sign

Signed-off-by: Anas Nashif <[email protected]>

Author: nashif

.github/workflows/release.yml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       contents: write # to create GitHub release entry
+    	# 'id-token' needs write permission to retrieve the OIDC token, which is required for authentication.
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -57,6 +59,12 @@ jobs:
           draft: true
           prerelease: true
 
+
+      # This step uses 'gh-action-sigstore-python' to sign the file designated in the inputs field.
+      - uses: sigstore/[email protected]
+        with:
+          inputs: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx
+
       - name: Upload Release Assets (SPDX)
         id: upload-release-asset
         uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
@@ -67,14 +75,3 @@ jobs:
           asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx
           asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx
           asset_content_type: text/plain
-
-      - name: Upload Release Assets (SBOM)
-        id: upload-release-asset-sbom
-        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx
-          asset_name: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx
-          asset_content_type: text/plain