Copilot AI commented Jan 1, 2026

Migrates the publish workflow from manual sigstore CLI installation to the official GitHub Action.

Changes:

  • Removed manual pip install sigstore==4.1.0 step
  • Removed manual sigstore sign command execution
  • Added sigstore/[email protected] action with equivalent inputs

Before:

- name: Install sigstore
  run: python -m pip install sigstore==4.1.0

- name: Sign distributions
  run: |
    cd dist
    sigstore sign *.whl *.tar.gz

After:

- name: Sign distributions with Sigstore
  uses: sigstore/[email protected]
  with:
    inputs: >-
      dist/*.whl
      dist/*.tar.gz

Artifact outputs (.sig, .pem files) remain unchanged.

Original prompt

replace in https://github.com/jacksonpradolima/gsp-py/blob/master/.github/workflows/publish.yml to use https://github.com/marketplace/actions/gh-action-sigstore-python

full docs: https://sigstore.github.io/sigstore-python/


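The "After" step above covers signing only. The fragment below is an added example, not the gsp-py workflow, the PR's diff, or the action's own documentation. It shows the two things a practitioner would check around a keyless signing step: the `id-token: write` permission the action needs to obtain an OIDC token for its Fulcio certificate, and a verification step that pins the expected certificate identity and OIDC issuer, so that a signature produced by any other workflow, repository or fork fails instead of passing as "signed". The job name, the `download-artifact` step and the action version placeholder are assumptions (the version shown on this page is garbled, so none is supplied here); the identity URL follows the `job_workflow_ref` format GitHub puts in the certificate SAN for this repository's `publish.yml`, and `sigstore==4.1.0` is the version the PR removed from the manual install.

```yaml
# Added example (not the gsp-py workflow). Assumptions are marked as such.
permissions:
  contents: read
  id-token: write   # required: the action exchanges the job's OIDC token for a signing cert

jobs:
  sign-and-verify:              # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4   # assumed: dist/ was built in an earlier job
        with:
          name: dist
          path: dist

      - name: Sign distributions with Sigstore
        uses: sigstore/gh-action-sigstore-python@VERSION   # placeholder: pin the version from the PR
        with:
          inputs: >-
            dist/*.whl
            dist/*.tar.gz

      # Gate the release on the signature being bound to *this* workflow's identity.
      # Without --cert-identity/--cert-oidc-issuer, verification only proves that
      # *someone* with *some* OIDC identity signed the file, which is not a useful check.
      - name: Verify signatures against the expected signing identity
        env:
          CERT_IDENTITY: https://github.com/jacksonpradolima/gsp-py/.github/workflows/publish.yml@${{ github.ref }}
          OIDC_ISSUER: https://token.actions.githubusercontent.com
        run: |
          python -m pip install sigstore==4.1.0
          for f in dist/*.whl dist/*.tar.gz; do
            # By default the CLI looks for <file>.sigstore.json next to the artifact;
            # for a legacy .sig/.pem pair add --signature "$f.sig" --certificate "$f.pem".
            sigstore verify identity \
              --cert-identity "$CERT_IDENTITY" \
              --cert-oidc-issuer "$OIDC_ISSUER" \
              "$f"
          done
```

Consumers downloading a release should run the same `sigstore verify identity` command with the same identity and issuer values, replacing `${{ github.ref }}` with the tag ref they expect (for example `refs/tags/<tag>`); a release signed from a different branch, workflow file or fork will then be rejected.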


sonarqubecloud bot commented Jan 1, 2026

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Copilot AI changed the title from "[WIP] Replace publishing action with sigstore-python" to "Replace manual sigstore installation with gh-action-sigstore-python" on Jan 1, 2026
Copilot AI requested a review from jacksonpradolima January 1, 2026 18:08
@jacksonpradolima jacksonpradolima marked this pull request as ready for review January 1, 2026 18:08
Copilot AI review requested due to automatic review settings January 1, 2026 18:08
@jacksonpradolima jacksonpradolima merged commit 4f97c8d into master Jan 1, 2026
5 of 9 checks passed
@jacksonpradolima jacksonpradolima deleted the copilot/replace-gh-action-publish branch January 1, 2026 18:08
Copilot AI left a comment

Pull request overview

This PR modernizes the package signing process by replacing manual sigstore CLI installation and invocation with the official sigstore/gh-action-sigstore-python GitHub Action. The change simplifies the workflow while maintaining identical artifact outputs.

Key Changes:

  • Replaced manual pip install sigstore==4.1.0 and CLI command with the official GitHub Action
  • Consolidated two workflow steps into a single action invocation
  • Maintained compatibility with existing release asset structure (.sig and .pem files)
