Skip to content
Sign Release

v1.2.5 #3

Sign in to view logs

v1.2.5

v1.2.5 #3

Workflow file for this run

.github/workflows/release-sign.yml at 58142bf
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) Contributors to the OpenEXR Project.
#
# Releases are signed via https://github.com/sigstore/sigstore-python.
# See https://docs.sigstore.dev for information about sigstore.
#
# This action creates a .tar.gz of the complete OpenEXR source tree at
# the given release tag, signs it via sigstore, and uploads the
# .tar.gz and the associated .tar.gz.sigstore credential bundle.
#
# To verify a downloaded release at a given tag:
#
# % pip install sigstore
# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/<tag> openexr-<tag>.tar.gz
#
name: Sign Release
on:
release:
types: [published]
permissions:
contents: write
id-token: write
repository-projects: write
jobs:
release:
name: Sign & upload release artifacts
runs-on: ubuntu-latest
env:
TAG: ${{ github.ref_name }}
steps:
- name: Set Prefix
# The tag name begins with a 'v', e.g. "v3.2.4", but the prefix
# should omit the 'v', so the tarball "openexr-3.2.4.tar.gz"
# extracts files into "openexr-v3.2.4/...". This matches
# the GitHub release page autogenerated artifact conventions.
run: |
echo OPENEXR_PREFIX=openexr-${TAG//v}/ >> $GITHUB_ENV
echo OPENEXR_TARBALL=openexr-${TAG//v}.tar.gz >> $GITHUB_ENV
shell: bash
- name: Checkout
uses: actions/checkout@v2
- name: Create archive
run: git archive --format=tar.gz -o ${OPENEXR_TARBALL} --prefix ${OPENEXR_PREFIX} ${TAG}
- name: Sign archive with Sigstore
uses: sigstore/[email protected]
with:
inputs: ${}
- name: Upload release archive
env:
GH_TOKEN: ${{ github.token }}
run: gh release upload ${{ github.ref_name }} ${OPENEXR_TARBALL} ${OPENEXR_TARBALL}.sigstore