@blazethunderstorm (Contributor)

Add workflow to sign release assets and upload provenance for Scorecard compliance.

Closes #1159

@blazethunderstorm (Contributor, Author)

@sozercan please review

@codecov (bot) commented Jul 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.51%. Comparing base (d49d655) to head (70d482b).
⚠️ Report is 95 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1164   +/-   ##
=======================================
  Coverage   40.51%   40.51%           
=======================================
  Files          24       24           
  Lines        3786     3786           
=======================================
  Hits         1534     1534           
  Misses       2140     2140           
  Partials      112      112           


uses: actions/checkout@v4

- name: Install Cosign
uses: sigstore/cosign-installer@v3.4.0
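Review bot: keyless `cosign sign-blob` with the Cosign installed here needs a GitHub OIDC token, so the job that runs it must declare `permissions: id-token: write` (not present in the lines shown); check that before relying on the signing step. Both `uses:` references also resolve mutable tags (`actions/checkout@v4`, `sigstore/cosign-installer@v3.4.0`), so what runs can change with no change to this file; pin each to the full commit SHA and keep the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3.4.0`.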
@sozercan (Member) Jul 2, 2025
Please pin to digest for all GitHub Actions (see existing actions for examples).

done

- name: Upload signatures and certs to release
uses: softprops/action-gh-release@v1
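Review bot: with no `tag_name` input, `softprops/action-gh-release` falls back to the tag in `github.ref`, so this step only attaches to the right release when the workflow is triggered by a tag push or a `release` event and will fail on any other ref; set `tag_name` explicitly (for example `tag_name: ${{ github.event.release.tag_name }}` on a `release` trigger). The step is named "Upload signatures and certs to release" but the lines shown carry no `files:` input, so nothing is uploaded unless it appears on lines not shown; list the `.sig` and `.pem` outputs there.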
Member
How does this one find the corresponding release?

- name: Upload provenance
uses: softprops/action-gh-release@v1
with:
files: provenance.intoto.jsonl
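Review bot: nothing after this upload checks that the published files actually verify, so a broken signature or a provenance that does not match the assets would still ship; add a final step that runs `cosign verify-blob --certificate <asset>.pem --signature <asset>.sig --certificate-identity-regexp '<this workflow's identity>' --certificate-oidc-issuer https://token.actions.githubusercontent.com <asset>` for each signed asset and `slsa-verifier verify-artifact <asset> --provenance-path provenance.intoto.jsonl --source-uri github.com/<owner>/<repo>` for the provenance, failing the job on any non-zero exit. The lines shown also do not say which step produces `provenance.intoto.jsonl`; the subjects it attests must be the hashes of the same assets that were signed.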
Member
Can you add a validation at the end?
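Pulling the three review points together (digest pinning, naming the release explicitly, and verifying at the end), here is an added example workflow; it is not the code in this PR or the project's own workflow. It assumes the assets are already attached when the release is published, uses the slsa-framework/slsa-github-generator reusable workflow to produce `provenance.intoto.jsonl` (this PR does not show how that file is generated), and writes `<commit-sha>` wherever a reviewed commit digest must be filled in; those placeholders, the file name `sign-release.yml`, and the job names are assumptions.

```yaml
# Added example, not the PR's workflow. Every "<commit-sha>" is a placeholder:
# replace it with the full commit digest of the action version you have reviewed.
name: sign-release

on:
  release:
    types: [published]          # assumption: assets are already attached at this point

permissions:
  contents: read

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: write           # attach .sig/.pem files to the release
      id-token: write           # OIDC token that keyless cosign needs for its Fulcio cert
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@<commit-sha>   # v3.x, pinned by digest, version in comment

      - name: Download the release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          gh release download "${{ github.event.release.tag_name }}" --repo "$GITHUB_REPOSITORY" --dir dist

      - name: Record subject hashes before signing (assets only, no .sig/.pem yet)
        id: hash
        run: |
          set -euo pipefail
          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Sign each asset keylessly
        run: |
          set -euo pipefail
          for f in dist/*; do
            cosign sign-blob --yes --output-signature "$f.sig" --output-certificate "$f.pem" "$f"
          done

      - name: Upload signatures and certs to release
        uses: softprops/action-gh-release@<commit-sha>   # v2.x, pinned by digest
        with:
          tag_name: ${{ github.event.release.tag_name }}  # name the release explicitly
          files: |
            dist/*.sig
            dist/*.pem

      - name: Verify every signature against this workflow's identity (job fails on mismatch)
        run: |
          set -euo pipefail
          for sig in dist/*.sig; do
            f="${sig%.sig}"
            cosign verify-blob \
              --certificate "$f.pem" --signature "$sig" \
              --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/\.github/workflows/sign-release\.yml@" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              "$f"
          done

  provenance:
    needs: sign
    permissions:
      actions: read
      id-token: write
      contents: write
    # referenced by tag: the generator documents tag references and verifies its own builder
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.sign.outputs.hashes }}
      provenance-name: provenance.intoto.jsonl
      upload-assets: true

  verify-provenance:
    needs: provenance
    runs-on: ubuntu-latest
    steps:
      - uses: slsa-framework/slsa-verifier/actions/installer@<commit-sha>   # v2.x, pinned by digest
      - env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          gh release download "${{ github.event.release.tag_name }}" --repo "$GITHUB_REPOSITORY" --dir dist
          for f in dist/*; do
            case "$f" in *.sig|*.pem|*.intoto.jsonl) continue ;; esac
            slsa-verifier verify-artifact "$f" \
              --provenance-path dist/provenance.intoto.jsonl \
              --source-uri "github.com/${GITHUB_REPOSITORY}" \
              --source-tag "${{ github.event.release.tag_name }}"
          done
```

The `cosign verify-blob` step fails the job unless the certificate's subject is this workflow in this repository and its issuer is GitHub's OIDC provider; without that identity check a `.sig`/`.pem` pair proves nothing about who signed. Scorecard's Signed-Releases check looks for signature and provenance files among the release assets and does not verify them itself, so the two verification steps are what give the uploaded files their meaning.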

@blazethunderstorm (Contributor, Author)

@sozercan will make all the requested changes by today

@sozercan sozercan moved this from 🆕 New to 🏗 In progress in Copacetic Workboard Jul 3, 2025
@blazethunderstorm force-pushed the docy branch 2 times, most recently from 238d849 to 773606b on July 3, 2025 18:02
Signed-off-by: ANIRUDH NARANG <anirudhnarang0@gmail.com>
Signed-off-by: ANIRUDH <anirudhnarang0@gmail.com>
Signed-off-by: Anirudh Narang <anirudhnarang0@gmail.com>
@robert-cronin (Contributor)

@blazethunderstorm are you still working on this feature?

@github-actions (bot) commented Oct 6, 2025

This pull request has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

@github-actions github-actions bot added the stale label Oct 6, 2025
@github-actions github-actions bot closed this Oct 13, 2025
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Copacetic Workboard Oct 13, 2025

Status: Done

Merging this pull request may close: [REQ] openssf Signed-Releases

3 participants