SNOW-685438: Sign artifacts before publish #522

Merged
merged 1 commit into from
Aug 8, 2024


sfc-gh-anavalos
Contributor

Please answer these questions before submitting your pull requests. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

    Fixes #NNNN

  2. Fill out the following pre-review checklist:

    • I am adding a new automated test(s) to verify correctness of my new code
    • I am adding new logging messages
    • I am adding new credentials
    • I am adding a new dependency
  3. Please describe how your code solves the related issue.

    Please write a short description of how your code change solves the related issue.
    Signing artifacts with cosign before publishing them. The signing has the following steps:

  • sign artifacts
  • verify signature using bundle file
  • verify signature using public certificate and public key
  • copy artifacts to the release tag

@@ -13,7 +13,8 @@ on:
types: [published]

permissions:
contents: read
contents: write
id-token: write
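Review bot: the `permissions:` block raises `contents` to `write` and adds `id-token: write` with no comment saying which step needs each scope. If this block is at workflow level, as its position right after `on:` suggests, the wider token is handed to every job in the workflow; consider keeping `contents: read` here and granting `contents: write` and `id-token: write` only on the job that signs and uploads, with a one-line comment on each.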


Can you please explain this change?

Contributor Author


id-token is required for signing the artifacts with cosign.
This GitHub Action will sign the artifacts using the keyless process, verify the signature using the bundle file and the certificate and sig files, and finally copy the signing files to the release tag.
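The four steps described in this PR, written out as an added example workflow (not the project's own workflow file). The job name, the artifact path, the `release` trigger and the use of `github.workflow_ref` as the expected signing identity are assumptions.

```yaml
# Added example: keyless sign, verify twice, then attach to the release.
# dist/artifact.tar.gz and the job name are hypothetical placeholders.
on:
  release:
    types: [published]

jobs:
  sign-and-attach:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # upload the signing files to the release
      id-token: write   # OIDC token cosign exchanges for a short-lived certificate
    env:
      ARTIFACT: dist/artifact.tar.gz
      TAG: ${{ github.event.release.tag_name }}
      # Assumption: the certificate identity is this workflow file at the release ref.
      IDENTITY: https://github.com/${{ github.workflow_ref }}
      ISSUER: https://token.actions.githubusercontent.com
      GH_TOKEN: ${{ github.token }}
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      # A build step that produces $ARTIFACT is assumed to run here.
      - name: Sign artifact (keyless)
        run: |
          cosign sign-blob --yes \
            --bundle "$ARTIFACT.bundle" \
            --output-signature "$ARTIFACT.sig" \
            --output-certificate "$ARTIFACT.pem" \
            "$ARTIFACT"
      - name: Verify signature using the bundle file
        run: |
          cosign verify-blob --bundle "$ARTIFACT.bundle" \
            --certificate-identity "$IDENTITY" \
            --certificate-oidc-issuer "$ISSUER" "$ARTIFACT"
      - name: Verify signature using the certificate and sig files
        run: |
          cosign verify-blob --certificate "$ARTIFACT.pem" \
            --signature "$ARTIFACT.sig" \
            --certificate-identity "$IDENTITY" \
            --certificate-oidc-issuer "$ISSUER" "$ARTIFACT"
      - name: Copy signing files to the release tag
        run: |
          gh release upload "$TAG" \
            "$ARTIFACT.bundle" "$ARTIFACT.sig" "$ARTIFACT.pem"
```

Pinning both `--certificate-identity` and `--certificate-oidc-issuer` is what makes the verify steps meaningful: without them a signature from any Sigstore identity would pass.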

@sfc-gh-anavalos sfc-gh-anavalos marked this pull request as ready for review August 8, 2024 21:52
@sfc-gh-anavalos sfc-gh-anavalos requested a review from a team as a code owner August 8, 2024 21:52
@sfc-gh-anavalos sfc-gh-anavalos merged commit dd7fc8a into main Aug 8, 2024
45 of 47 checks passed
@sfc-gh-anavalos sfc-gh-anavalos deleted the sfc-anavalos-sign-before-publish branch August 8, 2024 21:53
@github-actions github-actions bot locked and limited conversation to collaborators Aug 8, 2024
3 participants