Create sign-release.yml

DavidOsipov · web-flow · commit 6b2cc8f4c15c · 2025-03-13T02:54:51.000+04:00
Signed-off-by: David Osipov &lt;personal@david-osipov.vision&gt;
diff --git a/.github/workflows/sign-release.yml b/.github/workflows/sign-release.yml
@@ -0,0 +1,53 @@
+name: Sign Release Artifacts
+
+on:
+  release:
+    types: [created]  # Trigger only when a new release is *created*
+
+permissions:
+  contents: write  # Needed to upload release assets
+  id-token: write  # Needed for OIDC authentication with Sigstore
+
+jobs:
+  sign:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false  # Avoid keeping credentials around longer than needed
+
+      - name: Set up Python  #  This step is CRUCIAL
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10' # Or another supported version, matching your project
+
+      - name: Install dependencies (including your package in editable mode)
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .  # Install your package (so it's available to the signing action)
+
+      - name: Sign Script with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: feldman_vss.py
+            README.md
+            LICENSE
+          # Optional: Sign other files too, e.g., a README or LICENSE
+          # inputs: |
+          #   feldman_vss.py
+          #   README.md
+          #   LICENSE
+          release-signing-artifacts: true # Upload signatures as release assets
+          upload-signing-artifacts: true # Also upload as workflow artifacts (for debugging)
+
+      # Optional: Verify the signature (good practice)
+      - name: Verify Signature
+        if: always()  # Run verification even if signing fails (for diagnostics)
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: feldman_vss_current.py
+          verify: true
+          #  We know the identity because it will be the GitHub Actions bot.
+          #  The format is {actor}@users.noreply.github.com
+          verify-cert-identity: ${{ github.actor }}@users.noreply.github.com
+          verify-oidc-issuer: https://token.actions.githubusercontent.com
