ci(github): Sign releases and upload them along with their signatures

This makes ORT pass the OSSF Scorecard check at [1]. [1]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
oss-review-toolkit · May 17, 2024 · 37ec96b · 37ec96b
1 parent fc60edc
commit 37ec96b
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,15 +40,13 @@ jobs:
           ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }}
         run: ./gradlew --no-configuration-cache publishAndReleaseToMavenCentral
       - name: Build ORT Distributions
-        run: ./gradlew :cli:distTar :cli:distZip :helper-cli:distTar :helper-cli:distZip
+        run: ./gradlew :cli:signDistTar :cli:signDistZip :helper-cli:signDistTar :helper-cli:signDistZip
       - name: Generate Release Notes
         run: ./gradlew -q printChangeLog > RELEASE_NOTES.md
       - name: Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release create $ORT_VERSION --notes-file RELEASE_NOTES.md \
-              ./cli/build/distributions/ort-$ORT_VERSION.tgz \
-              ./cli/build/distributions/ort-$ORT_VERSION.zip \
-              ./helper-cli/build/distributions/orth-$ORT_VERSION.tgz \
-              ./helper-cli/build/distributions/orth-$ORT_VERSION.zip
+              ./cli/build/distributions/ort-$ORT_VERSION.{tgz,zip}* \
+              ./helper-cli/build/distributions/orth-$ORT_VERSION.{tgz,zip}*