From 38158b9342a2616d11896e310c4fb9a21abf28e8 Mon Sep 17 00:00:00 2001
From: mendhak
Date: Wed, 6 Nov 2024 22:31:28 +0000
Subject: [PATCH] Add a cosign command to release notes
---
 .github/workflows/generate-release-apk.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/generate-release-apk.yml b/.github/workflows/generate-release-apk.yml
index cd82e717e..ff4f17a4f 100644
--- a/.github/workflows/generate-release-apk.yml
+++ b/.github/workflows/generate-release-apk.yml
@@ -52,6 +52,8 @@ jobs:
 id: attest
 with:
 subject-path: gpslogger/gpslogger-*.apk
+ - name: Copy cosign bundle
+ run: cp ${{ steps.attest.outputs.bundle-path }} gpslogger/cosign.bundle
 - name: Upload
 uses: actions/upload-artifact@v4
 with:
@@ -60,6 +62,11 @@ jobs:
 gpslogger/gpslogger-*.apk
 gpslogger/gpslogger-*.apk.asc
 gpslogger/gpslogger-*.apk.SHA256
+ gpslogger/cosign.bundle
+ - name: Get APK file name
+ run: |
+ APK_FILE_NAME=$(find gpslogger/ -maxdepth 1 -name "gpslogger-*.apk" -print -quit | xargs basename)
+ echo "APK_FILE_NAME=$APK_FILE_NAME" >> $GITHUB_ENV
 - name: Create a Release
 id: create-release
 uses: softprops/action-gh-release@v2
@@ -67,7 +74,14 @@ jobs:
 with:
 prerelease: ${{ contains(github.ref, '-rc') && startsWith(github.ref, 'refs/tags/') }}
 make_latest: true
+ body: |
+ Verification:
+ ```
+ cosign verify-blob $APK_FILE_NAME --bundle cosign.bundle --new-bundle-format --cert-oidc-issuer https://token.actions.githubusercontent.com --cert-identity https://github.com/${GITHUB_WORKFLOW_REF}
+ ```
+
 files: |
 gpslogger/gpslogger-*.apk
 gpslogger/gpslogger-*.apk.asc
- gpslogger/gpslogger-*.apk.SHA256
\ No newline at end of file
+ gpslogger/gpslogger-*.apk.SHA256
+ gpslogger/cosign.bundle
\ No newline at end of file
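Review bot: In the `@@ -52,6 +52,8 @@` hunk, the new "Copy cosign bundle" step pastes `${{ steps.attest.outputs.bundle-path }}` straight into the shell script, unquoted. The value is an action output rather than user-controlled input, so this is hardening rather than a live bug, but the usual pattern keeps expressions out of `run:` text. I would add `env:` with `BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}` to the step and change the command to `run: cp "$BUNDLE_PATH" gpslogger/cosign.bundle`. The attest step that produces the output begins outside this hunk, so its exact output format is not visible here.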
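Review bot: In the `@@ -60,6 +62,11 @@` hunk, `find ... -print -quit` records whichever `gpslogger-*.apk` it meets first, while the attest and upload steps act on the whole glob. If a build ever leaves more than one matching APK, the release notes will name one of them arbitrarily. A guard before the assignment, such as `[ "$(find gpslogger/ -maxdepth 1 -name 'gpslogger-*.apk' | wc -l)" -eq 1 ] || exit 1`, makes that case fail loudly instead. The redirect target should also be quoted, `>> "$GITHUB_ENV"`.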
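Review bot: In the `@@ -67,7 +74,14 @@` hunk, `$APK_FILE_NAME` and `${GITHUB_WORKFLOW_REF}` sit inside the `body:` input of the release action, which is not a shell script. Unless the action expands environment variables itself (nothing in this hunk suggests it does), both placeholders will be published literally and the verification command will not work as pasted. Workflow expressions are evaluated in `with:` values, so the two references could become `${{ env.APK_FILE_NAME }}` and `https://github.com/${{ github.workflow_ref }}`. It is worth checking the rendered notes on a test tag, because `--cert-identity` is an exact match against the signing certificate and a wrong ref makes verification fail for every user. The step's `uses:` line is outside this hunk.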