Inspired by the work done over in https://github.com/openai/codex-action/pull/74, this tightens up our use of GitHub expressions as shell/environment variables.
name: linux-code-sign
|
|
description: Sign Linux artifacts with cosign.
|
|
inputs:
|
|
target:
|
|
description: Target triple for the artifacts to sign.
|
|
required: true
|
|
artifacts-dir:
|
|
description: Absolute path to the directory containing built binaries to sign.
|
|
required: true
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3.7.0
|
|
|
|
- name: Cosign Linux artifacts
|
|
shell: bash
|
|
env:
|
|
ARTIFACTS_DIR: ${{ inputs.artifacts-dir }}
|
|
COSIGN_EXPERIMENTAL: "1"
|
|
COSIGN_YES: "true"
|
|
COSIGN_OIDC_CLIENT_ID: "sigstore"
|
|
COSIGN_OIDC_ISSUER: "https://oauth2.sigstore.dev/auth"
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
dest="$ARTIFACTS_DIR"
|
|
if [[ ! -d "$dest" ]]; then
|
|
echo "Destination $dest does not exist"
|
|
exit 1
|
|
fi
|
|
|
|
for binary in codex codex-responses-api-proxy; do
|
|
artifact="${dest}/${binary}"
|
|
if [[ ! -f "$artifact" ]]; then
|
|
echo "Binary $artifact not found"
|
|
exit 1
|
|
fi
|
|
|
|
cosign sign-blob \
|
|
--yes \
|
|
--bundle "${artifact}.sigstore" \
|
|
"$artifact"
|
|
done
|
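Review bot: The `uses: sigstore/cosign-installer@v3.7.0` reference in the "Install cosign" step is a mutable tag, so the step installs whatever that tag resolves to at run time rather than a reviewed revision; since this action produces release signatures, pin it to a full commit SHA and keep the version as a trailing comment, `uses: sigstore/cosign-installer@<full-commit-sha>  # v3.7.0`. Keyless signing against the sigstore issuer configured under `env` presumably depends on the calling workflow granting `id-token: write`, which a composite action cannot declare for itself, so that prerequisite belongs in the action's `description`, e.g. `description: Sign Linux artifacts with cosign (keyless; the calling job must grant id-token: write).`. The `target` input is declared as required but is not referenced by either step, while the binaries to sign are hard-coded in the `for` loop; either consume `target` or drop it so the interface is not misleading. `COSIGN_YES: "true"` and the `--yes` flag do the same thing, so one of them can go.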