.github/workflows/release: sign zip before sending pull request

The bazel attestations require a separate step.

Change-Id: I28e05de4ca3391fd9c87189ff3be3aeedea95ac4

Author: rsc

.github/workflows/release-bazel.yml

@@ -16,19 +16,26 @@ on:
       BCR_PUBLISH_TOKEN:
         description: 'Token for pushing to re2-machine/bazel-central-registry'
         required: true
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
 jobs:
-  release:
+  sign:
+    uses: bazel-contrib/.github/.github/workflows/[email protected]
+    with:
+      release_files: re2*.zip
+      prerelease: false
+      tag_name: ${{ inputs.tag_name || github.ref_name }}
+  send-pull-request:
+    needs: sign
     uses: bazel-contrib/publish-to-bcr/.github/workflows/[email protected]
     with:
       tag_name: ${{ inputs.tag_name }}
       # This workflow seems to require keeping a fork of the upstream to open
       # PRs from.
       registry_fork: re2-machine/bazel-central-registry
       attest: true
-    permissions:
-      contents: write
-      id-token: write
-      attestations: write
     secrets:
       # Necessary to push to the BCR fork, and to open a pull request against a registry
       publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/release.yml

@@ -33,6 +33,8 @@ jobs:
           # N.B. This is a whitespace-separated string!
           inputs: '*.tar.gz *.zip'
       - run: |
+          cp "re2-${GITHUB_REF_NAME}.zip.sigstore.json" \
+            "re2-${GITHUB_REF_NAME}.zip.intoto.jsonl"; \
           gh release upload "${GITHUB_REF_NAME}" \
             *.tar.gz *.zip *.sigstore* \
             --repo "${GITHUB_REPOSITORY}"