Lets test out linux code sign

2026-04-24 22:54:54 +00:00 · 2025-10-22 13:22:23 -07:00
parent 4cd6b01494
commit 8c0d728461
1 changed files with 59 additions and 13 deletions
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -10,6 +10,10 @@ on:
  push:
    tags:
      - "rust-v*.*.*"
+  pull_request:
+    paths:
+      - ".github/workflows/rust-release.yml"
+      - "codex-rs/**"

 concurrency:
  group: ${{ github.workflow }}
@@ -27,6 +31,11 @@ jobs:
          set -euo pipefail
          echo "::group::Tag validation"

+          if [[ "${GITHUB_EVENT_NAME}" != "push" || "${GITHUB_REF_TYPE}" != "tag" ]]; then
+            echo "ℹ️  Skipping tag validation for ${GITHUB_EVENT_NAME} event"
+            exit 0
+          fi
+
          # 1. Must be a tag and match the regex
          [[ "${GITHUB_REF_TYPE}" == "tag" ]] \
            || { echo "❌  Not a tag push"; exit 1; }
@@ -49,6 +58,9 @@ jobs:
    needs: tag-check
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      id-token: write
    timeout-minutes: 30
    defaults:
      run:
@@ -58,10 +70,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
+          # - runner: macos-15-xlarge
+          #   target: aarch64-apple-darwin
+          # - runner: macos-15-xlarge
+          #   target: x86_64-apple-darwin
          - runner: ubuntu-24.04
            target: x86_64-unknown-linux-musl
          - runner: ubuntu-24.04
@@ -70,10 +82,10 @@ jobs:
            target: aarch64-unknown-linux-musl
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
-          - runner: windows-latest
-            target: x86_64-pc-windows-msvc
-          - runner: windows-11-arm
-            target: aarch64-pc-windows-msvc
+          # - runner: windows-latest
+          #   target: x86_64-pc-windows-msvc
+          # - runner: windows-11-arm
+          #   target: aarch64-pc-windows-msvc

    steps:
      - uses: actions/checkout@v5
@@ -100,7 +112,7 @@ jobs:
      - name: Cargo build
        run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy

-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-15-xlarge' && github.event_name == 'push' }}
        name: Configure Apple code signing
        shell: bash
        env:
@@ -185,7 +197,7 @@ jobs:
          echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
          echo "::add-mask::$APPLE_CODESIGN_IDENTITY"

-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-15-xlarge' && github.event_name == 'push' }}
        name: Sign macOS binaries
        shell: bash
        run: |
@@ -206,7 +218,7 @@ jobs:
            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
          done

-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-15-xlarge' && github.event_name == 'push' }}
        name: Notarize macOS binaries
        shell: bash
        env:
@@ -327,8 +339,40 @@ jobs:
            zstd -T0 -19 --rm "$dest/$base"
          done

+      - if: ${{ contains(matrix.target, 'unknown-linux') && github.event_name == 'push' }}
+        name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
+      - if: ${{ contains(matrix.target, 'unknown-linux') && github.event_name == 'push' }}
+        name: Cosign Linux artifacts
+        shell: bash
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+          COSIGN_YES: "true"
+          COSIGN_OIDC_CLIENT_ID: "sigstore"
+          COSIGN_OIDC_ISSUER: "https://oauth2.sigstore.dev/auth"
+        run: |
+          set -euo pipefail
+
+          dest="dist/${{ matrix.target }}"
+          if [[ ! -d "$dest" ]]; then
+            echo "Destination $dest does not exist"
+            exit 1
+          fi
+
+          shopt -s nullglob
+          for artifact in "$dest"/*; do
+            if [[ -f "$artifact" ]]; then
+              cosign sign-blob \
+                --yes \
+                --output-signature "${artifact}.sig" \
+                --output-certificate "${artifact}.pem" \
+                "$artifact"
+            fi
+          done
+
      - name: Remove signing keychain
-        if: ${{ always() && matrix.runner == 'macos-15-xlarge' }}
+        if: ${{ always() && matrix.runner == 'macos-15-xlarge' && github.event_name == 'push' }}
        shell: bash
        env:
          APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
@@ -359,6 +403,7 @@ jobs:
            codex-rs/dist/${{ matrix.target }}/*

  release:
+    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/rust-v') }}
    needs: build
    name: release
    runs-on: ubuntu-latest
@@ -455,8 +500,8 @@ jobs:
  # July 31, 2025: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
  # npm docs: https://docs.npmjs.com/trusted-publishers
  publish-npm:
-    # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
    if: ${{ needs.release.outputs.should_publish_npm == 'true' }}
+    # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
    name: publish-npm
    needs: release
    runs-on: ubuntu-latest
@@ -520,6 +565,7 @@ jobs:
          done

  update-branch:
+    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/rust-v') }}
    name: Update latest-alpha-cli branch
    permissions:
      contents: write