KornevNikita
Contributor

This PR adds an optional step in sycl-linux-build to sign a build using the sigstore/cosign action.

We should sign our release binaries. Currently we're performing it manually outside CI due to security reasons. But in future we'd like to switch to cosign instead. Therefore we're introducing this as part of nightly for now to test it in advance.
Cosign ensures that a blob was signed exactly by the specific workflow.

Test run: https://github.com/intel/llvm/actions/runs/17404358377
To verify:

cosign-windows-amd64.exe verify-blob \
--bundle /path_to/sycl_linux.tar.gz.sigstore.json /path_to/sycl_linux.tar.gz \
--certificate-identity https://github.com/intel/llvm/.github/workflows/sycl-linux-build.yml@refs/heads/BRANCH_NAME
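The verification command above pins the signing identity to one workflow file and one ref. The following is an added example (not code from the intel/llvm PR or from the cosign project) showing the same check wrapped for a release pipeline: it first confirms offline that the bundle's recorded SHA-256 digest is really the digest of the tarball being checked, then builds the `cosign verify-blob` invocation with both the exact certificate identity and the GitHub Actions OIDC issuer pinned. It assumes the sigstore bundle layout that `cosign sign-blob --bundle` writes (a `messageSignature.messageDigest` field holding a base64 SHA-256), that GitHub Actions' OIDC issuer is `https://token.actions.githubusercontent.com`, and that `cosign` is on PATH for the final step. The sample blob and bundle at the bottom are constructed stand-ins for `sycl_linux.tar.gz` and its `.sigstore.json`.

```python
"""Pre-check and verify a cosign keyless blob signature from GitHub Actions.

Added example; not part of the intel/llvm repository or the cosign project.
Assumes the sigstore bundle JSON layout written by `cosign sign-blob --bundle`
and that `cosign` is installed for the final verification step.
"""
import base64
import hashlib
import json
import shutil
import subprocess

# OIDC issuer for GitHub Actions; Fulcio records it in the signing certificate.
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


def expected_identity(repo: str, workflow_file: str, ref: str) -> str:
    """Certificate SAN a GitHub Actions keyless signature carries.

    cosign must be handed this value exactly: a regexp or a bare repository
    name would also accept artifacts signed by any other workflow in the repo.
    """
    return f"https://github.com/{repo}/.github/workflows/{workflow_file}@{ref}"


def bundle_digest_matches(bundle: dict, blob: bytes) -> bool:
    """True if the bundle's recorded SHA-256 digest is the digest of `blob`.

    cosign repeats this check itself; doing it first gives a clear failure
    when the wrong tarball has been paired with a bundle.
    """
    digest = bundle.get("messageSignature", {}).get("messageDigest", {})
    if digest.get("algorithm") != "SHA2_256":
        return False
    recorded = base64.b64decode(digest.get("digest", ""))
    return recorded == hashlib.sha256(blob).digest()


def cosign_argv(blob_path: str, bundle_path: str, identity: str,
                issuer: str = GITHUB_ACTIONS_ISSUER) -> list:
    """Argument vector for `cosign verify-blob` with identity and issuer pinned."""
    return [
        "cosign", "verify-blob",
        "--bundle", bundle_path,
        "--certificate-identity", identity,
        "--certificate-oidc-issuer", issuer,
        blob_path,
    ]


def verify(blob_path: str, bundle_path: str, repo: str,
           workflow_file: str, ref: str) -> bool:
    """Digest pre-check, then cosign verification; False on any failure."""
    with open(blob_path, "rb") as f:
        blob = f.read()
    with open(bundle_path, "r", encoding="utf-8") as f:
        bundle = json.load(f)
    if not bundle_digest_matches(bundle, blob):
        return False
    if shutil.which("cosign") is None:
        raise RuntimeError("cosign not found on PATH")
    argv = cosign_argv(blob_path, bundle_path,
                       expected_identity(repo, workflow_file, ref))
    return subprocess.run(argv, check=False).returncode == 0


# Constructed sample data: the blob is the FIPS SHA-256 test vector "abc",
# whose digest is well known, so the bundle below can carry it verbatim.
SAMPLE_BLOB = b"abc"
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "messageSignature": {
        "messageDigest": {
            "algorithm": "SHA2_256",
            "digest": base64.b64encode(bytes.fromhex(
                "ba7816bf8f01cfea414140de5dae2223"
                "b00361a396177a9cb410ff61f20015ad")).decode(),
        },
        # Signature bytes are not checked offline here; cosign does that.
        "signature": base64.b64encode(b"constructed-placeholder").decode(),
    },
}

if __name__ == "__main__":
    print("digest ok:", bundle_digest_matches(SAMPLE_BUNDLE, SAMPLE_BLOB))
    print(" ".join(cosign_argv(
        "sycl_linux.tar.gz", "sycl_linux.tar.gz.sigstore.json",
        expected_identity("intel/llvm", "sycl-linux-build.yml",
                          "refs/heads/BRANCH_NAME"))))
```

The issuer flag matters as much as the identity: it is what ties the certificate to GitHub's own token service rather than to any other OIDC provider Fulcio accepts, and `verify` fails closed if either the digest pre-check or cosign itself rejects the artifact.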

@KornevNikita KornevNikita requested a review from a team as a code owner September 2, 2025 14:41
@KornevNikita
Contributor Author

Oops, now all workflows using sycl-linux-build need to grant additional permissions. Complicated + I don't think I really want to change the required permissions in sycl-linux-build. Probably I'll proceed with a dedicated workflow&job in nightly.

@KornevNikita
Contributor Author

Closing in favor of #20008
