
Add: Cosign Sign #2633

Open, wants to merge 6 commits into base: main

Conversation

@Ludy87 (Contributor) commented Jan 7, 2025

Description

@M0NsTeRRR Can you check the correctness?

Checklist

  • I have read the Contribution Guidelines
  • I have performed a self-review of my own code
  • I have attached images of the change if it is UI based
  • I have commented my code, particularly in hard-to-understand areas
  • If my code has heavily changed functionality I have updated relevant docs on Stirling-PDF's doc repo
  • My changes generate no new warnings
  • I have read the section Add New Translation Tags (for new translation tags only)

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jan 7, 2025
@github-actions github-actions bot added the Github label Jan 7, 2025
@dosubot dosubot bot added the enhancement New feature or request label Jan 7, 2025

- name: Upload jar binaries to release
- name: Upload binaries, attestations and signatures to release
Contributor commented on these lines:

I would avoid using an external action to upload binaries. The gh CLI is already available inside the GH runner; you can use something like this (I haven't tested it, but it should be close to that):
https://cli.github.com/manual/gh_release_upload

 - name: Upload artifact to release
   # gh release upload expects the tag name, not the full ref (refs/tags/...), so use github.ref_name
   run: gh release upload ${{ github.ref_name }} ./build/libs/Stirling-PDF${{ matrix.file_suffix }}.* ./build/launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.*
   env:
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     # lets gh resolve the repository even without a checked-out git remote
     GH_REPO: ${{ github.repository }}

Two further review comments on .github/workflows/releaseArtifacts.yml (outdated, marked resolved)
@Ludy87 (Contributor, Author) commented Jan 8, 2025

@M0NsTeRRR I have the signature created in the cosign attest-blob

@Ludy87 Ludy87 requested a review from M0NsTeRRR January 8, 2025 09:10
@M0NsTeRRR (Contributor) left a review comment

I think it makes sense to have at least a single job that verifies every artifact is properly signed using GitHub keyless signing (https://docs.sigstore.dev/cosign/verifying/attestation/).
Otherwise, except for my two other comments that were marked as resolved, it looks good to me! :)

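The verification job suggested in the review above, written here as an added example that is not part of the PR or the Stirling-PDF repository. Assumptions: the workflow's upload job has the id `upload`, each artifact `<file>` is published next to a `<file>.bundle` written by `cosign attest-blob --bundle` with cosign's default `custom` predicate type, and the artifacts are the `.jar` and `.exe` files named elsewhere in this thread.

```yaml
  # Assumed job id "upload" publishes the artifacts and their cosign bundles first.
  verify-signatures:
    needs: [upload]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Download release assets
        # gh is preinstalled on GitHub-hosted runners; GH_REPO avoids needing a checkout
        run: gh release download "${{ github.ref_name }}" --dir assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}

      - name: Verify every artifact carries a valid keyless attestation
        # Assumption: each artifact <file> ships with <file>.bundle produced by
        # `cosign attest-blob --bundle`, using cosign's default predicate type "custom".
        # The identity regexp pins the signer to this repository's release workflow and
        # the issuer pins it to GitHub's OIDC provider, so a certificate issued to any
        # other workflow, repository or identity provider fails verification.
        run: |
          set -euo pipefail
          shopt -s nullglob
          artifacts=(assets/*.jar assets/*.exe)
          if [ "${#artifacts[@]}" -eq 0 ]; then
            echo "no artifacts found in assets/" >&2
            exit 1
          fi
          for artifact in "${artifacts[@]}"; do
            bundle="${artifact}.bundle"
            if [ ! -f "$bundle" ]; then
              echo "missing attestation bundle for $artifact" >&2
              exit 1
            fi
            cosign verify-blob-attestation \
              --bundle "$bundle" \
              --type custom \
              --certificate-identity-regexp "^https://github.com/${{ github.repository }}/\.github/workflows/releaseArtifacts\.yml@refs/tags/" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              "$artifact"
            echo "verified $artifact"
          done
```

A missing bundle or an artifact signed by any other workflow identity fails the job, which is what makes it a gate rather than a report.
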
@Ludy87 Ludy87 changed the title Add: Cosign with OIDC Add: Cosign Sign Jan 9, 2025
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Jan 9, 2025
@Ludy87 Ludy87 requested a review from M0NsTeRRR January 9, 2025 10:14