From ac2f55f4579540530533beeece6f10f02c991a97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?= =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?= Date: Sat, 30 Mar 2024 23:05:26 +0100 Subject: [PATCH] Implement cosign signing of release builds references: - https://github.com/sigstore/cosign/blob/main/doc/cosign_sign-blob.md - https://github.blog/2022-10-25-why-were-excited-about-the-sigstore-general-availability/ - https://github.com/marketplace/actions/cosign-installer --- .github/workflows/release.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8f3efd4..3c41ab8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,10 @@ on: tags: - 'v*' +permissions: + contents: write + id-token: write + jobs: release: name: Build and Release @@ -25,18 +29,22 @@ jobs: asset_name: http-server-$tag-windows.zip zipcmd: 7z a -tzip steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + - uses: sigstore/cosign-installer@v3.4.0 - name: Build project run: cargo build --release --locked - name: make release.zip - run: ${{ matrix.zipcmd}} release.zip target/release/${{ matrix.artifact_name }} + run: ${{ matrix.zipcmd}} ${{ matrix.asset_name }} target/release/${{ matrix.artifact_name }} - - name: Upload binary to release + - name: Sign release.zip + run: cosign sign-blob --yes --output-signature ${{ matrix.asset_name }}.sig --output-certificate ${{ matrix.asset_name }}.cert ${{ matrix.asset_name }} + + - name: Upload artifacts to release uses: svenstaro/upload-release-action@v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} - file: release.zip - asset_name: ${{ matrix.asset_name }} + file: http-server-* + file_glob: true tag: ${{ github.ref }}
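Review bot: The new `permissions` block in the first hunk is declared at workflow scope, so `contents: write` and `id-token: write` are granted to every job this workflow has now or gains later, not only to `release`; scoping it to the job (`release:` followed by `permissions:` / `contents: write` / `id-token: write` at job indentation) keeps the OIDC token, which only the `cosign sign-blob` step in the second hunk appears to need for keyless signing, mintable by that job alone. Once `id-token: write` is in effect, any step in the job can request that token, including the third-party actions referenced by mutable tags (`sigstore/cosign-installer@v3.4.0`, `svenstaro/upload-release-action@v2`), so pinning those to full commit SHAs would be consistent with the trust the signing step is meant to establish. A short comment above the block, e.g. `# id-token: write is required for keyless cosign signing (OIDC); contents: write for uploading release assets`, would record why each permission exists. The second hunk's trailing context lines are outside this excerpt.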