OpenColorIO/.github/workflows/release-sign.yml at main · AcademySoftwareFoundation/OpenColorIO · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# SPDX-License-Identifier: BSD-3-Clause
# Copyright Contributors to the OpenColorIO Project.

#
# Releases are signed via https://github.com/sigstore/sigstore-python.
# See https://docs.sigstore.dev for information about sigstore.
#
# This action creates a .tar.gz of the complete OpenColorIO source tree at
# the given release tag, signs it via sigstore, and uploads the
# .tar.gz and the associated .tar.gz.sigstore credential bundle.
#
# To verify a downloaded release at a given tag:
#
#   % pip install sigstore
#   % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/OpenColorIO/.github/workflows/release-sign.yml@refs/tags/<tag> OpenColorIO-<tag>.tar.gz
#

name: Sign Release

on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  release:
    name: Sign & upload release artifacts
    runs-on: ubuntu-latest

    env:
      TAG: ${{ github.ref_name }}
    permissions:
      contents: write
      id-token: write
      repository-projects: write

    steps:

      - name: Set Prefix
        # The tag name begins with a 'v', e.g. "v2.4.0", but the prefix
        # should omit the 'v', so the tarball "OpenColorIO-2.4.0.tar.gz"
        # extracts files into "OpenColorIO-2.4.0/...". This matches
        # the GitHub release page autogenerated artifact conventions.
        run: |
          echo OCIO_PREFIX=OpenColorIO-${TAG//v}/ >> $GITHUB_ENV
          echo OCIO_TARBALL=OpenColorIO-${TAG//v}.tar.gz >> $GITHUB_ENV
        shell: bash

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Create archive
        run: git archive --format=tar.gz -o ${OCIO_TARBALL} --prefix ${OCIO_PREFIX} ${TAG}

      - name: Sign archive with Sigstore
        uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
        with:
          inputs: ${{ env.OCIO_TARBALL }}
          upload-signing-artifacts: false
          release-signing-artifacts: false

      - name: Upload release archive
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload ${TAG} ${OCIO_TARBALL} ${OCIO_TARBALL}.sigstore.json