diff --git a/.github/workflows/release-integrity.yml b/.github/workflows/release-integrity.yml
new file mode 100644
index 00000000..15c6ea08
--- /dev/null
+++ b/.github/workflows/release-integrity.yml
@@ -0,0 +1,47 @@
+name: Release integrity
+
+on:
+ release:
+ types:
+ - published
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: Release tag to package
+ required: true
+
+permissions:
+ contents: write
+
+jobs:
+ package-release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out release ref
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.release.tag_name || inputs.tag }}
+
+ - name: Build release archive
+ run: |
+ set -euo pipefail
+ tag="${{ github.event.release.tag_name || inputs.tag }}"
+ archive="SecuritySkills-${tag}.tar.gz"
+ mkdir -p dist
+ git archive --format=tar.gz --prefix="SecuritySkills-${tag}/" -o "dist/${archive}" HEAD
+ cd dist
+ sha256sum "${archive}" > SHA256SUMS
+
+ - name: Attach checksum artifacts to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ set -euo pipefail
+ gh release upload "${{ github.event.release.tag_name }}" dist/* --clobber
+
+ - name: Upload workflow artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: release-integrity-artifacts
+ path: dist/*
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6fda4fe2..0c0e263b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -180,6 +180,10 @@ If your contribution changes CI/CD examples, update ruby scripts/validate_ci_cd_examples.rb ``` +Release artifacts are checksummed by the GitHub release workflow. See +[docs/release-integrity.md](docs/release-integrity.md) before changing release +packaging. + ### Normalized JSON output Every skill must be able to emit findings as normalized JSON that validates
diff --git a/README.md b/README.md
index bea4a1b0..e43b98e2 100644
--- a/README.md
+++ b/README.md
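Review bot: The lines `tag="${{ github.event.release.tag_name || inputs.tag }}"` in the "Build release archive" step and `gh release upload "${{ github.event.release.tag_name }}" dist/* --clobber` in the "Attach checksum artifacts" step substitute workflow-context values into the script text before bash ever runs, so a tag name or dispatch input containing shell metacharacters is interpreted as script rather than as data, and the surrounding double quotes do not protect against that because the expansion happens at template time. The exposure is limited to whoever can publish a release or dispatch the workflow, but the standard hardening is to pass the value through `env:` and reference it as `"$TAG"`, which keeps it an ordinary string; the rewritten steps are below. Two smaller points on the same hunk: `actions/checkout@v4` and `actions/upload-artifact@v4` are pinned to moving major tags, and pinning to a full commit SHA (with the version in a trailing comment) is the usual choice for a workflow whose output is the release checksum file itself; and `permissions: contents: write` is only needed by the `gh release upload` step, so moving it to that job level is the minimum the job can carry, with the dispatch path needing only `contents: read` if it is ever split out.

```yaml
      - name: Build release archive
        env:
          TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          set -euo pipefail
          tag="$TAG"
          # … unchanged: archive name, mkdir, git archive, cd dist, sha256sum …

      - name: Attach checksum artifacts to release
        if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          gh release upload "$TAG" dist/* --clobber
```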
@@ -126,6 +126,10 @@ ruby scripts/validate_framework_registry.rb ruby scripts/validate_framework_registry.rb --stale --max-age-days 365 ``` +Release archives include SHA-256 checksums generated by the release workflow. +See [`docs/release-integrity.md`](docs/release-integrity.md) for verification +steps. + CI/CD examples for GitHub Actions, GitLab CI, Azure DevOps, Jenkins, pre-commit, and local agent usage are available in [`docs/ci-cd-examples.md`](docs/ci-cd-examples.md). Validate those examples
diff --git a/docs/release-integrity.md b/docs/release-integrity.md
new file mode 100644
index 00000000..0dd815c9
--- /dev/null
+++ b/docs/release-integrity.md
@@ -0,0 +1,30 @@
+# Release Integrity
+
+Release artifacts are produced by the `Release integrity` GitHub Actions
+workflow. When a GitHub release is published, the workflow creates:
+
+- `SecuritySkills-.tar.gz`: archive built from the release tag.
+- `SHA256SUMS`: SHA-256 checksum file for the archive.
+
+Both files are attached to the GitHub release. The workflow can also be run
+manually with a tag through `workflow_dispatch`; manual runs upload the same
+files as workflow artifacts for review.
+
+## Verify A Release
+
+Download the release archive and `SHA256SUMS`, then run:
+
+```bash
+sha256sum -c SHA256SUMS
+```
+
+Expected output:
+
+```text
+SecuritySkills-.tar.gz: OK
+```
+
+This repository currently provides checksum-based release integrity. If a future
+release process adds key-managed artifact signing, keep checksum generation in
+place so consumers can verify artifacts even when they do not participate in the
+signing trust chain.