🔏🧪 Sign the released dists with Sigstore

webknjaz · webknjaz · commit 986988af1b7d · 2024-01-26T18:21:59.000+01:00
The signatures are uploaded to GitHub Releases.
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -1651,6 +1651,7 @@ jobs:
     permissions:
       contents: write
       discussions: write
+      id-token: write  # IMPORTANT: mandatory for Sigstore signing
 
     steps:
     - name: Download all the dists
@@ -1659,16 +1660,28 @@ jobs:
         name: ${{ needs.pre-setup.outputs.dists-artifact-name }}
         path: dist/
 
+    - name: Sign the dists with Sigstore
+      uses: sigstore/gh-action-sigstore-python@v1.2.3
+      with:
+        inputs: >-
+          dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}
+          dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}
+
     - name: >-
         Publish a GitHub Release for
         ${{ needs.pre-setup.outputs.git-tag }}
+        with Sigstore-signed artifacts
       uses: ncipollo/release-action@v1.13.0
       with:
         allowUpdates: false
         artifactErrorsFailBuild: false
         artifacts: |
           dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}
+          dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}.crt
+          dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}.sig
           dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}
+          dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}.crt
+          dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}.sig
         artifactContentType: raw  # Because whl and tgz are of different types
         body: >
           # Release ${{ needs.pre-setup.outputs.git-tag }}
