Add release signing workflow using Sigstore

pmady · pmady · commit fb609a6f1736 · 2025-12-26T14:59:57.000-06:00
This adds a GitHub Actions workflow that signs release artifacts using Sigstore, following the OpenSSF Best Practices Badge recommendations. The workflow is triggered on release publication and: 1. Creates a .tar.gz archive of the source tree 2. Signs the archive using sigstore/gh-action-sigstore-python 3. Uploads both the tarball and .sigstore.json credential bundle Based on the OpenEXR release-sign.yml workflow template. Closes #2034 Signed-off-by: pmady <pavan4devops@gmail.com>
diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright Contributors to the OpenColorIO Project.
+
+#
+# Releases are signed via https://github.com/sigstore/sigstore-python.
+# See https://docs.sigstore.dev for information about sigstore.
+#
+# This action creates a .tar.gz of the complete OpenColorIO source tree at
+# the given release tag, signs it via sigstore, and uploads the
+# .tar.gz and the associated .tar.gz.sigstore credential bundle.
+#
+# To verify a downloaded release at a given tag:
+#
+#   % pip install sigstore
+#   % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/OpenColorIO/.github/workflows/release-sign.yml@refs/tags/<tag> OpenColorIO-<tag>.tar.gz
+#
+
+name: Sign Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Sign & upload release artifacts
+    runs-on: ubuntu-latest
+
+    env:
+      TAG: ${{ github.ref_name }}
+    permissions:
+      contents: write
+      id-token: write
+      repository-projects: write
+
+    steps:
+
+      - name: Set Prefix
+        # The tag name begins with a 'v', e.g. "v2.4.0", but the prefix
+        # should omit the 'v', so the tarball "OpenColorIO-2.4.0.tar.gz"
+        # extracts files into "OpenColorIO-2.4.0/...". This matches
+        # the GitHub release page autogenerated artifact conventions.
+        run: |
+          echo OCIO_PREFIX=OpenColorIO-${TAG//v}/ >> $GITHUB_ENV
+          echo OCIO_TARBALL=OpenColorIO-${TAG//v}.tar.gz >> $GITHUB_ENV
+        shell: bash
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Create archive
+        run: git archive --format=tar.gz -o ${OCIO_TARBALL} --prefix ${OCIO_PREFIX} ${TAG}
+
+      - name: Sign archive with Sigstore
+        uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
+        with:
+          inputs: ${{ env.OCIO_TARBALL }}
+          upload-signing-artifacts: false
+          release-signing-artifacts: false
+
+      - name: Upload release archive
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release upload ${TAG} ${OCIO_TARBALL} ${OCIO_TARBALL}.sigstore.json
