diff --git a/.github/workflows/ci-prepare-release.yml b/.github/workflows/ci-prepare-release.yml index 29a747281f7f..3b3c06652663 100644 --- a/.github/workflows/ci-prepare-release.yml +++ b/.github/workflows/ci-prepare-release.yml @@ -92,27 +92,27 @@ jobs: working-directory: artifacts env: version: ${{ inputs.version }} - run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../artifacts/pulumi-${version}-checksums.txt" + run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt" - name: Checksums with BLAKE3 working-directory: artifacts - run: b3sum ./* | sed 's/.\///' | tee ../artifacts/B3SUMS + run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS - name: Checksums with SHA512 working-directory: artifacts - run: sha512sum ./* | sed 's/.\///' | tee ../artifacts/SHA512SUMS + run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS - name: Sign binaries and checksums - working-directory: artifacts shell: bash env: version: ${{ inputs.version }} run: | ls -la - for file in *; do + # Sign all artifacts and checksums: + for file in ./{artifacts,sums.tmp}/*; do echo "$file" COSIGN_EXPERIMENTAL=1 cosign sign-blob \ - --bundle="${file}".sig \ + --bundle="./sums.tmp/${file}".sig \ "${file}" done @@ -121,10 +121,7 @@ jobs: name: artifacts-signatures retention-days: 1 path: | - artifacts/*.sig - artifacts/B3SUMS - artifacts/SHA512SUMS - artifacts/pulumi-*-checksums.txt + sums.tmp/* if-no-files-found: error publish: @@ -168,6 +165,7 @@ jobs: - name: Flatten artifact directories run: | mkdir -p ./artifacts + mkdir -p ./sums.tmp mv ./artifacts.tmp/artifacts-*/* ./artifacts - uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a with:
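Review bot: In the "Sign binaries and checksums" step the loop variable now carries its directory prefix (`./artifacts/…` or `./sums.tmp/…`), so `--bundle="./sums.tmp/${file}".sig` expands to paths such as `./sums.tmp/./artifacts/<name>.sig`. Nothing in the hunk creates a `sums.tmp/artifacts` or `sums.tmp/sums.tmp` directory, so cosign will most likely fail to write the bundle, or at best write it somewhere the flat `sums.tmp/*` upload in the next hunk does not pick up as intended. Strip the directory before building the bundle path, e.g. `--bundle="./sums.tmp/$(basename "${file}").sig" \`. Since these bundles are what downstream users verify release binaries against, it would also help to assert after the loop that every file in `./artifacts` has a matching `.sig` in `./sums.tmp`.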
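Review bot: The added `mkdir -p ./sums.tmp` lands in the "Flatten artifact directories" step that comes after the `publish:` key shown in the previous hunk, so it appears to run in the publish job, where nothing visible writes to `./sums.tmp`. The checksum steps in the earlier job are the ones that `tee` into `../sums.tmp/`, and `tee` fails when the target directory does not exist. No step visible in this diff creates it there. Unless a step outside these hunks already does, add a step with `run: mkdir -p ./sums.tmp` before the first checksum step in the signing job, and drop the `mkdir` here if the publish job does not use the directory.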