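# Reusable workflow: fetch every artifact of the calling run, rename the SDK
# packages, compute SHA256/BLAKE3/SHA512 sums, sign artifacts and sums with
# cosign (keyless, via the OIDC id-token), and upload the signatures.
name: Sign

permissions:
  # Needed for keyless cosign signing (OIDC token exchange).
  id-token: write
  # When a permissions block is present, every scope that is not listed
  # defaults to none; actions/checkout needs read access to the repository.
  contents: read

on:
  workflow_call:
    inputs:
      ref:
        required: true
        description: "GitHub ref to use"
        type: string
      version:
        required: true
        description: "Version to produce"
        type: string

jobs:
  sign:
    name: sign
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a commit SHA with a version comment, as the
      # cargo-install and cosign-installer steps below already do; a mutable
      # tag can be moved to different code without any change in this file.
      - uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}

      - name: Install b3sum
        uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
        with:
          crate: b3sum
          version: 1.3.0

      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

      # TODO(review): pin to a commit SHA (see checkout above). Downloads every
      # artifact of the calling run, one sub-directory per artifact.
      - name: Download all artifacts
        uses: actions/download-artifact@v2
        with:
          path: artifacts.tmp

      - name: Rename SDKs
        # This step must match the rename SDKs step in the "publish" job below.
        # Each subshell cd's into one SDK directory so the prefix is applied
        # without affecting the other directory.
        run: |
          (
            cd artifacts.tmp/artifacts-python-sdk
            for file in *.whl ; do
              mv -vT "$file" "sdk-python-$file"
            done
          )
          (
            cd artifacts.tmp/artifacts-nodejs-sdk
            for file in *.tgz ; do
              mv -vT "$file" "sdk-nodejs-$file"
            done
          )

      - name: Flatten artifact directories
        run: |
          mkdir -p ./artifacts
          mv ./artifacts.tmp/artifacts-*/* ./artifacts

      - name: Ensure coverage not enabled on release
        run: |
          # Extract pulumi binary to bintest rather than pollute artifacts directory.
          mkdir './bintest' && tar -xvf ./artifacts/pulumi-*-linux-x64.tar.gz -C './bintest/.'
          # Ensure pulumi binary exists.
          stat './bintest/pulumi/pulumi' || exit 1
          # Check binary not built with coverage.
          if ./bintest/pulumi/pulumi version 2>&1 | grep coverage; then
            echo 'Aborting! Pulumi binary built with coverage data.'
            exit 2
          else
            echo 'Pulumi binary OK!'
          fi

      - name: Create sums.tmp
        run: mkdir -p ./sums.tmp ./sigs.tmp

      # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting.
      - name: Checksums with SHA256
        working-directory: artifacts
        env:
          version: ${{ inputs.version }}
        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt"

      - name: Checksums with BLAKE3
        working-directory: artifacts
        run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS

      - name: Checksums with SHA512
        working-directory: artifacts
        run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS

      - name: Sign binaries and checksums
        shell: bash
        env:
          version: ${{ inputs.version }}
        # One bundle (signature + certificate + Rekor entry) per file is written
        # next to the checksum files so the upload below is a single directory.
        # NOTE(review): COSIGN_EXPERIMENTAL=1 is the cosign 1.x switch for
        # keyless mode; with the cosign 2.x series installed by the installer
        # above it is presumably a no-op — confirm before removing.
        run: |
          ls -la
          # Sign all artifacts and checksums:
          for dir in "artifacts" "sums.tmp"; do
            pushd "$dir"
            for file in ./*; do
              echo "$file"
              COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes \
                --bundle="../sigs.tmp/${file}".sig \
                "${file}"
            done
            popd
          done
          # flatten to a single directory to upload:
          mv sums.tmp/* sigs.tmp

      # TODO(review): pin to a commit SHA (see checkout above).
      - uses: actions/upload-artifact@v2
        with:
          name: artifacts-signatures
          retention-days: 1
          path: |
            sigs.tmp/*
          if-no-files-found: error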