22# Set a tag, then push it to trigger the release workflow:
33# git tag v0.1.0
44# git push origin v0.1.0
5+ #
6+ # Prerequisites:
7+ # - Commits must be signed by a maintainer listed in .auths/allowed_signers
8+ # - No signing secrets needed — CI verifies commits, then signs artifacts with ephemeral keys
59
610name : Release
711
@@ -14,7 +18,19 @@ permissions:
1418 contents : write
1519
1620jobs :
21+ verify :
22+ runs-on : ubuntu-latest
23+ steps :
24+ - name : Checkout repository
25+ uses : actions/checkout@v4
26+ with :
27+ fetch-depth : 0
28+
29+ - name : Verify commit signatures
30+ uses : auths-dev/verify@v1
31+
1732 build :
33+ needs : verify
1834 strategy :
1935 fail-fast : false
2036 matrix :
@@ -97,14 +113,28 @@ jobs:
97113 $hash = (Get-FileHash ${{ matrix.asset_name }}${{ matrix.ext }} -Algorithm SHA256).Hash.ToLower()
98114 "$hash ${{ matrix.asset_name }}${{ matrix.ext }}" | Out-File -Encoding ascii ${{ matrix.asset_name }}${{ matrix.ext }}.sha256
99115
100- - name : Sign artifact ( Unix)
116+ - name : Sign artifact and log to Sigstore (ephemeral, Unix)
101117 if : matrix.ext == '.tar.gz'
102- uses : auths-dev/sign@v1
103- with :
104- token : ${{ secrets.AUTHS_CI_TOKEN }}
105- files : ${{ matrix.asset_name }}${{ matrix.ext }}
106- verify : true
107- note : ' GitHub Actions release — ${{ github.ref_name }}'
118+ run : |
119+ FILE="${{ matrix.asset_name }}${{ matrix.ext }}"
120+ ./staging/auths artifact sign "$FILE" \
121+ --ci \
122+ --commit "${{ github.sha }}" \
123+ --ci-platform github \
124+ --log sigstore-rekor \
125+ --note "Release ${{ github.ref_name }}"
126+
127+ - name : Sign artifact and log to Sigstore (ephemeral, Windows)
128+ if : matrix.ext == '.zip'
129+ shell : pwsh
130+ run : |
131+ $file = "${{ matrix.asset_name }}${{ matrix.ext }}"
132+ .\staging\auths.exe artifact sign $file `
133+ --ci `
134+ --commit $env:GITHUB_SHA `
135+ --ci-platform github `
136+ --log sigstore-rekor `
137+ --note "Release ${{ github.ref_name }}"
108138
109139 - name : Upload artifact
110140 uses : actions/upload-artifact@v4
@@ -142,7 +172,7 @@ jobs:
142172 for asset in auths-macos-aarch64 auths-linux-x86_64 auths-linux-aarch64; do
143173 curl -sL "${BASE}/${asset}.tar.gz.auths.json" -o "${asset}.auths.json"
144174 done
145- extract_hash() { python3 -c "import json; d=json.load(open('$1')); print(d[' payload'][' digest'][' hex']) "; }
175+ extract_hash() { jq -r '. payload. digest. hex' "$1 "; }
146176 {
147177 echo "version=${VERSION}"
148178 echo "macos_aarch64=$(extract_hash auths-macos-aarch64.auths.json)"
@@ -207,6 +237,6 @@ jobs:
207237 body : |
208238 Automated formula update from [release v${{ steps.hashes.outputs.version }}](https://github.com/auths-dev/auths/releases/tag/v${{ steps.hashes.outputs.version }}).
209239
210- SHA256 hashes extracted from `.auths.json` attestation files (dogfooding) .
240+ SHA256 hashes extracted from `.auths.json` provenance files.
211241 branch : " update-${{ steps.hashes.outputs.version }}"
212242 base : main
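Review bot: In the Sign-artifact hunk (`@@ -97,14 +113,28 @@`) both new `run:` blocks splice `${{ github.ref_name }}` straight into a double-quoted shell string (`--note "Release ${{ github.ref_name }}"`, bash on the Unix step and pwsh on the Windows step); the expression is substituted before the shell starts, so a tag name that happens to contain shell metacharacters is interpreted rather than passed as data, under this workflow's `contents: write` token. Here tags presumably come only from pushers with write access (the `on:` trigger is outside this chunk, so that is inferred), but GitHub's hardening guidance is still to hand such values over via `env:` and reference the variable — which the Windows step already does for `$env:GITHUB_SHA` while the Unix step still interpolates `${{ github.sha }}`, so the two steps are also inconsistent with each other. A smaller point in the `verify` job hunk: `auths-dev/verify@v1` is now the gate that `build` `needs`, and a moving major-version tag (as `v1` conventionally is) lets that gate's code change without a commit to this repository; pinning to a full commit SHA with the version in a trailing comment is the usual mitigation, and `actions/checkout@v4` would get the same treatment. The rewritten lines for the two signing steps:
```yaml
      - name: Sign artifact and log to Sigstore (ephemeral, Unix)
        if: matrix.ext == '.tar.gz'
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # … unchanged: FILE assignment, --ci, --ci-platform, --log …
            --commit "$GITHUB_SHA" \
            --note "Release $REF_NAME"

      - name: Sign artifact and log to Sigstore (ephemeral, Windows)
        if: matrix.ext == '.zip'
        shell: pwsh
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # … unchanged: $file assignment, --ci, --commit, --ci-platform, --log …
            --note "Release $env:REF_NAME"
```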