From 1039888536fdd3e4eae590a17de93a628ffe9550 Mon Sep 17 00:00:00 2001
From: Oleg Smirnov
Date: Tue, 4 Mar 2025 10:26:50 +0100
Subject: [PATCH 1/2] Add sigstore gradle plugin
---
 buildSrc/build.gradle.kts | 1 +
 buildSrc/src/main/kotlin/convention.publication.gradle.kts | 1 +
 gradle/libs.versions.toml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index cedccb31..35ab926e 100644
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
@@ -8,4 +8,5 @@ repositories {

 dependencies {
 implementation(libs.kotlin.gradle.plugin)
+ implementation(libs.sigstore.gradle.plugin)
 }
\ No newline at end of file
diff --git a/buildSrc/src/main/kotlin/convention.publication.gradle.kts b/buildSrc/src/main/kotlin/convention.publication.gradle.kts
index 2832963f..be453dfc 100644
--- a/buildSrc/src/main/kotlin/convention.publication.gradle.kts
+++ b/buildSrc/src/main/kotlin/convention.publication.gradle.kts
@@ -1,6 +1,7 @@
 plugins {
 `maven-publish`
 signing
+ id("dev.sigstore.sign")
 }

 val javadocJar by tasks.registering(Jar::class) {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index f3b25052..12572d5f 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -42,6 +42,7 @@ kotlin-codepoints = { group = "de.cketti.unicode", name = "kotlin-codepoints", v
 normalize = { group = "com.doist.x", name = "normalize", version = "1.1.1" }
 karacteristics = { group = "io.github.optimumcode", name = "karacteristics", version = "0.0.4" }
 kotlin-gradle-plugin = { module = "org.jetbrains.kotlin:kotlin-gradle-plugin", version.ref = "kotlin" }
+sigstore-gradle-plugin = { module = "dev.sigstore:sigstore-gradle-sign-plugin", version = "1.3.0"}

 [bundles]
 openapi = ["openapi-validator", "openapi-interfaces", "openapi-jackson"]
From 2c0c2ec35ee0f8728557160288af6e9299fe3906 Mon Sep 17 00:00:00 2001
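Review bot: In `buildSrc/src/main/kotlin/convention.publication.gradle.kts`, applying `id("dev.sigstore.sign")` unconditionally in the shared convention makes Sigstore signing part of every publication build, not only the two workflow jobs that receive `id-token: write` in patch 2/2. Outside GitHub Actions there is no ambient OIDC token, so a local `publishToMavenLocal` or a CI job without that permission will presumably fail or fall back to an interactive login; that should be confirmed and either documented or guarded. A short comment above the line would help, for example `// keyless Sigstore signing; needs an OIDC identity (id-token: write in CI)`. The `plugins` block is complete in the hunk, but the rest of the file is not shown.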
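Review bot: In `gradle/libs.versions.toml`, the new `sigstore-gradle-plugin` entry ends with `"1.3.0"}` while the neighbouring entries put a space before the closing brace; `version = "1.3.0" }` would match them. This plugin is loaded on the buildSrc classpath and therefore runs inside the jobs that sign and publish. It is worth checking whether the project keeps Gradle dependency verification metadata that needs the new module and its transitive dependencies added; that file, if it exists, is not part of this patch.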
From: Oleg Smirnov
Date: Tue, 4 Mar 2025 10:28:34 +0100
Subject: [PATCH 2/2] Add required permissions to release and snapshot workflows
---
 .github/workflows/release.yml | 4 ++++
 .github/workflows/snapshot_release.yml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c5124f2f..9d35fb1d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,10 @@ jobs:
 build-and-test:
 uses: ./.github/workflows/build-and-test.yml
 publish_artifacts:
+ # permissions required for sigstore signature
+ permissions:
+ id-token: write
+ contents: read
 needs:
 - version
 - build-and-test
diff --git a/.github/workflows/snapshot_release.yml b/.github/workflows/snapshot_release.yml
index 365c147b..b8b02e2b 100644
--- a/.github/workflows/snapshot_release.yml
+++ b/.github/workflows/snapshot_release.yml
@@ -21,6 +21,10 @@ jobs:
 secrets:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 publish:
+ # permissions required for sigstore signature
+ permissions:
+ id-token: write
+ contents: read
 needs:
 - build-and-test
 runs-on: macos-latest
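Review bot: In `.github/workflows/release.yml`, declaring `permissions` on `publish_artifacts` sets every scope that is not listed to `none` for that job, so with only `id-token: write` and `contents: read` any later step that pushes a tag, creates a release or writes packages would start failing. The job's steps lie outside the hunk, so this needs checking against the full file, and the same applies to the `publish` job in `snapshot_release.yml`. The comment could say what each scope is for, e.g. `# id-token: write lets the job request the GitHub OIDC token used for keyless Sigstore signing; contents: read is kept for checkout`. Release and snapshot signatures will most likely carry different workflow identities in their signing certificates, which is worth documenting for anyone who verifies the artifacts against an expected identity.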