workflows/release: upload assets, dogfood verification (#116)

* workflows/release: upload assets, dogfood verification Signed-off-by: William Woodruff <william@trailofbits.com> * sigstore: 0.5.1rc1 Signed-off-by: William Woodruff <william@trailofbits.com> * workflows/release: typo Signed-off-by: William Woodruff <william@trailofbits.com> * workflows/release: disambiguate CLI invocations Signed-off-by: William Woodruff <william@trailofbits.com> * workflows/release: put sigs and certs in their own directory To avoid confusing twine. Signed-off-by: William Woodruff <william@trailofbits.com> * workflows/release: include sigs and certs in assets Signed-off-by: William Woodruff <william@trailofbits.com> * sigstore: 0.5.1rc2 Signed-off-by: William Woodruff <william@trailofbits.com> * Update sigstore/__init__.py Co-authored-by: Dustin Ingram <di@users.noreply.github.com> * workflows/release: document signing artifact directory Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
sigstore · Jun 6, 2022 · fc1ed42 · fc1ed42
1 parent d79de22
commit fc1ed42
Showing 1 changed file with 37 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,10 +5,13 @@ on:
 
 name: release
 
-# Needed to access the workflow's OIDC identity.
 permissions:
+  # Needed to access the workflow's OIDC identity.
   id-token: write
 
+  # Needed to upload release assets.
+  contents: write
+
 jobs:
   pypi:
     name: Build, sign and publish release to PyPI
@@ -26,14 +29,32 @@ jobs:
 
     - name: sign
       run: |
+        mkdir -p smoketest-artifacts
+
         # we smoke-test sigstore by installing each of the distributions
-        # we've built in a fresh environment and using each to sign for itself,
-        # using the ambient OIDC identity
+        # we've built in a fresh environment and using each to sign and
+        # verify for itself, using the ambient OIDC identity
         for dist in dist/*; do
+          dist_base="$(basename "${dist}")"
+
           python -m venv smoketest-env
 
           ./smoketest-env/bin/python -m pip install "${dist}"
-          ./smoketest-env/bin/python -m sigstore sign "${dist}"
+
+          # NOTE: signing artifacts currently go in a separate directory,
+          # to avoid confusing the package uploader (which otherwise tries
+          # to upload them to PyPI and fails). Future versions of twine
+          # and the gh-action-pypi-publish action should support these artifacts.
+          ./smoketest-env/bin/python -m \
+            sigstore sign "${dist}" \
+            --output-signature smoketest-artifacts/"${dist_base}.sig" \
+            --output-certificate smoketest-artifacts/"${dist_base}.crt"
+
+          ./smoketest-env/bin/python -m \
+            sigstore verify "${dist}" \
+            --cert "smoketest-artifacts/${dist_base}.crt" \
+            --signature "smoketest-artifacts/${dist_base}.sig" \
+            --cert-oidc-issuer https://token.actions.githubusercontent.com \
 
           rm -rf smoketest-env
         done
@@ -43,3 +64,15 @@ jobs:
       with:
         user: __token__
         password: ${{ secrets.PYPI_TOKEN }}
+
+    - name: upload artifacts to github
+      # Confusingly, this action also supports updating releases, not
+      # just creating them. This is what we want here, since we've manually
+      # created the release that triggered the action.
+      uses: softprops/action-gh-release@v1
+      with:
+        # dist/ contains the built packages, which smoketest-artifacts/
+        # contains the signatures and certificates.
+        files: |
+          dist/*
+          smoketest-artifacts/*