From 2fa36e102a7702fafcba13578e5ea79435c4e130 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Sun, 22 Jun 2025 14:22:29 +0200
Subject: [PATCH 1/2] chore(ci): Add sigstore bundle to release
---
 .github/workflows/release.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 65dab382d8..31ea31a5f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,3 +74,20 @@ jobs:
 for f in $(find . -name '*.zip'); do
 gh release upload $tag_name $f
 done
+ - name: Attach attestation
+ if: ${{ steps.release.outputs.releases_created == 'true' }}
+ env:
+ ATTESTATION_BUNDLE: ${{ steps.attest.outputs.bundle-path }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TAG_NAME: ${{ steps.release.outputs.tag_name }}
+ ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
+ run: |
+ # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
+ # OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
+ SIGSTORE_BUNDLE="github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore"
+ mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
+ if [ -z "$SIGSTORE_BUNDLE" ]; then
+ echo "No attestation bundle found, skipping attachment."
+ exit 0
+ fi
+ gh release upload $tag_name "$SIGSTORE_BUNDLE"

From 7263098d68aa08b6925b04eb2667aabf98b0f958 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 23 Jun 2025 09:10:12 +0200
Subject: [PATCH 2/2] chore(ci): Add sigstore bundle to release
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31ea31a5f2..c45fe5a5f7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
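Review bot: The skip check in the new "Attach attestation" step is dead and runs too late: `SIGSTORE_BUNDLE` is assigned a non-empty literal two lines earlier, so `if [ -z "$SIGSTORE_BUNDLE" ]` can never trigger, and when `steps.attest` produced no `bundle-path` the preceding `mv` has already failed the step under the default `bash -e` shell. Test `ATTESTATION_BUNDLE` instead, and do it before the `mv`, so a release without a bundle really is skipped rather than failed. The upload line also reads `$tag_name` while the step's env only defines `TAG_NAME`; unless `tag_name` is inherited from a job-level env outside the hunk, it expands empty and `gh release upload` fails — use `"$TAG_NAME"`. The same dead check survives the second patch's hunk. The enclosing job, including the `permissions` block this upload presumably needs `contents: write` in, starts outside the hunk.
```yaml
      run: |
        # … unchanged: comments on the OpenSSF *.sigstore naming …
        if [ -z "$ATTESTATION_BUNDLE" ] || [ ! -f "$ATTESTATION_BUNDLE" ]; then
          echo "No attestation bundle found, skipping attachment."
          exit 0
        fi
        SIGSTORE_BUNDLE="github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore"
        mv "$ATTESTATION_BUNDLE" "$SIGSTORE_BUNDLE"
        gh release upload "$TAG_NAME" "$SIGSTORE_BUNDLE"
```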
@@ -84,7 +84,7 @@ jobs:
 run: |
 # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
 # OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
- SIGSTORE_BUNDLE="github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore"
+ SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore
 mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
 if [ -z "$SIGSTORE_BUNDLE" ]; then
 echo "No attestation bundle found, skipping attachment."
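Review bot: The new `$RUNNER_TEMP`-based value is consumed unquoted on the next line, `mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE`; both operands are paths the script does not control (`ATTESTATION_BUNDLE` is a step output, `RUNNER_TEMP` is set by the runner), so quote them: `mv "$ATTESTATION_BUNDLE" "$SIGSTORE_BUNDLE"`. Now that the bundle is moved out of the workspace, the comment above (`rename attest bundle to …`) no longer describes what happens; `# move the attest bundle to $RUNNER_TEMP under the *.sigstore name OpenSSF expects` would. The `run` block continues past the end of the hunk.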