Skip to content

[CI] Use cosign to sign nightly builds #20034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 11, 2025
Merged

[CI] Use cosign to sign nightly builds #20034

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .github/workflows/sycl-nightly.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -332,20 +332,30 @@ jobs:
toolchain_artifact_filename: ${{ needs.build-win.outputs.toolchain_artifact_filename }}
sycl_cts_artifact: sycl_cts_bin_win

# Verification example:
# cosign-windows-amd64.exe verify-blob sycl_linux.tar.gz \
# --bundle sycl_linux.tar.gz.sigstore.json \
# --certificate-oidc-issuer https://token.actions.githubusercontent.com \
# --certificate-identity https://github.com/intel/llvm/.github/workflows/sycl-nightly.yml@refs/heads/sycl
nightly_build_upload:
name: Nightly Build Upload
if: ${{ github.ref_name == 'sycl' }}
needs: [ubuntu2204_build, build-win]
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
Copy link
Contributor

@sarnex sarnex Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any idea why we need write for this?

Copy link
Contributor Author

@KornevNikita KornevNikita Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.sigstore.dev/quickstart/quickstart-ci/#signing-files-using-your-ci-system says:
'id-token' needs write permission to retrieve the OIDC token, which is required for authentication.

Copy link
Contributor

@sarnex sarnex Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comment makes no sense to me, retrieve seems like a read operation, but seems their problem not ours

Copy link
Contributor Author

@KornevNikita KornevNikita Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can try to remove this just in case

steps:
- uses: actions/download-artifact@v4
with:
name: sycl_linux_default
- uses: actions/download-artifact@v4
with:
name: sycl_windows_default
- name: Sign with sigstore/cosign
uses: sigstore/gh-action-sigstore-python@v3.0.1
with:
inputs: sycl_linux.tar.gz sycl_windows.tar.gz
- name: Compute tag
id: tag
run: |
Expand All @@ -361,6 +371,8 @@ jobs:
files: |
sycl_linux.tar.gz
sycl_windows.tar.gz
sycl_linux.tar.gz.sigstore.json
sycl_windows.tar.gz.sigstore.json
tag_name: nightly-${{ steps.tag.outputs.TAG }}
name: DPC++ daily ${{ steps.tag.outputs.TAG }}
prerelease: true
Expand Down