
ci: add Verify Release workflow to gate release artifacts #124

Merged
ashishkurmi merged 2 commits into step-security:main from ashishkurmi:verify-release-workflow on May 29, 2026

Conversation

@ashishkurmi

Member

Adds a manually-triggered (workflow_dispatch) gate that verifies a draft or published release meets all publishing requirements before it is made public:

  • Windows .exe (agent + launcher) and .msi installers are Authenticode-signed with a valid signature and an RFC3161 timestamp.
  • The macOS darwin binary is codesigned (Step Security Developer ID + hardened runtime) and notarized (Gatekeeper accepted / Notarized Developer ID).
  • Every relevant distributable binary has a corresponding signed checksum (.sha256.sig) that verifies against the release operator's Ed25519 public key and matches the artifact's actual SHA-256, mirroring the loader's verification scheme exactly.

A final gate job fails the run unless all checks pass. Accepts a tag and an optional repository input so it can be pointed at an upstream published release to confirm the workflow itself works.

What does this PR do?

Type of change

  • Bug fix
  • Enhancement
  • Documentation

Testing

  • Tested on macOS (version: ___)
  • Binary runs without errors: ./stepsecurity-dev-machine-guard --verbose
  • JSON output is valid: ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
  • No secrets or credentials included
  • Lint passes: make lint
  • Tests pass: make test

Related Issues

Adds a manually-triggered (workflow_dispatch) gate that verifies a draft or
published release meets all publishing requirements before it is made public:

- Windows .exe (agent + launcher) and .msi installers are Authenticode-signed
  with a valid signature and an RFC3161 timestamp.
- The macOS darwin binary is codesigned (Step Security Developer ID + hardened
  runtime) and notarized (Gatekeeper accepted / Notarized Developer ID).
- Every relevant distributable binary has a corresponding signed checksum
  (<artifact>.sha256.sig) that verifies against the release operator's Ed25519
  public key and matches the artifact's actual SHA-256, mirroring the loader's
  verification scheme exactly.

A final gate job fails the run unless all checks pass. Accepts a tag and an
optional repository input so it can be pointed at an upstream published release
to confirm the workflow itself works.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ashishkurmi ashishkurmi merged commit a583b8a into step-security:main May 29, 2026
10 checks passed
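The signed-checksum check that the PR description and commit message spell out (Ed25519 signature over the checksum, then digest compared with the artifact's real SHA-256), as an added Go example that is not part of this PR or the project's code. It assumes, since the page does not say, that `<artifact>.sha256` holds the hex digest in sha256sum format and that `<artifact>.sha256.sig` is a raw 64-byte Ed25519 signature over those bytes; the key pair and artifact are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// VerifySignedChecksum mirrors the gate the PR describes: the detached Ed25519
// signature (<artifact>.sha256.sig) must verify over <artifact>.sha256, and the
// digest in that file must equal the SHA-256 of the fetched artifact. Assumed
// layout (not on the page): "<hex>  <filename>\n" as sha256sum writes it; raw 64-byte sig.
func VerifySignedChecksum(pub ed25519.PublicKey, artifact, checksumFile, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, checksumFile, sig) {
		return errors.New("checksum signature does not verify against the release key")
	}
	// 2. Parse the hex digest (first token) from the now-authenticated file.
	fields := bytes.Fields(checksumFile)
	if len(fields) == 0 {
		return errors.New("checksum file is empty")
	}
	expected, err := hex.DecodeString(string(fields[0]))
	if err != nil || len(expected) != sha256.Size {
		return errors.New("checksum file does not carry a SHA-256 hex digest")
	}
	// 3. The artifact on disk must hash to the signed value.
	if actual := sha256.Sum256(artifact); subtle.ConstantTimeCompare(actual[:], expected) != 1 {
		return fmt.Errorf("artifact SHA-256 %x does not match signed digest %x", actual, expected)
	}
	return nil
}

// SignChecksum is the release-side counterpart, included only to build fixtures.
func SignChecksum(priv ed25519.PrivateKey, artifact []byte, name string) (chk, sig []byte) {
	chk = []byte(fmt.Sprintf("%x  %s\n", sha256.Sum256(artifact), name))
	return chk, ed25519.Sign(priv, chk)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key, not the real release key
	artifact := []byte("constructed stand-in for the stepsecurity-dev-machine-guard binary")
	chk, sig := SignChecksum(priv, artifact, "stepsecurity-dev-machine-guard")
	fmt.Println("genuine:", VerifySignedChecksum(pub, artifact, chk, sig))
	fmt.Println("tampered:", VerifySignedChecksum(pub, append(artifact, '!'), chk, sig))
}
```

The signature is checked before the checksum file is parsed, so a swapped or edited `.sha256` fails at step 1 rather than being trusted for the digest comparison.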