Skip to content

feat(release): attest artifacts and require signed tags#207

Open
TFT444 wants to merge 1 commit into
devfrom
feat/204-signed-releases
Open

feat(release): attest artifacts and require signed tags#207
TFT444 wants to merge 1 commit into
devfrom
feat/204-signed-releases

Conversation

@TFT444

@TFT444 TFT444 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements #204 with an identity-bound, keyless signed-release process.

  • rejects lightweight and GitHub-unverified release tags
  • requires signed annotated v* tags
  • creates a deterministic source archive using git archive and timestamp-free gzip
  • generates a CycloneDX SBOM and SHA-256 checksum manifest
  • creates GitHub/Sigstore provenance attestations for the archive, SBOM, and checksum manifest
  • publishes all artifacts in the GitHub Release
  • consolidates the old post-release SBOM workflow to avoid unsigned/duplicate assets
  • documents maintainer signing and user verification commands
  • adds workflow safety regression tests

Validation

  • signed release workflow YAML parses successfully
  • 4 workflow safety tests pass
  • Ruff passes
  • git diff --check passes

The next real release must use a signed annotated tag and complete the workflow before the OpenSSF signed-release criterion is marked Met.

Closes #204

@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

  • .github/workflows/sbom-release.yml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

release: sign release artifacts and important version tags

1 participant