From 7e4a66e5a34a313dc3c0eade698548febd1431ed Mon Sep 17 00:00:00 2001
From: Ben Ashbaugh <ben.ashbaugh@intel.com>
Date: Wed, 19 Nov 2025 18:30:41 -0800
Subject: [PATCH 1/2] add sigstore release signing

---
 .github/workflows/release.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cefdbd83..23102f86 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,7 @@ jobs:
 
     permissions:
       contents: write
+      id-token: write
 
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -59,6 +60,24 @@ jobs:
       shell: bash
       run: cmake --build . --parallel --config $BUILD_TYPE --target package
 
+    - name: Sign (Windows zip
+      if: |
+        startsWith(github.ref, 'refs/tags/') &&
+        matrix.os == 'windows-latest'
+      uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c #v3.1.0
+      with:
+        inputs: |
+          ./build/clintercept-*.zip
+
+    - name: Sign (Linux tgz)
+      if: |
+        startsWith(github.ref, 'refs/tags/') &&
+        matrix.os == 'ubuntu-latest'
+      uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c #v3.1.0
+      with:
+        inputs: |
+          ./build/clintercept-*.tar.gz
+
     - name: Release (Windows zip)
       if: |
         startsWith(github.ref, 'refs/tags/') &&

From dd84b4e9edd0d9c388afbcd2bead41afdac2c962 Mon Sep 17 00:00:00 2001
From: Ben Ashbaugh <ben.ashbaugh@intel.com>
Date: Wed, 19 Nov 2025 18:57:45 -0800
Subject: [PATCH 2/2] explicitly update python for Windows

---
 .github/workflows/release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23102f86..ce3f192e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -60,7 +60,13 @@ jobs:
       shell: bash
       run: cmake --build . --parallel --config $BUILD_TYPE --target package
 
-    - name: Sign (Windows zip
+    - name: Update Python (Windows)
+      if: matrix.os == 'windows-latest'
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      with:
+        python-version: '3.12'
+
+    - name: Sign (Windows zip)
       if: |
         startsWith(github.ref, 'refs/tags/') &&
         matrix.os == 'windows-latest'