Commit 06350ac
ci: reorder release pipeline — sign first, then publish to GitHub
Fixes OpenSSF Scorecard "Signed-Releases" finding: release artifacts
uploaded to GitHub were unsigned. The pipeline now publishes to Maven
Central first (GPG-signed via maven-gpg-plugin), collects the signed
JARs and .asc files from target/, then attaches them to the GitHub
Release so every release asset has a verifiable signature.
For java-llama.cpp the release_to_maven_central flag is preserved:
- When true: publish-release signs + deploys to Central, then
github-release-signed uploads the signed assets to GitHub.
- When false/absent: github-release uploads unsigned jars as before.

1 parent ac84fe0 commit 06350ac
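As an added example (not code from this commit or from the java-llama.cpp pipeline): a pre-upload gate that a job such as github-release-signed could run over target/ after the Maven deploy, so that a missing or malformed .asc fails the job instead of silently attaching an unsigned asset to the GitHub Release. The directory layout (signed JARs and .asc files side by side in target/) follows the commit message; the function names, the artifact names and the sample directory are assumptions, and the optional `gpg --verify` step is only exercised when gpg is on PATH.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

ARMOR_HEADER = "-----BEGIN PGP SIGNATURE-----"
ARMOR_FOOTER = "-----END PGP SIGNATURE-----"
# Artifacts maven-gpg-plugin signs alongside the deploy; other files in
# target/ (classes, reports) are not release assets. Assumed set.
SIGNABLE_SUFFIXES = (".jar", ".pom")


def collect_assets(target: Path):
    """Pair every signable artifact in target/ with its sibling .asc (or None)."""
    pairs = []
    for path in sorted(target.iterdir()):
        if path.is_file() and path.suffix in SIGNABLE_SUFFIXES:
            asc = path.with_name(path.name + ".asc")
            pairs.append((path, asc if asc.is_file() else None))
    return pairs


def looks_like_armored_signature(asc: Path) -> bool:
    """Cheap structural check: an ASCII-armored detached signature carries
    both armor lines in order. It does not prove the signature verifies."""
    text = asc.read_text(encoding="utf-8", errors="replace")
    start = text.find(ARMOR_HEADER)
    end = text.find(ARMOR_FOOTER)
    return start != -1 and end > start


def gpg_verify(asset: Path, asc: Path, keyring=None):
    """Run `gpg --verify` when gpg is installed. Returns True or False, or
    None when gpg is not on PATH (the caller decides whether that is fatal)."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    cmd = [gpg, "--batch", "--verify"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += [str(asc), str(asset)]  # signature file first, then the signed file
    return subprocess.run(cmd, capture_output=True).returncode == 0


def unsigned_assets(target: Path, verify_with_gpg: bool = False):
    """Return one problem string per asset that must not be uploaded."""
    problems = []
    for asset, asc in collect_assets(target):
        if asc is None:
            problems.append(f"{asset.name}: no .asc signature")
        elif not looks_like_armored_signature(asc):
            problems.append(f"{asc.name}: not an ASCII-armored PGP signature")
        elif verify_with_gpg and gpg_verify(asset, asc) is False:
            problems.append(f"{asset.name}: gpg --verify failed")
    return problems


def build_sample_target() -> Path:
    """Constructed sample target/ directory (not real build output): one
    properly armored .asc, one garbage .asc, one artifact with no .asc."""
    target = Path(tempfile.mkdtemp()) / "target"
    target.mkdir()
    armored = f"{ARMOR_HEADER}\n\niQEzBAABCAAdFiEEconstructedsignaturebody\n=AbCd\n{ARMOR_FOOTER}\n"
    (target / "example-1.0.0.jar").write_bytes(b"PK\x03\x04 constructed jar")
    (target / "example-1.0.0.jar.asc").write_text(armored)
    (target / "example-1.0.0-sources.jar").write_bytes(b"PK\x03\x04 constructed sources")
    (target / "example-1.0.0-sources.jar.asc").write_text("not a signature\n")
    (target / "example-1.0.0.pom").write_text("<project/>\n")
    (target / "classes.txt").write_text("ignored: not a release asset\n")
    return target


def demo():
    """Gate the constructed sample; two of its three assets must be refused."""
    return unsigned_assets(build_sample_target())


if __name__ == "__main__":
    problems = demo()
    for problem in problems:
        print("REFUSE:", problem)
    raise SystemExit(1 if problems else 0)
```

In a real job the gate runs before the upload step and fails closed; passing `verify_with_gpg=True` together with a keyring holding only the project's published signing key catches a maven-gpg-plugin that signed with the wrong key, which the structural check alone cannot.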
1 file changed
Lines changed: 31 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
740 | 740 | | |
741 | 741 | | |
742 | 742 | | |
743 | | - | |
| 743 | + | |
744 | 744 | | |
745 | | - | |
| 745 | + | |
746 | 746 | | |
747 | 747 | | |
748 | 748 | | |
| |||
759 | 759 | | |
760 | 760 | | |
761 | 761 | | |
762 | | - | |
| 762 | + | |
763 | 763 | | |
764 | 764 | | |
| 765 | + | |
| 766 | + | |
765 | 767 | | |
766 | 768 | | |
767 | 769 | | |
| |||
790 | 792 | | |
791 | 793 | | |
792 | 794 | | |
| 795 | + | |
| 796 | + | |
| 797 | + | |
| 798 | + | |
| 799 | + | |
| 800 | + | |
| 801 | + | |
| 802 | + | |
| 803 | + | |
| 804 | + | |
| 805 | + | |
| 806 | + | |
| 807 | + | |
| 808 | + | |
| 809 | + | |
| 810 | + | |
| 811 | + | |
| 812 | + | |
| 813 | + | |
| 814 | + | |
| 815 | + | |
| 816 | + | |
| 817 | + | |
| 818 | + | |
| 819 | + | |
| 820 | + | |
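Review bot: per the commit message, the github-release path (release_to_maven_central false or absent) still uploads unsigned jars, so the Signed-Releases finding is only closed for releases that also go to Maven Central; either sign on that path as well or state the remaining gap in the message. Also, github-release-signed collects the .asc files from target/ but nothing in the description says it checks them before attaching; failing the job when any asset lacks a sibling .asc, and running `gpg --verify` against the project's published key, would stop a misconfigured maven-gpg-plugin from producing a release that is unsigned or signed with the wrong key.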