search

AcademySoftwareFoundation / OpenTimelineIO

Open Source API and interchange format for editorial timeline information.
http://opentimeline.io
Apache License 2.0
1.47k stars 294 forks source link

Consider signing release artifacts #1791

Open cary-ilm opened 2 months ago

cary-ilm commented 2 months ago

The OpenSSF Best Practices Badge suggests signing release artifacts. Consider using OpenEXR's release-sign.yml workflow as a template. It's triggered on release creation and does these steps:

  1. Runs get archive to generate a <release>.tar.gz artifact
  2. Signs the <release>.tar.gz via sigstore
  3. Uploads the resulting sigstore signature file along with the tarball.
cary-ilm commented 2 months ago

Oops, this duplicates #1782, but with a bit more explicit suggestions!