diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3477f6591..b54a9209e 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -18,6 +18,8 @@ on:
 jobs:
 release-packager:
+ permissions:
+ id-token: write
 name: Release Packager
 runs-on: ubuntu-latest
 steps:
@@ -94,6 +96,18 @@ jobs:
 repo_path: ./local_kernel
 source_path: ./
+ # 1. Install cosign tool
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.8.1
+ # 2. Sign the sbom.spdx file using cosign. Two files are produced: sbom.sig and sbom.crt, stored in the same directory as sbom.spdx
+ - name: Attest SBOM
+ working-directory: ./local_kernel
+ run: |
+ cosign sign-blob sbom.spdx --output-certificate='sbom.crt' --output-signature='sbom.sig' -y
+ # The following is a sanity check. After signing, we verify the image to check that everything is OK
+ cosign verify-blob --signature='sbom.sig' --certificate='sbom.crt' --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp='https://github.com' ./sbom.spdx
+
 - name: commit SBOM file
 env:
 VERSION_NUMBER: ${{ github.event.inputs.version_number }}
@@ -117,6 +131,14 @@ jobs:
 ./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
 exit $?
+
+ - name: Backup Release Asset
+ uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@main
+ with:
+ # This is dependent on the release script putting this zip file
+ # in this exact location.
+ artifact_path: ./tools/.github/scripts/FreeRTOS-KernelV${{ github.event.inputs.version_number }}.zip
+ release_tag: ${{ github.event.inputs.version_number }}
+
 - name: Cleanup
 env:
 VERSION_NUMBER: ${{ github.event.inputs.version_number }}
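Review bot: Adding a job-level `permissions:` block that lists only `id-token: write` sets every unlisted scope of this job's GITHUB_TOKEN — including `contents` — to `none`, which the first hunk does not account for. The same job later runs `commit SBOM file` and `release.py`, which push a commit and publish a release; if either of those authenticates with GITHUB_TOKEN rather than a stored PAT (not visible in this hunk), it will now fail with a 403 on the next release run. Either add `contents: write` under `permissions:` next to `id-token: write`, or confirm in the PR description that those steps use a separate token. The `on:` trigger and the rest of the `release-packager` job continue outside this hunk.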
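Review bot: The `cosign verify-blob` sanity check in the `Attest SBOM` step does not actually bind the signature to this workflow, because `--certificate-identity-regexp=.*` accepts any Fulcio identity, so the check only proves the signature is well-formed, not that it was produced here. The issuer match also looks off: for GitHub Actions OIDC the issuer recorded in the certificate is, as far as I know, `https://token.actions.githubusercontent.com`, which the unanchored regexp `https://github.com` does not match — please confirm this step passes in a real run. Replace both regexps with exact values, `--certificate-identity="https://github.com/${{ github.workflow_ref }}" --certificate-oidc-issuer='https://token.actions.githubusercontent.com'`, which is also the verification line consumers of the SBOM should be told to run. The comment on that step should also read `# ... we verify the blob ...` rather than "the image", and `sigstore/cosign-installer@v3.8.1` would be better pinned to a full commit SHA with the tag in a trailing comment, since tags are mutable.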
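Review bot: `uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@main` in the new `Backup Release Asset` step tracks a mutable branch from a job that now carries `id-token: write` and performs the release, so any push to that branch — or a compromise of that repository — runs with this job's token and can mint OIDC tokens and sign blobs as this workflow's identity on the next release. Pin the action to a full commit SHA, e.g. `uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@<40-char-sha>  # <tag or date>`, and update it deliberately through a reviewed bump; the sibling `sigstore/cosign-installer@v3.8.1` step at least pins a tag. The hard-coded `artifact_path` coupling the comment acknowledges could be removed by having the `release.py` step export the zip path as a step output and referencing it here, but that is a follow-up rather than a blocker. The `release-packager` job continues past the end of this hunk.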