From 07ba86f14dbc685a7916e2eff74ed8a8003e7825 Mon Sep 17 00:00:00 2001 From: Cary Phillips Date: Tue, 24 Sep 2024 09:30:40 -0700 Subject: [PATCH] Update sigstore release signing action (#435) * Update sigstore release signing action The default behavior of sigstore/gh-action-sigstore-python has changed. Disable the automatic uploading of signed artifacts, since this now includes artifacts named with just the tag, without the "Imath-" prefix. Also, the signature file now has a .json suffix. Signed-off-by: Cary Phillips * pin action to sha; use TAG instead of ref_name Signed-off-by: Cary Phillips --------- Signed-off-by: Cary Phillips --- .github/workflows/release-sign.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml index 38663e81..18b2a128 100644 --- a/.github/workflows/release-sign.yml +++ b/.github/workflows/release-sign.yml @@ -48,18 +48,20 @@ jobs: shell: bash - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Create archive run: git archive --format=tar.gz -o ${IMATH_TARBALL} --prefix ${IMATH_PREFIX} ${TAG} - name: Sign archive with Sigstore - uses: sigstore/gh-action-sigstore-python@v3.0.0 + uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 with: inputs: ${{ env.IMATH_TARBALL }} + upload-signing-artifacts: false + release-signing-artifacts: false - name: Upload release archive env: GH_TOKEN: ${{ github.token }} - run: gh release upload ${{ github.ref_name }} ${IMATH_TARBALL} ${IMATH_TARBALL}.sigstore + run: gh release upload ${TAG} ${IMATH_TARBALL} ${IMATH_TARBALL}.sigstore.json
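Review bot: The new upload step expands `${TAG}` and `${IMATH_TARBALL}` unquoted, so the shell still applies word-splitting and globbing to values that come from the ref being released. Replacing `${{ github.ref_name }}` with the environment variable does stop the expression from being pasted into the script text, which is the safer form, but the line should read `run: gh release upload "${TAG}" "${IMATH_TARBALL}" "${IMATH_TARBALL}.sigstore.json"`. The unchanged `git archive` step in the same hunk has the same unquoted expansions and could be quoted the same way. Where `TAG` is assigned lies outside this hunk, so confirm it is set from a validated tag name. Since the job now runs only pinned actions and uploads through `GH_TOKEN`, the checkout step could also set `persist-credentials: false` so the token is not left in `.git/config` for later steps.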