Skip to content

Commit 4315ff2

Browse files
authored
[CI] Use cosign to sign nightly builds (#20034)
Enable artifact signing with sigstore/cosign in CI. This ensures that the builds were built exactly by the sycl-nightly workflow.
1 parent 466de9c commit 4315ff2

1 file changed

Lines changed: 12 additions & 0 deletions

File tree

.github/workflows/sycl-nightly.yml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -332,20 +332,30 @@ jobs:
332332
toolchain_artifact_filename: ${{ needs.build-win.outputs.toolchain_artifact_filename }}
333333
sycl_cts_artifact: sycl_cts_bin_win
334334

335+
# Verification example:
336+
# cosign-windows-amd64.exe verify-blob sycl_linux.tar.gz \
337+
# --bundle sycl_linux.tar.gz.sigstore.json \
338+
# --certificate-oidc-issuer https://token.actions.githubusercontent.com \
339+
# --certificate-identity https://github.com/intel/llvm/.github/workflows/sycl-nightly.yml@refs/heads/sycl
335340
nightly_build_upload:
336341
name: Nightly Build Upload
337342
if: ${{ github.ref_name == 'sycl' }}
338343
needs: [ubuntu2204_build, build-win]
339344
runs-on: ubuntu-latest
340345
permissions:
341346
contents: write
347+
id-token: write
342348
steps:
343349
- uses: actions/download-artifact@v4
344350
with:
345351
name: sycl_linux_default
346352
- uses: actions/download-artifact@v4
347353
with:
348354
name: sycl_windows_default
355+
- name: Sign with sigstore/cosign
356+
uses: sigstore/gh-action-sigstore-python@v3.0.1
357+
with:
358+
inputs: sycl_linux.tar.gz sycl_windows.tar.gz
349359
- name: Compute tag
350360
id: tag
351361
run: |
@@ -361,6 +371,8 @@ jobs:
361371
files: |
362372
sycl_linux.tar.gz
363373
sycl_windows.tar.gz
374+
sycl_linux.tar.gz.sigstore.json
375+
sycl_windows.tar.gz.sigstore.json
364376
tag_name: nightly-${{ steps.tag.outputs.TAG }}
365377
name: DPC++ daily ${{ steps.tag.outputs.TAG }}
366378
prerelease: true

0 commit comments

Comments
 (0)