Merge pull request #143 from jacksonpradolima/codex/add-release-verification-workflow-steps

Add release signing and lockfile checks

Author: jacksonpradolima

.github/workflows/code_quality.yml

@@ -27,6 +27,9 @@ jobs:
         run: |
           uv sync --frozen --extra dev
 
+      - name: Check lockfile freshness
+        run: uv lock --check
+
       - name: Run tests with coverage
         run: |
           uv run pytest --cov=gsppy --cov-branch --cov-report=term-missing:skip-covered --cov-report=xml

.github/workflows/publish.yml

@@ -12,6 +12,7 @@ jobs:
       name: pypi
       url: https://pypi.org/project/gsppy/
     permissions:
+      contents: write
       id-token: write
     steps:
       - uses: actions/checkout@v6
@@ -30,5 +31,31 @@ jobs:
         run: |
           python -m build
 
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0.17.0
+
+      - name: Generate SBOM (CycloneDX)
+        run: syft packages dist -o cyclonedx-json=dist/sbom.json
+
+      - name: Install sigstore
+        run: python -m pip install sigstore==3.5.1
+
+      - name: Sign distributions
+        run: |
+          cd dist
+          sigstore sign *.whl *.tar.gz
+
+      - name: Upload release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*.whl
+            dist/*.tar.gz
+            dist/*.whl.sig
+            dist/*.tar.gz.sig
+            dist/*.whl.pem
+            dist/*.tar.gz.pem
+            dist/sbom.json
+
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@v1.13.0

README.md

@@ -202,6 +202,28 @@ make bench-big           # run large benchmark
 > [!NOTE]
 > Tox in this project uses the "tox-uv" plugin. When running `make tox` or `tox`, missing Python interpreters can be provisioned automatically via uv (no need to pre-install all versions). This makes local setup faster.
 
+## 🔏 Release assets and verification
+
+Every GitHub release bundles artifacts to help you validate what you download:
+
+- Built wheels and source distributions produced by the automated publish workflow.
+- `sbom.json` (CycloneDX) generated with [Syft](https://github.com/anchore/syft).
+- Sigstore-generated `.sig` and `.pem` files for each artifact, created using GitHub OIDC identity.
+
+To verify a downloaded artifact from a release:
+
+```bash
+python -m pip install sigstore  # installs the CLI
+sigstore verify identity \
+  --certificate gsppy-<version>-py3-none-any.whl.pem \
+  --signature gsppy-<version>-py3-none-any.whl.sig \
+  --cert-identity "https://github.com/jacksonpradolima/gsp-py/.github/workflows/publish.yml@refs/tags/v<version>" \
+  --cert-oidc-issuer https://token.actions.githubusercontent.com \
+  gsppy-<version>-py3-none-any.whl
+```
+
+Replace `<version>` with the numeric package version (for example, `3.1.1`) in the filenames; in `--cert-identity`, this becomes `v<version>` (for example, `v3.1.1`). Adjust the filenames for the sdist (`.tar.gz`) if preferred. The same release page also hosts `sbom.json` for supply-chain inspection.
+
 ## 📖 Documentation
 
 - **Live site:** https://jacksonpradolima.github.io/gsp-py/