diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 91f4037a2e2..32c7751b09a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: write # to create GitHub release entry + id-token: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -30,6 +31,10 @@ jobs: with: args: spdx -o zephyr-${{ steps.get_version.outputs.VERSION }}.spdx + - uses: anchore/sbom-action@v0 + with: + artifact-name: zephyr-sbom-${{ steps.get_version.outputs.VERSION }}.spdx + - name: upload-results uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 continue-on-error: true @@ -53,8 +58,15 @@ jobs: draft: true prerelease: true - - name: Upload Release Assets - id: upload-release-asset + + # This step uses 'gh-action-sigstore-python' to sign the file designated in the inputs field. + - name: Sign + uses: sigstore/gh-action-sigstore-python@v3.0.0 + with: + inputs: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx + + - name: Upload Release Assets (SPDX) + id: upload-release-asset_1 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -63,3 +75,17 @@ jobs: asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx asset_content_type: text/plain + + - name: Rename + run: | + mv zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.sigstore.json zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.intoto.jsonl + - name: Upload Release Assets (Sig) + id: upload-release-asset_2 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.intoto.jsonl + asset_name: zephyr-${{ steps.get_version.outputs.VERSION }}.spdx.intoto.jsonl + asset_content_type: application/json diff --git a/doc/requirements.txt b/doc/requirements.txt index c10b390651a..e297e9038b6 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -1,6 +1,10 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal --python-version 3.10 --generate-hashes requirements.in --output-file requirements.txt -alabaster==1.0.0 \ +alabaster==0.7.16 ; python_full_version < '3.10' \ + --hash=sha256:75a8b99c28a5dad50dd7f8ccdd447a121ddb3892da9e53d1ca5cca3106d58d65 \ + --hash=sha256:b46733c07dce03ae4e150330b975c75737fa60f0a7c591b6c8bf4928a28e2c92 + # via sphinx +alabaster==1.0.0 ; python_full_version >= '3.10' \ --hash=sha256:c00dca57bca26fa62a6d7d0a9fcce65f3e026e9bfe33e9c538fd3fbb2144fd9e \ --hash=sha256:fc6786402dc3fcb2de3cabd5fe455a2db534b371124f1f21de8731783dec828b # via sphinx @@ -10,9 +14,9 @@ anyio==4.9.0 \ # via # starlette # watchfiles -anytree==2.12.1 \ - --hash=sha256:244def434ccf31b668ed282954e5d315b4e066c4940b94aff4a7962d85947830 \ - --hash=sha256:5ea9e61caf96db1e5b3d0a914378d2cd83c269dfce1fb8242ce96589fa3382f0 +anytree==2.13.0 \ + --hash=sha256:4cbcf10df36b1f1cba131b7e487ff3edafc9d6e932a3c70071b5b768bab901ff \ + --hash=sha256:c9d3aa6825fdd06af7ebb05b4ef291d2db63e62bb1f9b7d9b71354be9d362714 # via -r requirements.in babel==2.17.0 \ --hash=sha256:0c54cffb19f690cdcc52a3b50bcbf71e07a808d1c80d549f2459b9d2cf0afb9d \ @@ -165,6 +169,10 @@ imagesize==1.4.1 \ --hash=sha256:0d8d18d08f840c19d0ee7ca1fd82490fdc3729b7ac93f49870406ddde8ef8d8b \ --hash=sha256:69150444affb9cb0d5cc5a92b3676f0b2fb7cd9ae39e947a5e11a36b4497cd4a # via sphinx +importlib-metadata==8.7.0 ; python_full_version < '3.10' \ + --hash=sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000 \ + --hash=sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd + # via sphinx iniconfig==2.1.0 \ --hash=sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd25c2645f63c773e1c7 \ --hash=sha256:9deba5723312380e77435581c6bf4935c94cbfab9b1ed33ef8d238ea168eb760 @@ -532,7 +540,6 @@ six==1.17.0 \ --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \ --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81 # via - # anytree # doxmlparser # python-dateutil sniffio==1.3.1 \ @@ -543,7 +550,21 @@ snowballstemmer==2.2.0 \ --hash=sha256:09b16deb8547d3412ad7b590689584cd0fe25ec8db3be37788be3810cbf19cb1 \ --hash=sha256:c8e1716e83cc398ae16824e5572ae04e0d9fc2c6b985fb0f900f5f0c96ecba1a # via sphinx -sphinx==8.1.3 ; python_full_version < '3.11' \ +sphinx==7.4.7 ; python_full_version < '3.10' \ + --hash=sha256:242f92a7ea7e6c5b406fdc2615413890ba9f699114a9c09192d7dfead2ee9cfe \ + --hash=sha256:c2419e2135d11f1951cd994d6eb18a1835bd8fdd8429f9ca375dc1f3281bd239 + # via + # -r requirements.in + # sphinx-autobuild + # sphinx-copybutton + # sphinx-notfound-page + # sphinx-rtd-theme + # sphinx-sitemap + # sphinx-tabs + # sphinx-togglebutton + # sphinxcontrib-jquery + # sphinxcontrib-svg2pdfconverter +sphinx==8.1.3 ; python_full_version == '3.10.*' \ --hash=sha256:09719015511837b76bf6e03e42eb7595ac8c2e41eeb9c29c5b755c6b677992a2 \ --hash=sha256:43c1911eecb0d3e161ad78611bc905d1ad0e523e4ddc202a58a821773dc4c927 # via @@ -676,6 +697,7 @@ typing-extensions==4.13.0 ; python_full_version < '3.13' \ --hash=sha256:c8dd92cc0d6425a97c18fbb9d1954e5ff92c1ca881a309c45f06ebc0b79058e5 # via # anyio + # starlette # uvicorn urllib3==2.3.0 \ --hash=sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df \ @@ -833,3 +855,7 @@ wheel==0.45.1 \ --hash=sha256:661e1abd9198507b1409a20c02106d9670b2576e916d58f520316666abca6729 \ --hash=sha256:708e7481cc80179af0e556bbf0cc00b8444c7321e2700b8d8580231d13017248 # via sphinx-togglebutton +zipp==3.21.0 ; python_full_version < '3.10' \ + --hash=sha256:2c9958f6430a2040341a52eb608ed6dd93ef4392e02ffe219417c1b28b5dd1f4 \ + --hash=sha256:ac1bbe05fd2991f160ebce24ffbac5f6d11d83dc90891255885223d42b3cd931 + # via importlib-metadata