@@ -12,6 +12,7 @@ concurrency:
1212permissions :
1313 contents : write
1414 actions : write
15+ id-token : write
1516
1617env :
1718 BUILD_TYPE : Release
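Review bot: `id-token: write` is added to what looks like the workflow-level `permissions:` block (it directly follows the top-level `concurrency:` key), so every job in this workflow, not only the one that runs `cosign sign-blob`, can mint an OIDC token and thereby obtain a Sigstore certificate carrying this repository's workflow identity. Keyless signing only needs that grant on the job that signs. Consider removing the line here and declaring `id-token: write` in that job's own `permissions:` next to the `contents: write` it already needs, which keeps the blast radius of any other job to the token scopes it actually uses. The job-level permissions blocks are not visible in this hunk, so this is inferred from the position of the block rather than confirmed.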
@@ -109,6 +110,41 @@ jobs:
109110 (out / f"{zip_name}.sha256").write_text(f"{digest} {zip_name}\n", encoding="utf-8")
110111 PY
111112
113+ - name : Install cosign
114+ uses : sigstore/cosign-installer@v3
115+
116+ - name : Sign release bundles
117+ run : |
118+ cosign sign-blob --yes \
119+ --output-signature release_artifacts/llvm-wasm-install.zip.sig \
120+ --output-certificate release_artifacts/llvm-wasm-install.zip.pem \
121+ release_artifacts/llvm-wasm-install.zip
122+ cosign sign-blob --yes \
123+ --output-signature release_artifacts/webvulkan-package.zip.sig \
124+ --output-certificate release_artifacts/webvulkan-package.zip.pem \
125+ release_artifacts/webvulkan-package.zip
126+
127+ - name : Prepare release notes
128+ shell : bash
129+ run : |
130+ mkdir -p release_notes
131+
132+ cp .github/release-notes/llvm-wasm-prebuilt-latest.md release_notes/llvm-wasm-prebuilt-latest.md
133+ {
134+ echo
135+ echo "Build metadata:"
136+ echo "- Commit: \`${GITHUB_SHA}\`"
137+ echo "- Workflow run: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
138+ } >> release_notes/llvm-wasm-prebuilt-latest.md
139+
140+ cp .github/release-notes/webvulkan-package-latest.md release_notes/webvulkan-package-latest.md
141+ {
142+ echo
143+ echo "Build metadata:"
144+ echo "- Commit: \`${GITHUB_SHA}\`"
145+ echo "- Workflow run: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
146+ } >> release_notes/webvulkan-package-latest.md
147+
112148 - name : Upload refresh artifacts
113149 uses : actions/upload-artifact@v4
114150 with :
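Review bot: The signing step at lines 118–125 publishes only a detached `.sig` and `.pem` per zip, so a consumer gets no Rekor transparency-log entry and nothing in the release-notes metadata block (lines 135–138, 143–146) tells them which `--certificate-identity` / `--certificate-oidc-issuer` to pass to `cosign verify-blob`; without those constraints a keyless signature proves little about who built the artifact. Emit a Sigstore bundle alongside the existing outputs, upload it with the other assets, and append one verification line to the notes, e.g. `- Verify: cosign verify-blob --bundle <zip>.sigstore.json --certificate-identity-regexp '^https://github.com/<owner>/<repo>/' --certificate-oidc-issuer https://token.actions.githubusercontent.com <zip>`. A `cosign verify-blob` run right after signing would also catch a broken keyless flow before the next steps `--clobber` the live `latest` assets. Separately, `sigstore/cosign-installer@v3` is pulled by a mutable tag into a workflow that holds `contents: write` and `id-token: write`; pin it (and ideally the other actions on this release path) to a full commit SHA.

```yaml
      - name: Sign release bundles
        run: |
          cosign sign-blob --yes \
            --output-signature release_artifacts/llvm-wasm-install.zip.sig \
            --output-certificate release_artifacts/llvm-wasm-install.zip.pem \
            --bundle release_artifacts/llvm-wasm-install.zip.sigstore.json \
            release_artifacts/llvm-wasm-install.zip
          # … same pattern for release_artifacts/webvulkan-package.zip …

      - name: Verify signatures before publishing
        run: |
          for zip in llvm-wasm-install.zip webvulkan-package.zip; do
            cosign verify-blob \
              --bundle "release_artifacts/${zip}.sigstore.json" \
              --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              "release_artifacts/${zip}"
          done
```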
@@ -122,15 +158,18 @@ jobs:
122158 run : |
123159 LLVM_ZIP="release_artifacts/llvm-wasm-install.zip"
124160 LLVM_SHA="release_artifacts/llvm-wasm-install.zip.sha256"
161+ LLVM_SIG="release_artifacts/llvm-wasm-install.zip.sig"
162+ LLVM_PEM="release_artifacts/llvm-wasm-install.zip.pem"
163+ LLVM_NOTES="release_notes/llvm-wasm-prebuilt-latest.md"
125164 if gh release view "${LLVM_RELEASE_TAG}" >/dev/null 2>&1; then
126- gh release upload "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" --clobber
165+ gh release upload "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" "${LLVM_SIG}" "${LLVM_PEM}" --clobber
127166 gh release edit "${LLVM_RELEASE_TAG}" \
128167 --title "LLVM wasm prebuilt latest" \
129- --notes "Auto-refreshed from ${GITHUB_SHA}. "
168+ --notes-file "${LLVM_NOTES} "
130169 else
131- gh release create "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" \
170+ gh release create "${LLVM_RELEASE_TAG}" "${LLVM_ZIP}" "${LLVM_SHA}" "${LLVM_SIG}" "${LLVM_PEM}" \
132171 --title "LLVM wasm prebuilt latest" \
133- --notes "Auto-refreshed from ${GITHUB_SHA}. "
172+ --notes-file "${LLVM_NOTES} "
134173 fi
135174
136175 - name : Publish package release
@@ -139,30 +178,45 @@ jobs:
139178 run : |
140179 PKG_ZIP="release_artifacts/webvulkan-package.zip"
141180 PKG_SHA="release_artifacts/webvulkan-package.zip.sha256"
181+ PKG_SIG="release_artifacts/webvulkan-package.zip.sig"
182+ PKG_PEM="release_artifacts/webvulkan-package.zip.pem"
183+ PKG_NOTES="release_notes/webvulkan-package-latest.md"
142184 if gh release view "${PACKAGE_RELEASE_TAG}" >/dev/null 2>&1; then
143- gh release upload "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" --clobber
185+ gh release upload "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" "${PKG_SIG}" "${PKG_PEM}" --clobber
144186 gh release edit "${PACKAGE_RELEASE_TAG}" \
145187 --title "WebVulkan package latest" \
146- --notes "Auto-refreshed from ${GITHUB_SHA}. "
188+ --notes-file "${PKG_NOTES} "
147189 else
148- gh release create "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" \
190+ gh release create "${PACKAGE_RELEASE_TAG}" "${PKG_ZIP}" "${PKG_SHA}" "${PKG_SIG}" "${PKG_PEM}" \
149191 --title "WebVulkan package latest" \
150- --notes "Auto-refreshed from ${GITHUB_SHA}. "
192+ --notes-file "${PKG_NOTES} "
151193 fi
152194
153195 - name : Update repository variables
154196 env :
155197 GH_TOKEN : ${{ github.token }}
198+ continue-on-error : true
199+ shell : bash
156200 run : |
157201 LLVM_SHA="$(cut -d' ' -f1 release_artifacts/llvm-wasm-install.zip.sha256)"
158202 LLVM_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${LLVM_RELEASE_TAG}/llvm-wasm-install.zip"
159203 PKG_SHA="$(cut -d' ' -f1 release_artifacts/webvulkan-package.zip.sha256)"
160204 PKG_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${PACKAGE_RELEASE_TAG}/webvulkan-package.zip"
161205
206+ set +e
162207 gh variable set WEBVULKAN_LLVM_PREBUILT_URL --repo "${GITHUB_REPOSITORY}" --body "${LLVM_URL}"
208+ STATUS_A=$?
163209 gh variable set WEBVULKAN_LLVM_PREBUILT_SHA256 --repo "${GITHUB_REPOSITORY}" --body "${LLVM_SHA}"
210+ STATUS_B=$?
164211 gh variable set WEBVULKAN_PACKAGE_URL --repo "${GITHUB_REPOSITORY}" --body "${PKG_URL}"
212+ STATUS_C=$?
165213 gh variable set WEBVULKAN_PACKAGE_SHA256 --repo "${GITHUB_REPOSITORY}" --body "${PKG_SHA}"
214+ STATUS_D=$?
215+ set -e
216+
217+ if [ "${STATUS_A}" -ne 0 ] || [ "${STATUS_B}" -ne 0 ] || [ "${STATUS_C}" -ne 0 ] || [ "${STATUS_D}" -ne 0 ]; then
218+ echo "::warning::Repository variable update was skipped due to permission policy. Releases were still updated."
219+ fi
166220
167221 - name : Save refresh build cache
168222 if : always() && steps.cache_build.outputs.cache-hit != 'true'
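Review bot: The warning at line 218 blames any non-zero `gh variable set` on a permission policy, but the four calls can fail for other reasons (network, rate limiting, a renamed variable) and their stderr is discarded, so the log will mislead whoever debugs it; capture and print the output per call, e.g. `if ! out=$(gh variable set WEBVULKAN_LLVM_PREBUILT_SHA256 --repo "${GITHUB_REPOSITORY}" --body "${LLVM_SHA}" 2>&1); then echo "::warning::gh variable set WEBVULKAN_LLVM_PREBUILT_SHA256 failed: ${out}"; fi`. The more consequential case is that the previous steps have already clobbered the `latest` assets, so if a `*_SHA256` variable fails to update, anything that presumably pins on those repository variables will now download a zip whose digest no longer matches the recorded one; the warning should say the published digest may be stale, not only that the releases were updated. With `continue-on-error: true` added at step level, the `set +e` / `set -e` bookkeeping is redundant (the job continues either way); keeping only the explicit status handling makes the green outcome deliberate rather than incidental. The "Save refresh build cache" step at line 221 continues past the hunk.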