feat(ci): add cosign to sign the released binaries #459
I am not super familiar with cosign but did a bit of reading and this seems like it is using the approach suggested in the docs.
Could we add a doc on how to run the verification after downloading the files?
make dist-${{ needs.parse.outputs.runtime }} | ||
# Check if there's any files to archive as tar fails otherwise | ||
if stat dist/bin/* >/dev/null 2>&1; then |
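Review bot: the `stat dist/bin/*` guard sends both stdout and stderr to `/dev/null`, and in the lines shown nothing reports the case where the guard is false, so a `make dist-*` run that unexpectedly leaves `dist/bin` empty would skip archiving without any trace in the job log. Consider printing a message that names the runtime when the guard fails, or failing the job for runtimes that are expected to ship binaries, so that a release missing its archive is noticed. The comment above the guard could also state which targets are expected to produce no files.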
What's the scenario where there are no files after running `make dist-*`?
You meant after `make build-*`? If we release `containerd-shim-wasm-test-modules`, I think there will be no files in `disk/bin`.
Sure, I also intend to add the verification doc on the release page.
Signed-off-by: jiaxiao zhou <[email protected]>
@jeremyrickard could you please take a look?
LGTM, it would be nice to have one more set of eyes on this PR since I am fairly new to cosign
LGTM
This draft PR adds cosign signing for the released binaries. It is WIP.
I am testing releases in my own forked repo: https://github.com/Mossaka/runwasi/actions/runs/7634841458
Related to #417