ci: add cosign keyless signing for release artifacts

- Add sigstore/cosign keyless signing to the release workflow
- Each artifact gets a detached .sig signature and .pem certificate
- Uses GitHub Actions OIDC for keyless signing (no secret management)
- Adds id-token: write permission for OIDC token generation
- Signatures and certificates are uploaded alongside binaries

Users can verify artifacts with:
  cosign verify-blob --certificate <file>.pem --signature <file>.sig \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity-regexp="github.com/zeroclaw-labs/zeroclaw" \
    <file>

Closes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fettpl 2026-02-16 17:55:40 +01:00
parent de3ec87d16
commit fed1997f62


@ -6,6 +6,7 @@ on:
permissions: permissions:
contents: write contents: write
id-token: write # Required for cosign keyless signing via OIDC
env: env:
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
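Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow (not only the one that runs cosign) can mint an OIDC token. Least privilege would be to keep the top-level block as it was and add `id-token: write` under the `permissions:` of the release job alone, next to the `Sign artifacts with cosign (keyless)` step, so that build or test jobs cannot request a token asserting the repository's identity.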
@ -84,6 +85,20 @@ jobs:
with: with:
path: artifacts path: artifacts
- name: Install cosign
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: Sign artifacts with cosign (keyless)
run: |
for file in artifacts/**/*; do
[ -f "$file" ] || continue
cosign sign-blob --yes \
--oidc-issuer=https://token.actions.githubusercontent.com \
--output-signature="${file}.sig" \
--output-certificate="${file}.pem" \
"$file"
done
- name: Create GitHub Release - name: Create GitHub Release
uses: softprops/action-gh-release@v2 uses: softprops/action-gh-release@v2
with: with:
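Review bot: the glob `artifacts/**/*` in the `Sign artifacts with cosign (keyless)` step only recurses if `globstar` is enabled, and it is not set here; in a default bash `**` behaves like `*`, so only files exactly one directory below `artifacts/` are matched and anything nested deeper is silently skipped by the `[ -f "$file" ] || continue` guard, leaving unsigned binaries in the release. Either add `shopt -s globstar` before the loop or iterate with `find artifacts -type f` so the match depth does not depend on the layout produced by the download step above. It would also be worth a comment noting that the glob is expanded once before the loop runs, which is why the `.sig` and `.pem` files written next to each artifact are not themselves picked up and signed.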