harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

Merge pull request #396 from fettpl/fix/365-release-signatures

Browse source 
ci: add cosign keyless signing for release artifacts
This commit is contained in:
Chummy 2026-02-17 01:11:06 +08:00 committed by GitHub
commit ec39009048
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
.github/workflows/release.yml vendored
View file

@ -6,6 +6,7 @@ on:
permissions: permissions:
contents: write contents: write
id-token: write # Required for cosign keyless signing via OIDC
env: env:
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
@ -84,6 +85,20 @@ jobs:
with: with:
path: artifacts path: artifacts
- name: Install cosign
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: Sign artifacts with cosign (keyless)
run: |
for file in artifacts/**/*; do
[ -f "$file" ] || continue
cosign sign-blob --yes \
--oidc-issuer=https://token.actions.githubusercontent.com \
--output-signature="${file}.sig" \
--output-certificate="${file}.pem" \
"$file"
done
- name: Create GitHub Release - name: Create GitHub Release
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
with: with: