
Conversation

@jacksonpradolima (Owner)

Summary

  • add a uv lock freshness check to the code quality workflow
  • extend the publish workflow to generate a CycloneDX SBOM, sign distributions with Sigstore, and upload the new assets to releases
  • document the release assets and how to verify signatures

Testing

  • not run (not requested)

Codex Task

Copilot AI (Contributor) left a comment


Pull request overview

This PR enhances the release process with supply chain security features and adds lockfile validation to the CI pipeline. It introduces Sigstore-based signing for release artifacts, SBOM generation for dependency tracking, and automated upload of these assets to GitHub releases. Additionally, it adds a lockfile freshness check to ensure the uv.lock file stays in sync with dependencies.

Key Changes:

  • Added lockfile freshness validation to the code quality workflow
  • Extended publish workflow with SBOM generation (CycloneDX format) and Sigstore signing
  • Automated upload of wheels, source distributions, signatures, certificates, and SBOM to GitHub releases
  • Documented the new release assets and signature verification process in README

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File | Description
.github/workflows/code_quality.yml | Adds uv lock --check step to verify lockfile is up-to-date with pyproject.toml
.github/workflows/publish.yml | Extends workflow with Syft SBOM generation, Sigstore signing, and automated release asset uploads; adds contents: write permission
README.md | Documents release assets (SBOM, signatures, certificates) and provides verification instructions using Sigstore CLI
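As an added example (not code from this PR or the project), a small Python check a maintainer could run on the dist/ directory after the signing step described in the review above: every wheel and sdist must sit beside its Sigstore signature and certificate, and the SBOM must parse as CycloneDX JSON. The .sig/.pem suffixes are taken from the PR's commit message; the SBOM filename, the package name and the sample files are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

DIST_SUFFIXES = (".whl", ".tar.gz")
COMPANIONS = (".sig", ".pem")  # Sigstore signature and certificate; suffixes assumed from the PR's commit message

def find_distributions(dist_dir: Path) -> list[Path]:
    """Return wheels and sdists in dist_dir; .sig/.pem by-products are not distributions."""
    return sorted(p for p in dist_dir.iterdir() if p.name.endswith(DIST_SUFFIXES))

def missing_signing_assets(dist_dir: Path) -> dict[str, list[str]]:
    """Map each distribution to the companion files it lacks (empty when every one is signed)."""
    missing: dict[str, list[str]] = {}
    for dist in find_distributions(dist_dir):
        absent = [s for s in COMPANIONS if not dist.with_name(dist.name + s).is_file()]
        if absent:
            missing[dist.name] = absent
    return missing

def sbom_is_cyclonedx(sbom_path: Path) -> bool:
    """True if the file parses as a CycloneDX JSON BOM (bomFormat and specVersion present)."""
    try:
        doc = json.loads(sbom_path.read_text())
    except (OSError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc

def check_release_assets(dist_dir: Path, sbom_path: Path) -> list[str]:
    """Return problems found; an empty list means the release asset set is complete."""
    problems = [f"{n}: missing {', '.join(a)}" for n, a in missing_signing_assets(dist_dir).items()]
    if not sbom_is_cyclonedx(sbom_path):
        problems.append(f"{sbom_path.name}: not a CycloneDX JSON SBOM")
    return problems

def build_sample_dist(root: Path) -> tuple[Path, Path]:
    """Constructed sample: a fully signed wheel, an sdist missing its .pem, a minimal SBOM."""
    dist = root / "dist"
    dist.mkdir()
    for name in ("pkg-1.0-py3-none-any.whl", "pkg-1.0-py3-none-any.whl.sig", "pkg-1.0-py3-none-any.whl.pem",
                 "pkg-1.0.tar.gz", "pkg-1.0.tar.gz.sig"):
        (dist / name).write_bytes(b"placeholder")
    sbom = root / "sbom.cdx.json"  # placeholder name; the PR page does not give the real filename
    sbom.write_text(json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}))
    return dist, sbom

def demo() -> list[str]:
    """Run the check on the constructed sample and return the reported problems."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_release_assets(*build_sample_dist(Path(tmp)))
```

Running the same check in the workflow right before the upload step catches a signing step that silently skipped a file, which is the failure the commit message's cd dist/ fix was addressing.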


@jacksonpradolima jacksonpradolima self-assigned this Dec 31, 2025
jacksonpradolima and others added 2 commits January 1, 2026 11:37
Signed-off-by: Jackson Antonio do Prado Lima <jacksonpradolima@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Jackson Antonio do Prado Lima <jacksonpradolima@users.noreply.github.com>
Copilot AI (Contributor) commented Jan 1, 2026

@jacksonpradolima I've opened a new pull request, #150, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI (Contributor) commented Jan 1, 2026

@jacksonpradolima I've opened a new pull request, #151, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI and others added 2 commits January 1, 2026 11:45
Co-authored-by: jacksonpradolima <7774063+jacksonpradolima@users.noreply.github.com>
Change to dist/ directory before signing to ensure .sig and .pem files are created in the correct location for the upload step.

Co-authored-by: jacksonpradolima <7774063+jacksonpradolima@users.noreply.github.com>
Copilot AI (Contributor) commented Jan 1, 2026

@jacksonpradolima I've opened a new pull request, #152, to work on those changes. Once the pull request is ready, I'll request review from you.

Co-authored-by: jacksonpradolima <7774063+jacksonpradolima@users.noreply.github.com>
@sonarqubecloud (sonarqubecloud bot) commented Jan 1, 2026

@jacksonpradolima jacksonpradolima merged commit a8f6c86 into master Jan 1, 2026
12 checks passed
@jacksonpradolima jacksonpradolima deleted the codex/add-release-verification-workflow-steps branch January 1, 2026 14:58