[all-commits] [llvm/llvm-project] da0e53: workflows: Add a new job for packaging release sou...

Tom Stellard via All-commits all-commits at lists.llvm.org
Tue Jun 18 08:27:56 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: da0e5359fc1a5bf1749306440f9dad089046d772
      https://github.com/llvm/llvm-project/commit/da0e5359fc1a5bf1749306440f9dad089046d772
  Author: Tom Stellard <tstellar at redhat.com>
  Date:   2024-06-18 (Tue, 18 Jun 2024)

  Changed paths:
    A .github/workflows/release-sources.yml
    M .github/workflows/release-tasks.yml
    M llvm/docs/HowToReleaseLLVM.rst

  Log Message:
  -----------
  workflows: Add a new job for packaging release sources (#91834)

This job uses the new artifact attestations:

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

This will allow users to verify that the sources came from a specific
workflow run in the llvm-project repository. Currently, this job does
not automatically upload sources to the release page, but rather it
attaches them to the workflow run as artifacts. The release manager is
expected to download, verify, and sign the sources before uploading them
to the release page.

We may be able to automatically upload them in the future once we have a
process for signing the binaries within the github workflow.
Technically, though, the binaries are being signed as part of the
attestation process, but the only way to verify the signatures is using
the gh command line tool, and I don't think it is best to rely on that,
since the tool may not be easily available on all systems.


