Skip to content

Sign Release

Sign Release #5

Workflow file for this run

# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) Contributors to the OpenFX Project.
#
# Releases are signed via https://github.com/sigstore/sigstore-python.
# See https://docs.sigstore.dev for information about sigstore.
#
# This action creates a .tar.gz of the complete OpenFX source tree at
# the given release tag, signs it via sigstore, and uploads the
# .tar.gz and the associated .tar.gz.sigstore credential bundle.
#
# To verify a downloaded release at a given tag:
#
# % pip install sigstore
# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openfx/.github/workflows/release-sign.yml@refs/tags/<tag> openfx-<tag>.tar.gz
#
name: Sign Release
on:
release:
types: [published]
workflow_dispatch:
permissions:
contents: read
jobs:
release:
name: Sign & upload release artifacts
runs-on: ubuntu-latest
env:
TAG: ${{ github.ref_name == 'main' && 'OFX_Release_1.5' || github.ref_name }}
permissions:
contents: write
id-token: write
repository-projects: write
steps:
- name: Set Prefix
# The tag name begins with a 'v', e.g. "v3.2.4", but the prefix
# should omit the 'v', so the tarball "openfx-3.2.4.tar.gz"
# extracts files into "openfx-v3.2.4/...". This matches
# the GitHub release page autogenerated artifact conventions.
run: |
echo OPENFX_PREFIX=openfx-${TAG//OFX_Release_}/ >> $GITHUB_ENV
echo OPENFX_TARBALL=openfx-${TAG//OFX_Release_}.tar.gz >> $GITHUB_ENV
shell: bash
- name: Checkout
uses: actions/[email protected]
fetch-depth: 10 # use this if tag is older than current head

Check failure on line 54 in .github/workflows/release-sign.yml

View workflow run for this annotation

GitHub Actions / Sign Release

Invalid workflow file

The workflow is not valid. .github/workflows/release-sign.yml (Line: 54, Col: 9): Unexpected value 'fetch-depth' .github/workflows/release-sign.yml (Line: 55, Col: 9): Unexpected value 'fetch-tags'
fetch-tags: true
- name: Create archive
run: git archive --format=tar.gz -o ${OPENFX_TARBALL} --prefix ${OPENFX_PREFIX} ${TAG}
- name: Sign archive with Sigstore
uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
with:
inputs: ${{ env.OPENFX_TARBALL }}
upload-signing-artifacts: false
release-signing-artifacts: false
- name: Upload release archive
env:
GH_TOKEN: ${{ github.token }}
run: gh release upload ${TAG} ${OPENFX_TARBALL} ${OPENFX_TARBALL}.sigstore.json