Update sigstore release signing action (#435)

* Update sigstore release signing action The default behavior of sigstore/gh-action-sigstore-python has changed. Disable the automatic uploading of signed artifacts, since this now includes artifacts named with just the tag, without the "Imath-" prefix. Also, the signature file now has a .json suffix. Signed-off-by: Cary Phillips <cary@ilm.com> * pin action to sha; use TAG instead of ref_name Signed-off-by: Cary Phillips <cary@ilm.com> --------- Signed-off-by: Cary Phillips <cary@ilm.com>
AcademySoftwareFoundation · Sep 24, 2024 · 07ba86f · 07ba86f
1 parent 6d97ae2
commit 07ba86f
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
@@ -48,18 +48,20 @@ jobs:
  shell: bash
 
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
  - name: Create archive
  run: git archive --format=tar.gz -o ${IMATH_TARBALL} --prefix ${IMATH_PREFIX} ${TAG}
 
  - name: Sign archive with Sigstore
- uses: sigstore/gh-action-sigstore-python@v3.0.0
+ uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
  with:
  inputs: ${{ env.IMATH_TARBALL }}
+ upload-signing-artifacts: false
+ release-signing-artifacts: false
 
  - name: Upload release archive
  env:
  GH_TOKEN: ${{ github.token }}
- run: gh release upload ${{ github.ref_name }} ${IMATH_TARBALL} ${IMATH_TARBALL}.sigstore
+ run: gh release upload ${TAG} ${IMATH_TARBALL} ${IMATH_TARBALL}.sigstore.json