From 1f23756ed3d8dcab6e1315273fa0e4ac2e41edbb Mon Sep 17 00:00:00 2001
From: lefosg <47362786+lefosg@users.noreply.github.com>
Date: Thu, 5 Jun 2025 15:40:00 +0300
Subject: [PATCH 1/2] sign sbom

---
 .github/workflows/auto-release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3477f6591..3274b565f 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -94,6 +94,18 @@ jobs:
           repo_path: ./local_kernel
           source_path: ./
 
+      # 1. Install cosign tool
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+        
+      # 2. Sign the sbom.spdx file using cosign. Two files are produced: sbom.sig and sbom.crt, stored in the same directory as sbom.spdx
+      - name: Attest SBOM
+        working-directory: ./local_kernel
+        run: |
+          cosign sign-blob sbom.spdx --output-certificate='sbom.crt' --output-signature='sbom.sig' -y
+          # The following is a sanity check. After signing, we verify the image to check that everything is OK
+          cosign verify-blob --signature='sbom.sig' --certificate='sbom.crt' --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp='https://github.com' ./sbom.spdx
+
       - name: commit SBOM file
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}

From e3a362b1d1e41bcc02c02f3ef05f4d3b30cbbc17 Mon Sep 17 00:00:00 2001
From: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com>
Date: Mon, 7 Jul 2025 05:45:46 -0700
Subject: [PATCH 2/2] Add artifact backup action (#1290)

---
 .github/workflows/auto-release.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3477f6591..19f6c0167 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -18,6 +18,8 @@ on:
 
 jobs:
   release-packager:
+    permissions:
+      id-token: write
     name: Release Packager
     runs-on: ubuntu-latest
     steps:
@@ -117,6 +119,14 @@ jobs:
           ./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
           exit $?
 
+      - name: Backup Release Asset
+        uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@main
+        with:
+          # This is dependent on the release script putting this zip file
+          # in this exact location.
+          artifact_path: ./tools/.github/scripts/FreeRTOS-KernelV${{ github.event.inputs.version_number }}.zip
+          release_tag: ${{ github.event.inputs.version_number }}
+
       - name: Cleanup
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}