gh-release@v1
47+ uses : softprops/action-gh-release@v1@c96e5e2fd7bc3506a738bfe8d10a57b517aa9940
4848 with :
4949 files : |
5050 release-assets/*.sig
5151 release-assets/*.pem
52+ tag_name : ${{ github.ref_name }}
5253
5354 - name : Generate SLSA provenance (optional but recommended)
54- uses : slsa-framework/slsa-github-generator@v1.7.0
55+ uses : slsa-framework/slsa-github-generator@v1.7.0@52cbcb7c206c4f8ad25e5b53a22bc3ff3e174e5f
5556 with :
5657 builder : github
5758 output : provenance.intoto.jsonl
5859
5960 - name : Upload provenance
60- uses : softprops/action-gh-release@v1
61+ uses : softprops/action-gh-release@v1@c96e5e2fd7bc3506a738bfe8d10a57b517aa9940
6162 with :
6263 files : provenance.intoto.jsonl
64+ tag_name : ${{ github.ref_name }}
65+
66+ - name : Validate signatures
67+ run : |
68+ for file in release-assets/*; do
69+ echo "Verifying $file"
70+ cosign verify-blob \
71+ --key "${file}.pem" \
72+ --signature "${file}.sig" \
73+ "$file"
74+ done
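Review bot: The new `Validate signatures` step on lines 66–74 passes the `.pem` file to `--key`, but the workflow keeps `id-token: write` for keyless signing, where the `.pem` is a Fulcio certificate rather than a public key; `cosign verify-blob` should take `--certificate "${file}.pem"` together with `--certificate-identity` and `--certificate-oidc-issuer` (or their `-regexp` variants) naming the expected workflow identity, since without an identity constraint the verification either fails on current cosign or, on older releases I believe, succeeds without binding the signature to this repository. The loop over `release-assets/*` also iterates the `.sig` and `.pem` files themselves, so each of those triggers a lookup for `foo.sig.pem` and fails. The rewritten step is below; `<WORKFLOW_FILE>` is a placeholder for this workflow's filename, which the diff does not show, and the enclosing job starts outside the hunk.
```yaml
      - name: Validate signatures
        run: |
          for file in release-assets/*; do
            # skip the signature and certificate files themselves
            case "$file" in *.sig|*.pem) continue ;; esac
            echo "Verifying $file"
            cosign verify-blob \
              --certificate "${file}.pem" \
              --signature "${file}.sig" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              --certificate-identity "${{ github.server_url }}/${{ github.repository }}/.github/workflows/<WORKFLOW_FILE>@${{ github.ref }}" \
              "$file"
          done
```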