-
Notifications
You must be signed in to change notification settings - Fork 77
87 lines (83 loc) · 3.1 KB
/
cross-os.yml
File metadata and controls
87 lines (83 loc) · 3.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# Copyright 2025 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Cross-platform sign and verify
on:
push:
branches:
- main
- series/*
pull_request:
workflow_dispatch:
permissions: {}
defaults:
run:
shell: bash
jobs:
sign:
name: Sign on ${{ matrix.os }}
runs-on: ${{ matrix.os }}-latest
strategy:
fail-fast: false
matrix:
os: [ubuntu, macos, windows]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
cache: "pip"
cache-dependency-path: pyproject.toml
- run: pip install .
- name: Fetch testing oidc token
uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
- name: Sign
run: python -m sigstore --staging sign --identity-token $(cat oidc-token.txt) test/assets/a.txt
- name: upload signature bundle
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: ${{ matrix.os }}-bundle
path: test/assets/a.txt.sigstore.json
if-no-files-found: error
retention-days: 1
verify:
name: Verify ${{ matrix.signed-with-os }} bundle on ${{ matrix.os }}
if: ${{ always() }} # don't stop some verification if one of the signing jobs failed
needs: [sign]
runs-on: ${{ matrix.os }}-latest
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu, macos, windows]
signed-with-os: [ubuntu, macos, windows]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
cache: "pip"
cache-dependency-path: pyproject.toml
- run: pip install .
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: ${{ matrix.signed-with-os }}-bundle
- name: Verify
run: |
python -m sigstore --staging verify github --verbose \
--cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
--bundle a.txt.sigstore.json \
test/assets/a.txt