Consider signing release artifacts #2034

@cary-ilm

The OpenSSF Best Practices Badge suggests signing release artifacts, using OpenEXR's release-sign.yml workflow as a template. It's triggered on release creation and does these steps:

  1. Runs git archive to generate a <release>.tar.gz artifact
  2. Signs the <release>.tar.gz via sigstore
  3. Uploads the resulting sigstore signature file along with the tarball.
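The three steps above, sketched as a GitHub Actions workflow. This is an added example, not the contents of OpenEXR's release-sign.yml or any OpenColorIO file; the job name, the tarball naming scheme and the action version shown are assumptions.

```yaml
# Added sketch: archive, sign with sigstore, attach both files to the release.
name: Sign release artifacts

on:
  release:
    types: [published]   # draft releases emit no event until they are published

# Default to read-only; the job below requests only what it needs.
permissions:
  contents: read

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # attach files to the release
      id-token: write   # OIDC token used for sigstore keyless signing
    env:
      TAG: ${{ github.ref_name }}
      # Assumed naming scheme: <repository>-<tag>.tar.gz
      PREFIX: ${{ github.event.repository.name }}-${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4

      # Step 1: build the source tarball from the checked-out release tag.
      - name: Create archive
        run: git archive --format=tar.gz --prefix="${PREFIX}/" -o "${PREFIX}.tar.gz" HEAD

      # Step 2: sign the tarball. A release workflow would normally pin this
      # action to a full commit SHA instead of a tag.
      - name: Sign archive with sigstore
        uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: ${{ env.PREFIX }}.tar.gz
          upload-signing-artifacts: false
          release-signing-artifacts: false

      # Step 3: upload the tarball together with the signature file. The glob
      # covers the signature suffix, which differs between action versions.
      - name: Upload tarball and signature
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${TAG}" "${PREFIX}.tar.gz" "${PREFIX}.tar.gz".sigstore*
```

Because keyless signing binds the signature to the workflow's OIDC identity, a consumer verifying the tarball should check that the certificate identity is this workflow at the release tag, not merely that a signature file is present.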

Labels

- Build Issue: Issues related to build or environment problems on any platform.
- good first issue: Standard label for new developers to locate good issues to tackle to learn about OCIO development.
- help wanted: Issues that the TSC has decided are worth implementing, but don't currently have the dev resources.
