action: download default release assets to sign #46
Conversation
Signed-off-by: Andrew Pan <a@tny.town>
Doing this also significantly increases the number of assets attached to a release by default: https://github.com/tnytown/gh-action-sigstore-python/releases/tag/TEST_RELEASE |
Signed-off-by: Andrew Pan <a@tny.town>
98c68ba to e752fbe
What happens if we name it
Yep, the README is good -- this action isn't documented at all on the main Sigstore website. That's something we should consider in the future, though!
Yeah -- the Then, with a 2.0 release, we can switch that setting to |
LGTM overall! Two small nitpicks.
Just to clarify: We can do this with a follow-up PR. I'll make an issue to track that. |
I swapped it to |
Cool! If it doesn't, we could always do something generic like |
Signed-off-by: Andrew Pan <a@tny.town>
6edbe5e to 77a8ee7
LGTM! Small tweaks but I'll merge those in and get this merged.
Signed-off-by: William Woodruff <william@yossarian.net>
CI is broken because of third-party PRs not having access to OIDC, sigh. I'll tweak |
Summary
This PR resolves #44. We now do the following on releases if `release-signing-artifacts` is enabled:
- download `{{ref}}.tar.gz` and `{{ref}}.zip`;
- re-upload them as `{{ref}}-signed.{{extension}}`, along with their signatures.
Release Note
The `release-signing-artifacts` setting was extended to re-upload and sign default assets. Previously, the stability of default asset hashes was not guaranteed, as they are generated on the fly by GitHub.
Documentation
https://docs.sigstore.dev does not seem to include documentation on the actions, but I will add a commit documenting the change to `release-signing-artifacts` in this repo's README.
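An added example, not code from gh-action-sigstore-python or from the PR author, illustrating the problem the Summary above addresses and the pattern the PR adopts. It builds the same constructed source tree into a `.tar.gz` twice with different gzip header timestamps: the decompressed contents are identical but the archive digests are not, which is one concrete way an archive generated on the fly can stop matching a signature made over an earlier copy. It then shows the PR's approach: download the default asset once, rename it to `{{ref}}-signed.{{extension}}`, and sign exactly those bytes. The function names (`build_source_archive`, `pin_default_assets`, `verify_pinned`), the sample tree and the ref `v1.2.0` are assumptions for illustration, and the sigstore signing step is stood in for by a sha256 digest, which is what a signature ultimately commits to.

```python
import gzip
import hashlib
import io
import tarfile
from typing import Dict, Optional

# Constructed sample repository contents; not a real release.
SAMPLE_TREE: Dict[str, bytes] = {
    "README.md": b"# demo\n",
    "src/main.py": b"print('hello')\n",
}
REF = "v1.2.0"  # assumed tag name


def build_source_archive(files: Dict[str, bytes], generated_at: int) -> bytes:
    """Build a .tar.gz of `files` the way an on-the-fly exporter might.

    Tar member metadata is held fixed, so the only thing that differs between
    two calls is the gzip header MTIME field (`generated_at`). That alone is
    enough to change the archive's digest without changing its contents.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{REF}/{name}")
            info.size = len(data)
            info.mtime = 0
            tf.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=generated_at) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_payload(archive: bytes) -> bytes:
    """The decompressed tar stream, i.e. the content with gzip framing removed."""
    return gzip.decompress(archive)


def signed_asset_name(asset_name: str, ref: str) -> Optional[str]:
    """Map a GitHub default asset name to the name it is re-uploaded under.

    Only `{ref}.tar.gz` and `{ref}.zip` are defaults; anything else returns
    None and is left alone.
    """
    for ext in ("tar.gz", "zip"):
        if asset_name == f"{ref}.{ext}":
            return f"{ref}-signed.{ext}"
    return None


def pin_default_assets(ref: str, assets: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot the default assets as downloaded: re-uploaded name -> sha256.

    The bytes digested here are the bytes that get re-uploaded and signed, so
    the digest a signature commits to is fixed from this point on, regardless
    of what GitHub generates for the default asset later.
    """
    pinned: Dict[str, str] = {}
    for name, data in assets.items():
        new_name = signed_asset_name(name, ref)
        if new_name is not None:
            pinned[new_name] = sha256_hex(data)
    return pinned


def verify_pinned(asset: bytes, expected_digest: str) -> bool:
    """What a consumer does before trusting an asset: compare digests."""
    return sha256_hex(asset) == expected_digest


def demo() -> dict:
    # Two on-the-fly generations of the "same" source archive, one minute apart.
    first = build_source_archive(SAMPLE_TREE, generated_at=1_700_000_000)
    later = build_source_archive(SAMPLE_TREE, generated_at=1_700_000_060)
    # The action downloads the defaults once; a non-default asset is ignored.
    pinned = pin_default_assets(REF, {f"{REF}.tar.gz": first, "notes.txt": b"x"})
    digest = pinned[f"{REF}-signed.tar.gz"]
    return {
        "same_content": archive_payload(first) == archive_payload(later),
        "same_digest": sha256_hex(first) == sha256_hex(later),
        "pinned_names": sorted(pinned),
        "reupload_verifies": verify_pinned(first, digest),
        "regenerated_verifies": verify_pinned(later, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The regenerated archive fails verification against the pinned digest even though its contents are unchanged; the re-uploaded copy passes because its bytes are frozen at the moment they were signed. That is the whole point of uploading a `-signed` copy rather than signing the default asset in place.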