
@Ludy87 Ludy87 commented Dec 30, 2025

Motivation

  • Move signing to Cosign v3 bundle output so signatures are produced as Sigstore-compatible bundles.
  • Ensure provenance and attestations are published alongside release artifacts for supply-chain verification.
  • Provide the necessary GitHub Actions permissions to allow attestation and OIDC-based signing.
  • Upload signature bundles and provenance files with release artifacts so downstream tools can find them.

Description

  • Install cosign via sigstore/cosign-installer@v3.7.0 and sign artifacts using cosign sign-blob --bundle to write .sigstore.json files.
  • Replace the previous *.sig/*.pem outputs with ./artifacts/**/*.sigstore.json in the softprops/action-gh-release files list and include ./artifacts/**/*.intoto.jsonl.
  • Add an inline Python step that computes SHA-256 digests for artifacts and writes artifacts/provenance.intoto.jsonl containing an in-toto/SLSA provenance statement.
  • Add job permissions attestations: write and id-token: write and run actions/attest-build-provenance@v2 with the artifact subject-path patterns.

Testing

  • No automated tests were executed because this is a workflow-only change.

Codex Task
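As an added example (not the workflow step from this PR), the following Python mirrors what the inline provenance step in the description does: it computes SHA-256 digests for the release artifacts and writes a single-line in-toto Statement with a SLSA v1 provenance predicate to `provenance.intoto.jsonl`. It also goes one step further than the PR and adds the consumer-side check that recomputes each subject digest, which is how a downloader would catch a swapped artifact. The builder id, build type, repository and ref values are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

def sha256_of(path: Path) -> str:
    """Stream the file so large release archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_statement(artifacts: list[Path], builder_id: str, build_type: str, repo: str, ref: str) -> dict:
    """One in-toto Statement whose subject list names every artifact by file name and sha256."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": p.name, "digest": {"sha256": sha256_of(p)}} for p in artifacts],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {"buildType": build_type,
                                "externalParameters": {"repository": repo, "ref": ref}},
            "runDetails": {"builder": {"id": builder_id},
                           "metadata": {"finishedOn": datetime.now(timezone.utc).isoformat()}},
        },
    }

def check_subjects(provenance: Path, artifact_dir: Path) -> list[str]:
    """Consumer-side check: return every subject whose file is missing or whose digest no longer matches."""
    bad = []
    for line in provenance.read_text().splitlines():
        stmt = json.loads(line)
        if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PREDICATE_TYPE:
            bad.append("unexpected statement or predicate type")
            continue
        for subj in stmt["subject"]:
            target = artifact_dir / subj["name"]
            if not target.is_file() or sha256_of(target) != subj["digest"]["sha256"]:
                bad.append(subj["name"])
    return bad

def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: two fake artifacts, provenance written, then one artifact tampered with."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d) / "artifacts"; art.mkdir()
        (art / "app-linux-x64.tar.gz").write_bytes(b"constructed sample artifact 1")
        (art / "app-win-x64.zip").write_bytes(b"constructed sample artifact 2")
        files = sorted(p for p in art.iterdir() if p.is_file())  # provenance not yet present
        prov = art / "provenance.intoto.jsonl"
        stmt = build_statement(files, "https://github.com/example-org/builder-placeholder",
                               "https://example.invalid/build-type", "example-org/example-repo", "refs/tags/v1.0.0")
        prov.write_text(json.dumps(stmt, separators=(",", ":")) + "\n")  # .jsonl: one statement per line
        clean = check_subjects(prov, art)
        (art / "app-win-x64.zip").write_bytes(b"tampered after signing")
        return clean, check_subjects(prov, art)
```

Note that the statement covers only the digests; binding it to a build identity still requires signing or attesting it (cosign bundle or attest-build-provenance), which is what the rest of the PR supplies.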

Copilot AI review requested due to automatic review settings December 30, 2025 22:08
@Ludy87 Ludy87 added the codex null label Dec 30, 2025 — with ChatGPT Codex Connector
@dosubot dosubot bot added size:M This PR changes 30-99 lines ignoring generated files. enhancement New feature or request labels Dec 30, 2025
@stirlingbot stirlingbot bot added Github and removed enhancement New feature or request labels Dec 30, 2025

Copilot AI left a comment


Pull request overview

This pull request modernizes the release signing workflow by migrating from legacy signature formats to Sigstore-compatible bundles. It introduces cosign v3 bundle-based signing, generates SLSA provenance statements, and integrates GitHub's native attestation capabilities to enhance supply-chain security for release artifacts.

Key changes:

  • Implements cosign bundle signing (.sigstore.json files) for all release artifacts using keyless OIDC-based signing
  • Adds a Python script to generate custom in-toto provenance statements and integrates GitHub's attest-build-provenance action
  • Updates the release workflow to upload signature bundles and provenance files alongside artifacts


@Ludy87 Ludy87 changed the title Use cosign bundles for release signatures and include Sigstore bundles in releases chore(ci): add cosign signing and provenance attestation to multi-OS release workflow Dec 30, 2025
Removed the generation of provenance statements from the workflow.
@dosubot dosubot bot added size:S This PR changes 10-29 lines ignoring generated files. and removed size:M This PR changes 30-99 lines ignoring generated files. labels Dec 30, 2025
@stirlingbot stirlingbot bot added chore Routine tasks or maintenance that don't modify src or test files ci Changes to CI configuration files and scripts labels Dec 30, 2025
@Ludy87 Ludy87 closed this Jan 7, 2026