|
50 | 50 | name: Build - ${{ matrix.runner }} - ${{ matrix.target }} |
51 | 51 | runs-on: ${{ matrix.runner }} |
52 | 52 | timeout-minutes: 30 |
| 53 | + permissions: |
| 54 | + contents: read |
| 55 | + id-token: write |
53 | 56 | defaults: |
54 | 57 | run: |
55 | 58 | working-directory: codex-rs |
@@ -100,6 +103,52 @@ jobs: |
100 | 103 | - name: Cargo build |
101 | 104 | run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy |
102 | 105 |
|
| 106 | + - if: ${{ contains(matrix.target, 'linux') }} |
| 107 | + name: Install cosign |
| 108 | + uses: sigstore/cosign-installer@v3.7.0 |
| 109 | + |
| 110 | + - if: ${{ contains(matrix.target, 'linux') }} |
| 111 | + name: Cosign Linux artifacts |
| 112 | + shell: bash |
| 113 | + env: |
| 114 | + COSIGN_EXPERIMENTAL: "1" |
| 115 | + COSIGN_YES: "true" |
| 116 | + COSIGN_OIDC_CLIENT_ID: "sigstore" |
| 117 | + COSIGN_OIDC_ISSUER: "https://oauth2.sigstore.dev/auth" |
| 118 | + run: | |
| 119 | + set -euo pipefail |
| 120 | +
|
| 121 | + dest="dist/${{ matrix.target }}" |
| 122 | + if [[ ! -d "$dest" ]]; then |
| 123 | + echo "Destination $dest does not exist" |
| 124 | + exit 1 |
| 125 | + fi |
| 126 | +
|
| 127 | + shopt -s nullglob |
| 128 | + for artifact in "$dest"/*; do |
| 129 | + if [[ -f "$artifact" ]]; then |
| 130 | + cosign sign-blob \ |
| 131 | + --yes \ |
| 132 | + --output-signature "${artifact}.sig" \ |
| 133 | + --output-certificate "${artifact}.pem" \ |
| 134 | + "$artifact" |
| 135 | + fi |
| 136 | + done |
| 137 | +
|
| 138 | + - if: ${{ contains(matrix.target, 'windows') }} |
| 139 | + name: Sign Windows binaries with Azure Trusted Signing |
| 140 | + uses: azure/trusted-signing-action@v0 |
| 141 | + with: |
| 142 | + endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }} |
| 143 | + code-signing-account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }} |
| 144 | + certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }} |
| 145 | + app-registration-client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }} |
| 146 | + app-registration-tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }} |
| 147 | + app-registration-client-secret: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_SECRET }} |
| 148 | + files: | |
| 149 | + ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release/codex.exe |
| 150 | + ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release/codex-responses-api-proxy.exe |
| 151 | +
|
103 | 152 | - if: ${{ matrix.runner == 'macos-15-xlarge' }} |
104 | 153 | name: Configure Apple code signing |
105 | 154 | shell: bash |
@@ -283,6 +332,11 @@ jobs: |
283 | 332 | cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}" |
284 | 333 | fi |
285 | 334 |
|
| 335 | + if [[ "${{ matrix.target }}" == *linux* ]]; then |
| 336 | + cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore" |
| 337 | + cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore" |
| 338 | + fi |
| 339 | +
|
286 | 340 | - if: ${{ matrix.runner == 'windows-11-arm' }} |
287 | 341 | name: Install zstd |
288 | 342 | shell: powershell |
@@ -321,6 +375,11 @@ jobs: |
321 | 375 | continue |
322 | 376 | fi |
323 | 377 |
|
| 378 | + # Don't try to compress signature bundles. |
| 379 | + if [[ "$base" == *.sigstore ]]; then |
| 380 | + continue |
| 381 | + fi |
| 382 | +
|
324 | 383 | # Create per-binary tar.gz |
325 | 384 | tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base" |
326 | 385 |
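Review bot: The staging step at new lines 335-337 copies `target/${{ matrix.target }}/release/codex.sigstore` and `codex-responses-api-proxy.sigstore`, but nothing in this change produces those files: the Linux signing step at new lines 110-137 runs `cosign sign-blob` with `--output-signature`/`--output-certificate`, which writes `${artifact}.sig` and `${artifact}.pem` next to whatever is in `dist/${{ matrix.target }}`, not a bundle under `target/`. If the staging script runs under `set -e` (its header is outside the hunk) the `cp` will fail on every Linux target, and otherwise the `.sig`/`.pem` pair is left in `dist/` where the tar loop at 378-381, which skips only `*.sigstore`, will package them individually. Emitting one bundle per binary, e.g. `cosign sign-blob --yes --bundle "${artifact}.sigstore" "$artifact"`, and copying it from that same `dist/` directory keeps the three hunks consistent and gives consumers a single file for `cosign verify-blob --bundle`, whose expected `--certificate-identity` and `--certificate-oidc-issuer` values the release notes should state so verification is not left to guesswork. Whether `dist/${{ matrix.target }}` already holds the binaries when the signing step runs (it executes right after `cargo build`, before the copy at line 332) is not visible here and should be confirmed, since the step exits 1 when the directory is absent. Separately, `sigstore/cosign-installer@v3.7.0` and `azure/trusted-signing-action@v0` are mutable tags on steps that hold `id-token: write` and a client secret, so pinning both to a full commit SHA is the usual hardening, and `COSIGN_EXPERIMENTAL`/`COSIGN_YES` are redundant with the explicit `--yes` on cosign v2.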