Skip to content

[CI] Use cosign to sign nightly builds #20034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 11, 2025
Merged

[CI] Use cosign to sign nightly builds #20034

merged 1 commit into from
Sep 11, 2025

Conversation

@KornevNikita
Copy link
Contributor

@KornevNikita KornevNikita commented Sep 10, 2025

Enable artifact signing with sigstore/cosign in CI. This ensures that the builds were built exactly by the sycl-nightly workflow.

@KornevNikita
[CI] Use cosign to sign nightly builds
62166f9 
Enable artifact signing with sigstore/cosign in CI.
This ensures that the builds were built exactly by the sycl-nightly
workflow.
@KornevNikita KornevNikita requested a review from a team as a code owner September 10, 2025 10:26
aelovikov-intel
aelovikov-intel approved these changes Sep 10, 2025
View reviewed changes
Copy link
Contributor

@aelovikov-intel aelovikov-intel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not an expert, so feel free to gather extra feedback, but I don't see anything bad here.

sarnex
sarnex reviewed Sep 10, 2025
View reviewed changes
.github/workflows/sycl-nightly.yml
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
Copy link
Contributor

@sarnex sarnex Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any idea why we need write for this?

Copy link
Contributor Author

@KornevNikita KornevNikita Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.sigstore.dev/quickstart/quickstart-ci/#signing-files-using-your-ci-system says:
'id-token' needs write permission to retrieve the OIDC token, which is required for authentication.

Copy link
Contributor

@sarnex sarnex Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comment makes no sense to me, retrieve seems like a read operation, but seems their problem not ours

Copy link
Contributor Author

@KornevNikita KornevNikita Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can try to remove this just in case

sarnex
sarnex approved these changes Sep 10, 2025
View reviewed changes
Copy link
Contributor

@sarnex sarnex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cant provide in depth technical review but no flags

@KornevNikita KornevNikita mentioned this pull request Sep 11, 2025
Closed
@AlexeySachkov AlexeySachkov merged commit 4315ff2 into intel:sycl Sep 11, 2025
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sarnex sarnex sarnex approved these changes

@aelovikov-intel aelovikov-intel aelovikov-intel approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@KornevNikita @sarnex @aelovikov-intel @AlexeySachkov