Sign our releases (#1347)

* Sign our releases * Use secrets instead of artifacts * And the universal * Apparently we can’t use secrets like that? * Minor fixes to doc * Private key requires untrusted comment * Dogfood one deeper
2025-05-13 07:20:02 +00:00 · 2023-09-23 20:07:19 +12:00 · 2023-09-23 20:07:19 +12:00 · ee7fcb3210
commit ee7fcb3210
parent 32beba507b
5 changed files with 88 additions and 14 deletions
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@ -16,6 +16,10 @@ on:
        description: "Set to override default release profile codegen-units settings"
        required: false
        type: string
+    secrets:
+      signingkey:
+        description: "Minisign private key. Required when publishing"
+        required: false

 env:
  CARGO_TERM_COLOR: always
@ -84,6 +88,14 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+    - if: inputs.publish
+      uses: cargo-bins/cargo-binstall@main
+
+    - if: inputs.publish
+      env:
+        SIGNING_KEY: ${{ secrets.signingkey }}
+      run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*
+
    - if: inputs.publish
      name: Upload to release
      uses: svenstaro/upload-release-action@v2
@ -140,6 +152,14 @@ jobs:
    - run: just repackage-lipo
    - run: ls -shal packages/

+    - if: inputs.publish
+      uses: cargo-bins/cargo-binstall@main
+
+    - if: inputs.publish
+      env:
+        SIGNING_KEY: ${{ secrets.signingkey }}
+      run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-*
+
    - if: inputs.publish
      name: Upload to release
      uses: svenstaro/upload-release-action@v2