Commit 06350ac

ci: reorder release pipeline — sign first, then publish to GitHub
Fixes OpenSSF Scorecard "Signed-Releases" finding: release artifacts uploaded to GitHub were unsigned. The pipeline now publishes to Maven Central first (GPG-signed via maven-gpg-plugin), collects the signed JARs and .asc files from target/, then attaches them to the GitHub Release so every release asset has a verifiable signature.

For java-llama.cpp the release_to_maven_central flag is preserved:

- When true: publish-release signs + deploys to Central, then github-release-signed uploads the signed assets to GitHub.
- When false/absent: github-release uploads unsigned jars as before.
1 parent ac84fe0 commit 06350ac

1 file changed

Lines changed: 31 additions & 3 deletions

.github/workflows/publish.yml

@@ -740,9 +740,9 @@ jobs:
740740
MAVEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN }}
741741

742742
github-release:
743-
name: Attach Binaries to GitHub Release
743+
name: Attach Binaries to GitHub Release (Unsigned)
744744
needs: [check-tag]
745-
if: needs.check-tag.result == 'success'
745+
if: needs.check-tag.result == 'success' && github.event.inputs.release_to_maven_central != 'true'
746746
runs-on: ubuntu-latest
747747
permissions:
748748
contents: write
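Review bot: the new `if` on `github-release` (line 745) keeps the unsigned upload path as the default whenever `release_to_maven_central` is not exactly `'true'`, which covers every run where the input is absent (the commit message calls this the "false/absent" case, and a tag-push trigger has no `github.event.inputs` at all). For those runs the GitHub Release still receives unsigned jars, so the Scorecard Signed-Releases finding is only closed for runs that explicitly opt in. If unsigned releases are no longer wanted, invert the default (`!= 'false'`) or gate the job on a deliberate opt-out; otherwise a short comment above the `if` explaining why the unsigned fallback is retained would save the next reader from assuming the finding is fully fixed. The "(Unsigned)" suffix on the job name is a good signal either way.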
@@ -759,9 +759,11 @@ jobs:
759759
publish-release:
760760
name: Publish Release to Central
761761
if: needs.check-tag.result == 'success' && github.event.inputs.release_to_maven_central == 'true'
762-
needs: [github-release, check-tag, crosscompile-linux-x86_64-cuda]
762+
needs: [check-tag, crosscompile-linux-x86_64-cuda]
763763
runs-on: ubuntu-latest
764764
environment: maven-central
765+
permissions:
766+
contents: write
765767
steps:
766768
- uses: actions/checkout@v6
767769
- uses: actions/download-artifact@v8
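Review bot: `permissions: contents: write` added to `publish-release` (lines 765-766) looks wider than the job needs. The steps visible for it are checkout, download-artifact and, in the next hunk, the file collection plus `actions/upload-artifact`, none of which writes to repository contents; the GitHub Release upload now lives in `github-release-signed`, which declares its own `contents: write`. Unless a step in the elided middle of this job writes to the repo, drop the grant (or narrow it to `contents: read`) so the job that holds `MAVEN_PASSWORD` and `MAVEN_GPG_PASSPHRASE` does not also carry a write-capable `GITHUB_TOKEN`. Removing `github-release` from `needs` is right for the new ordering, since that job now runs only on the unsigned path.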
@@ -790,3 +792,29 @@ jobs:
790792
MAVEN_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
791793
MAVEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN }}
792794
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
795+
- name: Collect signed artifacts
796+
run: |
797+
mkdir -p signed-release-assets
798+
cp target/*.jar signed-release-assets/ 2>/dev/null || true
799+
cp target/*.jar.asc signed-release-assets/ 2>/dev/null || true
800+
- uses: actions/upload-artifact@v7
801+
with:
802+
name: signed-release-assets
803+
path: signed-release-assets/
804+
805+
github-release-signed:
806+
name: Attach Signed Binaries to GitHub Release
807+
needs: [publish-release]
808+
if: needs.publish-release.result == 'success'
809+
runs-on: ubuntu-latest
810+
permissions:
811+
contents: write
812+
steps:
813+
- uses: actions/download-artifact@v8
814+
with:
815+
name: signed-release-assets
816+
path: release-assets/
817+
- name: Upload release assets
818+
uses: softprops/action-gh-release@v3
819+
with:
820+
files: release-assets/*
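Review bot: the "Collect signed artifacts" step (lines 797-799) masks every failure with `2>/dev/null || true`, so if `maven-gpg-plugin` produced no `.asc` files, or `target/` holds no jars at all, the step still succeeds, an empty or signature-less asset set is uploaded, and `github-release-signed` then attaches exactly the unsigned release this commit is meant to prevent. Fail fast instead, e.g. after the copies: `test -n "$(ls signed-release-assets/*.jar.asc 2>/dev/null)" || { echo "no signatures found"; exit 1; }`, and ideally check that every `.jar` has a matching `.jar.asc`. Two smaller points: `target/*.jar` also sweeps up any non-release jars that build plugins leave in `target/` (for example the `original-*.jar` that maven-shade keeps), and the `.pom`/`.pom.asc` pair is not collected even though Central requires it signed too, so an explicit file list would be safer than globs. The `if: needs.publish-release.result == 'success'` on `github-release-signed` is redundant with `needs` and can go. Finally, `softprops/action-gh-release@v3` is a mutable tag; pinning it to a commit SHA avoids a Scorecard Pinned-Dependencies finding sitting next to the Signed-Releases one this change addresses.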
