move action to old workflow file

janfb · janfb · commit 92002a78bb94 · 2025-09-05T17:33:02.000+02:00
diff --git a/.github/workflows/sign-release-assets.yml b/.github/workflows/sign-release-assets.yml
@@ -4,20 +4,20 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: Git tag of the existing release
+        description: Git tag of the existing release (e.g., v0.25.0)
         required: true
         type: string
 
 permissions:
   contents: write
   id-token: write
+  attestations: write
 
 jobs:
-  sign-and-upload:
-    name: Sign and upload Sigstore bundles for release assets
+  attest:
     runs-on: ubuntu-latest
     steps:
-      - name: Create dist directory
+      - name: Prepare dist directory
         run: mkdir -p dist
 
       - name: Download assets from GitHub Release
@@ -28,76 +28,14 @@ jobs:
           '${{ inputs.tag }}'
           --repo '${{ github.repository }}'
           -D dist/
+          -p '*.whl' -p '*.tar.gz'
 
       - name: List downloaded files
         run: ls -lah dist || true
 
-      - name: Collect files to sign
-        id: find
-        shell: bash
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-          # Gather candidate distribution files
-          candidates=(dist/*.whl dist/*.tar.gz)
-          if [ ${#candidates[@]} -eq 0 ]; then
-            echo "No distribution files found in dist/." >&2
-            # Nothing to do; expose empty outputs
-            echo 'inputs=' >> "$GITHUB_OUTPUT"
-            echo 'bundles=' >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # Filter to only those missing their .sigstore.json bundle
-          to_sign=()
-          bundles=()
-          for f in "${candidates[@]}"; do
-            b="${f}.sigstore.json"
-            if [ ! -f "$b" ]; then
-              to_sign+=("$f")
-              bundles+=("$b")
-            fi
-          done
-          if [ ${#to_sign[@]} -eq 0 ]; then
-            echo "All bundles already present; nothing to sign."
-            echo 'inputs=' >> "$GITHUB_OUTPUT"
-            echo 'bundles=' >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          printf 'Will sign %d file(s):\n' "${#to_sign[@]}"
-          printf '%s\n' "${to_sign[@]}"
-          # Emit multiline outputs for subsequent steps
-          {
-            echo 'inputs<<EOF'
-            printf '%s\n' "${to_sign[@]}"
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-          {
-            echo 'bundles<<EOF'
-            printf '%s\n' "${bundles[@]}"
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Sign assets with Sigstore
-        if: ${{ steps.find.outputs.inputs != '' }}
-        uses: sigstore/gh-action-sigstore-python@v3.0.0
+      - name: Generate build provenance attestations
+        uses: actions/attest-build-provenance@v1
         with:
-          inputs: ${{ steps.find.outputs.inputs }}
-
-      - name: Upload signatures to GitHub Release
-        if: ${{ steps.find.outputs.bundles != '' }}
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-          # Read bundle list from the step output and upload only new ones
-          mapfile -t paths < <(printf '%s\n' "${{ steps.find.outputs.bundles }}")
-          # Filter out any empty lines
-          cleaned=()
-          for p in "${paths[@]}"; do
-            [ -n "$p" ] && cleaned+=("$p")
-          done
-          if [ ${#cleaned[@]} -gt 0 ]; then
-            gh release upload "${{ inputs.tag }}" "${cleaned[@]}" --repo "${{ github.repository }}"
-          else
-            echo "No new bundles to upload."
-          fi
+          subject-path: |
+            dist/*.tar.gz
+            dist/*.whl
