
Consider signing release artifacts

Open cary-ilm opened this issue 1 year ago • 0 comments

The OpenSSF Best Practices Badge suggests signing release artifacts, using OpenEXR's release-sign.yml workflow as a template. It's triggered on release creation and does these steps:

  1. Runs git archive to generate a <release>.tar.gz artifact
  2. Signs the <release>.tar.gz via sigstore
  3. Uploads the resulting sigstore signature file along with the tarball.

cary-ilm, Sep 02 '24 22:09