From ca1b487faedb41da37dd25f602d4c76c25bbe375 Mon Sep 17 00:00:00 2001
From: Ned Batchelder
Date: Sun, 14 May 2023 20:31:41 -0400
Subject: build: sign artifacts with sigstore

---
 .github/workflows/kit.yml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/.github/workflows/kit.yml b/.github/workflows/kit.yml
index 179f7a64..9c46f20e 100644
--- a/.github/workflows/kit.yml
+++ b/.github/workflows/kit.yml
@@ -149,6 +149,7 @@ jobs:
       - name: "Install Python 3.8"
         uses: actions/setup-python@v4
         with:
+          # PYVERSIONS
           python-version: "3.8"
           cache: pip
           cache-dependency-path: 'requirements/*.pip'
@@ -175,6 +176,7 @@ jobs:
         with:
           name: dist
           path: wheelhouse/*.whl
+          retention-days: 7
 
   sdist:
     name: "Source distribution"
@@ -186,6 +188,7 @@ jobs:
       - name: "Install Python 3.8"
         uses: actions/setup-python@v4
         with:
+          # PYVERSIONS
           python-version: "3.8"
           cache: pip
           cache-dependency-path: 'requirements/*.pip'
@@ -207,6 +210,7 @@ jobs:
         with:
           name: dist
           path: dist/*.tar.gz
+          retention-days: 7
 
   pypy:
     name: "PyPy wheel"
@@ -241,3 +245,40 @@ jobs:
         with:
           name: dist
           path: dist/*.whl
+          retention-days: 7
+
+  sign:
+    # This signs our artifacts, but we don't use the signatures for anything
+    # yet. Someday maybe PyPI will have a way to upload and verify them.
+    name: "Sign artifacts"
+    needs:
+      - wheels
+      - sdist
+      - pypy
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: "Download artifacts"
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+
+      - name: "Sign artifacts"
+        uses: sigstore/gh-action-sigstore-python@v1.2.3
+        with:
+          inputs: coverage-*.*
+
+      - name: "List files"
+        run: |
+          ls -alR
+
+      - name: "Upload signatures"
+        uses: actions/upload-artifact@v3
+        with:
+          name: signatures
+          path: |
+            *.crt
+            *.sig
+            *.sigstore
+          retention-days: 7
-- 
cgit v1.2.1
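Review bot: The new `sign` job grants `id-token: write` and then runs third-party actions referenced only by mutable tags (`sigstore/gh-action-sigstore-python@v1.2.3`, `actions/download-artifact@v3`, `actions/upload-artifact@v3`), so a retagged or compromised action release would run with an OIDC token that can obtain Fulcio certificates in this repository's workflow identity. The action that actually consumes the token should at least be pinned to a full commit SHA with the version kept as a comment, `uses: sigstore/gh-action-sigstore-python@<commit-sha>  # v1.2.3`, even though the rest of the file pins by tag. Keyless signing also publishes a Rekor transparency-log entry for every run, tied to the repo/workflow/ref in the certificate, which is worth stating next to the existing job comment: `# Keyless signing: each run creates a public Rekor log entry naming this workflow's identity.` The workflow's `on:` triggers are outside the hunk, so whether this job (and its log entries) also fires for non-release runs cannot be confirmed here.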