
Commit ad06c6e

committed
Add signed release pipeline and notes templates
1 parent 2f42a0d commit ad06c6e

4 files changed

Lines changed: 102 additions & 10 deletions


Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
This channel publishes the latest prebuilt LLVM toolchain used by this project.
2+
3+
Included assets:
4+
- `llvm-wasm-install.zip`
5+
- `llvm-wasm-install.zip.sha256`
6+
- `llvm-wasm-install.zip.sig`
7+
- `llvm-wasm-install.zip.pem`
8+
9+
Signature:
10+
- Keyless Sigstore signature generated in GitHub Actions
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
This channel publishes the latest relocatable CMake package for project consumers.
2+
3+
Included assets:
4+
- `webvulkan-package.zip`
5+
- `webvulkan-package.zip.sha256`
6+
- `webvulkan-package.zip.sig`
7+
- `webvulkan-package.zip.pem`
8+
9+
Signature:
10+
- Keyless Sigstore signature generated in GitHub Actions

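--- a/.github/workflows/prebuilt-refresh.yml
+++ b/.github/workflows/prebuilt-refresh.yml
@@ -12,6 +12,7 @@ concurrency:
 permissions:
 contents: write
 actions: write
+id-token: write
 
 env:
 BUILD_TYPE: Release
@@ -109,6 +110,41 @@ jobs:
 (out / f"{zip_name}.sha256").write_text(f"{digest} {zip_name}\n", encoding="utf-8")
 PY
 
+- name: Install cosign
+uses: sigstore/cosign-installer@v3
+
+- name: Sign release bundles
+run: |
+cosign sign-blob --yes \
+--output-signature release_artifacts/llvm-wasm-install.zip.sig \
+--output-certificate release_artifacts/llvm-wasm-install.zip.pem \
+release_artifacts/llvm-wasm-install.zip
+cosign sign-blob --yes \
+--output-signature release_artifacts/webvulkan-package.zip.sig \
+--output-certificate release_artifacts/webvulkan-package.zip.pem \
+release_artifacts/webvulkan-package.zip
+
+- name: Prepare release notes
+shell: bash
+run: |
+mkdir -p release_notes
+
+cp .github/release-notes/llvm-wasm-prebuilt-latest.md release_notes/llvm-wasm-prebuilt-latest.md
+{
+echo
+echo "Build metadata:"
+echo "- Commit: \`${GITHUB_SHA}\`"
+echo "- Workflow run: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+} >> release_notes/llvm-wasm-prebuilt-latest.md
+
+cp .github/release-notes/webvulkan-package-latest.md release_notes/webvulkan-package-latest.md
+{
+echo
+echo "Build metadata:"
+echo "- Commit: \`${GITHUB_SHA}\`"
+echo "- Workflow run: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+} >> release_notes/webvulkan-package-latest.md
+
 - name: Upload refresh artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -122,15 +158,18 @@ jobs:
 run: |
 LLVM_ZIP="release_artifacts/llvm-wasm-install.zip"
 LLVM_SHA="release_artifacts/llvm-wasm-install.zip.sha256"
+LLVM_SIG="release_artifacts/llvm-wasm-install.zip.sig"
+LLVM_PEM="release_artifacts/llvm-wasm-install.zip.pem"
+LLVM_NOTES="release_notes/llvm-wasm-prebuilt-latest.md"
 if gh release view "${LLVM_RELEASE_TAG}" >/dev/null 2>&1; then
-gh release upload "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" --clobber
+gh release upload "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" "${LLVM_SIG}" "${LLVM_PEM}" --clobber
 gh release edit "${LLVM_RELEASE_TAG}" \
 --title "LLVM wasm prebuilt latest" \
---notes "Auto-refreshed from ${GITHUB_SHA}."
+--notes-file "${LLVM_NOTES}"
 else
-gh release create "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" \
+gh release create "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" "${LLVM_SIG}" "${LLVM_PEM}" \
 --title "LLVM wasm prebuilt latest" \
---notes "Auto-refreshed from ${GITHUB_SHA}."
+--notes-file "${LLVM_NOTES}"
 fi
 
 - name: Publish package release
@@ -139,30 +178,45 @@ jobs:
 run: |
 PKG_ZIP="release_artifacts/webvulkan-package.zip"
 PKG_SHA="release_artifacts/webvulkan-package.zip.sha256"
+PKG_SIG="release_artifacts/webvulkan-package.zip.sig"
+PKG_PEM="release_artifacts/webvulkan-package.zip.pem"
+PKG_NOTES="release_notes/webvulkan-package-latest.md"
 if gh release view "${PACKAGE_RELEASE_TAG}" >/dev/null 2>&1; then
-gh release upload "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" --clobber
+gh release upload "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" "${PKG_SIG}" "${PKG_PEM}" --clobber
 gh release edit "${PACKAGE_RELEASE_TAG}" \
 --title "WebVulkan package latest" \
---notes "Auto-refreshed from ${GITHUB_SHA}."
+--notes-file "${PKG_NOTES}"
 else
-gh release create "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" \
+gh release create "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" "${PKG_SIG}" "${PKG_PEM}" \
 --title "WebVulkan package latest" \
---notes "Auto-refreshed from ${GITHUB_SHA}."
+--notes-file "${PKG_NOTES}"
 fi
 
 - name: Update repository variables
 env:
 GH_TOKEN: ${{ github.token }}
+continue-on-error: true
+shell: bash
 run: |
 LLVM_SHA="$(cut -d' ' -f1 release_artifacts/llvm-wasm-install.zip.sha256)"
 LLVM_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${LLVM_RELEASE_TAG}/llvm-wasm-install.zip"
 PKG_SHA="$(cut -d' ' -f1 release_artifacts/webvulkan-package.zip.sha256)"
 PKG_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${PACKAGE_RELEASE_TAG}/webvulkan-package.zip"
 
+set +e
 gh variable set WEBVULKAN_LLVM_PREBUILT_URL --repo "${GITHUB_REPOSITORY}" --body "${LLVM_URL}"
+STATUS_A=$?
 gh variable set WEBVULKAN_LLVM_PREBUILT_SHA256 --repo "${GITHUB_REPOSITORY}" --body "${LLVM_SHA}"
+STATUS_B=$?
 gh variable set WEBVULKAN_PACKAGE_URL --repo "${GITHUB_REPOSITORY}" --body "${PKG_URL}"
+STATUS_C=$?
 gh variable set WEBVULKAN_PACKAGE_SHA256 --repo "${GITHUB_REPOSITORY}" --body "${PKG_SHA}"
+STATUS_D=$?
+set -e
+
+if [ "${STATUS_A}" -ne 0 ] || [ "${STATUS_B}" -ne 0 ] || [ "${STATUS_C}" -ne 0 ] || [ "${STATUS_D}" -ne 0 ]; then
+echo "::warning::Repository variable update was skipped due to permission policy. Releases were still updated."
+fi
 
 - name: Save refresh build cache
 if: always() && steps.cache_build.outputs.cache-hit != 'true'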
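Review bot: `id-token: write` is added to what appears to be the workflow-level `permissions:` block (the hunk's context is the top-level `concurrency:` key), so every job in this workflow can now mint OIDC tokens alongside the existing `contents: write` and `actions: write`; only the job running `cosign sign-blob` needs the token, so moving `id-token: write` into that job's own `permissions:` keeps the default grant minimal. In the same hunk, `uses: sigstore/cosign-installer@v3` resolves a mutable tag for the very tool that produces the release signatures; pinning it to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3`, makes the signing step reproducible and tamper-evident. In the "Update repository variables" step, the warning `Repository variable update was skipped due to permission policy` is printed for any non-zero exit of `gh variable set`, including transient API errors, so reporting the captured statuses is more honest: `echo "::warning::gh variable set failed (statuses ${STATUS_A} ${STATUS_B} ${STATUS_C} ${STATUS_D}); releases were still updated."`. Note also that `continue-on-error: true` and the `set +e` / `set -e` block overlap: the latter already keeps the step green on `gh` failures, while the former would additionally mask a genuine script error elsewhere in the step.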

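--- a/README.md
+++ b/README.md
@@ -67,5 +67,23 @@ target_link_libraries(my_app PRIVATE webvulkan::llvmpipe_wasm)
 
 ## Release channels
 
-- `llvm-wasm-prebuilt-latest` contains only `llvm-wasm-install.zip`
-- `webvulkan-package-latest` contains only `webvulkan-package.zip`
+- `llvm-wasm-prebuilt-latest` contains only the LLVM prebuilt bundle
+- `webvulkan-package-latest` contains only the relocatable CMake package
+
+Each channel ships:
+- bundle `.zip`
+- checksum `.sha256`
+- Sigstore signature `.sig`
+- Sigstore certificate `.pem`
+
+Verify a downloaded bundle:
+
+```bash
+sha256sum -c <bundle>.zip.sha256
+cosign verify-blob \
+--signature <bundle>.zip.sig \
+--certificate <bundle>.zip.pem \
+--certificate-identity-regexp "https://github.com/Devsh-Graphics-Programming/llvmpipe2wasm/.*" \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+<bundle>.zip
+```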
