Copilot AI commented Jan 1, 2026

The sigstore sign command in the publish workflow may create signature files in the current working directory instead of adjacent to the distribution files, causing the upload step to fail when looking for dist/*.sig and dist/*.pem files.

Changes

  • Changed to dist/ directory before running sigstore sign to ensure .sig and .pem files are created in the expected location

```yaml
- name: Sign distributions
  run: |
    cd dist
    sigstore sign *.whl *.tar.gz
```


Copilot AI self-assigned this Jan 1, 2026
Change to dist/ directory before signing to ensure .sig and .pem files are created in the correct location for the upload step.

Co-authored-by: jacksonpradolima <[email protected]>
sonarqubecloud bot commented Jan 1, 2026

Copilot AI changed the title from "[WIP] WIP address feedback on release signing and lockfile checks" to "Ensure sigstore signatures are created in dist/ directory" Jan 1, 2026
Copilot AI requested a review from jacksonpradolima January 1, 2026 14:44
@jacksonpradolima jacksonpradolima marked this pull request as ready for review January 1, 2026 14:45
Copilot AI review requested due to automatic review settings January 1, 2026 14:46
@jacksonpradolima jacksonpradolima merged commit e1971fa into codex/add-release-verification-workflow-steps Jan 1, 2026
23 of 39 checks passed
@jacksonpradolima jacksonpradolima deleted the copilot/sub-pr-143 branch January 1, 2026 14:46
Copilot AI left a comment

Pull request overview

This PR fixes a bug in the publish workflow where sigstore signature files were potentially being created in the wrong directory, causing the upload step to fail when looking for signature and certificate files.

Key Changes:

  • Modified the "Sign distributions" step to change into the dist/ directory before running sigstore sign, ensuring .sig and .pem files are created adjacent to the distribution files
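
A pre-upload guard for the failure mode this PR addresses, as an added example that is not part of the PR or the project's workflow: it fails the job when any distribution lacks its signature or certificate, and reports signing outputs left in the working directory. The function names and the `<artifact>.sig` / `<artifact>.pem` naming are assumptions inferred from the dist/*.sig and dist/*.pem globs mentioned above.

```shell
#!/bin/sh
# Added example: guard to run between the signing step and the upload step.
# Assumption: signing artifact NAME produces NAME.sig and NAME.pem beside it,
# as implied by the dist/*.sig and dist/*.pem globs the upload step uses.

# check_signed DIR
# Returns 0 only if every wheel/sdist in DIR has a non-empty .sig and .pem
# next to it, 1 if any is missing or empty, 2 if DIR holds no distributions.
check_signed() {
  dir=$1
  missing=0
  found=0
  for artifact in "$dir"/*.whl "$dir"/*.tar.gz; do
    [ -e "$artifact" ] || continue   # an unmatched glob stays literal
    found=$((found + 1))
    for ext in sig pem; do
      if [ ! -s "$artifact.$ext" ]; then
        echo "missing or empty: $artifact.$ext" >&2
        missing=$((missing + 1))
      fi
    done
  done
  if [ "$found" -eq 0 ]; then
    echo "no distributions found in $dir" >&2
    return 2
  fi
  [ "$missing" -eq 0 ]
}

# stray_outputs DIR
# Prints any .sig/.pem files sitting directly in DIR (for example the
# repository root), which indicates the signer wrote to the working
# directory instead of next to the distributions.
stray_outputs() {
  for f in "$1"/*.sig "$1"/*.pem; do
    [ -e "$f" ] && echo "$f"
  done
  return 0
}
```

In a workflow step this would be called as `check_signed dist` after signing, so an unsigned artifact stops the release before anything is uploaded.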

