Add signed UPM example package

Author: favoyang

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: Sign and release
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions:
+  contents: write
+
+jobs:
+  sign:
+    name: Sign UPM package
+    runs-on: ubuntu-latest
+    env:
+      UPM_SERVICE_ACCOUNT_KEY_ID: ${{ secrets.UPM_SERVICE_ACCOUNT_KEY_ID }}
+      UPM_SERVICE_ACCOUNT_KEY_SECRET: ${{ secrets.UPM_SERVICE_ACCOUNT_KEY_SECRET }}
+      UPM_ORG_ID: ${{ secrets.UPM_ORG_ID }}
+      PACKAGE_NAME: com.example.signed-upm
+      PACKAGE_VERSION: 1.0.0
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Unity UPM CLI
+        run: |
+          curl -fsSL https://cdn.packages.unity.com/upm-cli/install.sh -o install.sh
+          bash install.sh
+          echo "$HOME/.upm/bin" >> "$GITHUB_PATH"
+
+      - name: Verify Unity UPM CLI
+        run: upm --help
+
+      - name: Sign package
+        run: |
+          upm pack ./package --organization-id "$UPM_ORG_ID" --destination ./dist
+
+      - name: Verify signed archive
+        run: |
+          shopt -s nullglob
+          archives=(dist/*.tgz dist/*.tar.gz)
+          if [ "${#archives[@]}" -ne 1 ]; then
+            printf 'Expected exactly one package archive in dist, found %s\n' "${#archives[@]}" >&2
+            exit 1
+          fi
+
+          archive="${archives[0]}"
+          expected="dist/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
+          if [ "$archive" != "$expected" ]; then
+            printf 'Expected archive %s, found %s\n' "$expected" "$archive" >&2
+            exit 1
+          fi
+
+          tar -tzf "$archive" | grep -qx 'package/package.json'
+          actual="$(tar -xOzf "$archive" package/package.json | jq -r '.name + "@" + .version')"
+          if [ "$actual" != "${PACKAGE_NAME}@${PACKAGE_VERSION}" ]; then
+            printf 'Expected %s@%s, found %s\n' "$PACKAGE_NAME" "$PACKAGE_VERSION" "$actual" >&2
+            exit 1
+          fi
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/com.example.signed-upm-1.0.0.tgz

.gitignore

@@ -0,0 +1,2 @@
+dist/
+install.sh

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 OpenUPM
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,63 @@
+# Signed UPM Example
+
+This repository demonstrates a minimal Unity Package Manager package that is
+packed and signed in GitHub Actions, then published as a GitHub Release asset.
+It is intentionally small so package authors can copy the workflow into their
+own repositories without carrying unrelated project structure.
+
+Unity 6.3 checks digital signatures on tarball packages. The `upm pack`
+command creates a `.tgz` archive from the package folder and signs it with a
+Unity organization through service account credentials. The signed tarball can
+then be distributed directly, uploaded to a release, or submitted to a registry
+workflow that consumes release assets.
+
+## Package Layout
+
+- `package/package.json` is the Unity package manifest.
+- `package/package.json.meta` is the Unity meta file for the manifest.
+- `.github/workflows/ci.yml` signs the package only when a tag is pushed.
+
+The package has no runtime code. It exists only to demonstrate release
+automation for signed UPM tarballs.
+
+## GitHub Secrets
+
+Create a Unity service account with package signing permission for the
+organization that should sign the package. Add these GitHub Actions secrets to
+the repository:
+
+- `UPM_SERVICE_ACCOUNT_KEY_ID`
+- `UPM_SERVICE_ACCOUNT_KEY_SECRET`
+- `UPM_ORG_ID`
+
+For a single package, repository secrets are enough. If several repositories in
+the same GitHub organization sign packages for the same Unity organization,
+prefer GitHub organization secrets scoped to only the repositories that need
+them. That keeps credential rotation centralized while avoiding broad access.
+
+## Release Flow
+
+Update `package/package.json`, commit the change, then push a version tag:
+
+```sh
+git tag 1.0.0
+git push origin main 1.0.0
+```
+
+The workflow installs Unity UPM CLI, runs `upm pack ./package`, verifies that
+the archive contains `package/package.json` for `com.example.signed-upm@1.0.0`,
+and attaches the signed tarball to the matching GitHub Release.
+
+## OpenUPM
+
+To publish a signed GitHub Release asset through OpenUPM, submit the package
+metadata with `trackingMode: githubRelease` and set `githubReleaseAssetName` to
+the signed archive filename, for example:
+
+```yaml
+trackingMode: githubRelease
+githubReleaseAssetName: com.example.signed-upm-1.0.0.tgz
+```
+
+OpenUPM will download the public release asset instead of packing from the git
+checkout.

package/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "com.example.signed-upm",
+  "version": "1.0.0",
+  "displayName": "Signed UPM Example",
+  "description": "Minimal Unity package demonstrating Unity UPM code signing with GitHub Releases and OpenUPM.",
+  "unity": "6000.3",
+  "author": {
+    "name": "OpenUPM",
+    "url": "https://openupm.com"
+  },
+  "license": "MIT"
+}