Open rwgk opened 4 months ago
@henryiii RFC @junyer FYI
I basically do that (with a single generated file instead of a zip) here: https://github.com/CLIUtils/CLI11/blob/main/.github/workflows/build.yml
Tangentially, I asked SLSA folks for a workflow here so that any project could trivially publish source code archives as release assets with signature and provenance, but it's unclear if/when that would ever actually be implemented. (Obviously, GitHub itself should directly support doing so, but...)
@rickeylev had this suggestion:
The github /archive/ urls aren't guaranteed to have stable hashes. Github has changed their hashing twice and plans to do it again in the next year or so. It does violate a best practice to ensure remote artifacts aren't being tampered with. There are probably github docs about how to do this somewhere. What it means is, when creating a "github release", a file of the source is attached to it, much like you'd attach some built library you wanted to make directly download.
In rules_python, we do this automatically using an action:
https://github.com/bazelbuild/rules_python/blob/677fb53a16d65082729be927dafd3a45fafa04c5/.github/workflows/release.yml#L40-L46
The prior "create_archive_and_notes.sh" creates the tar.gz file, and that action-gh-release action uploads the file into the "github release". If you're doing manual releases, then it means you edit the release, and upload/attach the file to it.
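Added example (not code from this thread, from rules_python or from CLI11): a POSIX shell script that builds a reproducible source tarball plus a SHA256SUMS file to attach to a release, so the digest recorded at release time stays valid for the asset regardless of how GitHub's /archive/ hashing changes. It assumes GNU tar, gzip and coreutils sha256sum are on PATH; the function names and the fixed mtime are choices made for this example.

```shell
#!/usr/bin/env sh
# Added example, not part of the thread above. Produces a byte-for-byte
# reproducible source archive and a checksum file suitable for uploading as
# release assets. Assumes GNU tar (--sort/--mtime/--owner/--transform) and gzip.
set -eu

# make_source_archive SRC_DIR NAME VERSION OUT_DIR
#   Writes OUT_DIR/NAME-VERSION.tar.gz and OUT_DIR/SHA256SUMS, and prints the
#   SHA-256 hex digest of the archive so a release job can record it.
make_source_archive() {
  src="$1"; name="$2"; version="$3"; out="$4"
  asset="$name-$version.tar.gz"
  mkdir -p "$out"
  # Pin every source of nondeterminism: entry order, mtimes, uid/gid, and the
  # gzip header timestamp (-n). 946684800 is 2000-01-01T00:00:00Z, an arbitrary
  # fixed value chosen for this example; a real job would use SOURCE_DATE_EPOCH.
  tar --sort=name --mtime='@946684800' \
      --owner=0 --group=0 --numeric-owner \
      --transform "s,^\\.,$name-$version," \
      -C "$src" -cf - . | gzip -n > "$out/$asset"
  (cd "$out" && sha256sum "$asset" > SHA256SUMS)
  sha256sum "$out/$asset" | cut -d' ' -f1
}

# verify_source_archive OUT_DIR
#   Re-checks the downloaded asset against the recorded digest; non-zero exit
#   on mismatch, which is the check a consumer should run before unpacking.
verify_source_archive() {
  (cd "$1" && sha256sum -c SHA256SUMS >/dev/null)
}
```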