Skip to content
Sign Release

v1.2.9 #7

Sign in to view logs

v1.2.9

v1.2.9 #7

Workflow file for this run

.github/workflows/release-sign.yml at 1923a47
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) Contributors to the OpenEXR Project.
#
# Releases are signed via https://github.com/sigstore/sigstore-python.
# See https://docs.sigstore.dev for information about sigstore.
#
# This action creates a .tar.gz of the complete Imath source tree at
# the given release tag, signs it via sigstore, and uploads the
# .tar.gz and the associated .tar.gz.sigstore credential bundle.
#
# To verify a downloaded release at a given tag:
#
# % pip install sigstore
# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/<tag> Imath-<tag>.tar.gz
#
name: Sign Release
on:
release:
types: [published]
permissions:
contents: read
jobs:
release:
name: Sign & upload release artifacts
runs-on: ubuntu-latest
env:
RELEASE_TAG: ${{ github.ref_name }}
permissions:
contents: write
id-token: write
repository-projects: write
steps:
- name: Sync Repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Create Archive Name
run: echo "IMATH_ARCHIVE=Imath-${RELEASE_TAG//v}" >> $GITHUB_ENV
- name: Generate Archives
run: |
git archive --prefix ${IMATH_ARCHIVE}/ --output ${IMATH_ARCHIVE}.zip ${RELEASE_TAG}
git archive --prefix ${IMATH_ARCHIVE}/ --output ${IMATH_ARCHIVE}.tar.gz ${RELEASE_TAG}
- name: Sign and Upload Archives
uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: |
${{ env.IMATH_ARCHIVE }}.zip
${{ env.IMATH_ARCHIVE }}.tar.gz
upload-signing-artifacts: true
release-signing-artifacts: false