Create GitHub Action for upstream releases#2383
Conversation
This commit updates the upstream release process and introduces a GitHub Action that performs the upstream release and creates tarball automatically. Having an automated, ephemeral and isolated release pipeline significantly reduces risk of releasing a compromised release. It helps ensure that the release tarballs don't contain unwanted artifacts and aren't affected by compromised environment.
|
To test that the new GitHub action works I have created a new throwaway fork https://github.com/jan-cerny/openscap-throwaway. I have pushed this commit to the main branch there and I pushed there a commit updating the NEWS file. I have published a new release in that repo, which triggered this action: https://github.com/jan-cerny/openscap-throwaway/actions/runs/29000787475 In the release page you can see that the tarball has been attached https://github.com/jan-cerny/openscap-throwaway/releases/tag/1.4.5 It also added an attestation to https://github.com/jan-cerny/openscap-throwaway/attestations |
| with: | ||
| submodules: recursive | ||
| - name: Build source tarball | ||
| run: | |
There was a problem hiding this comment.
Can we use working-directory here?
|
|
I have add the working directory option. See the new action in the throwaway fork for that commit https://github.com/jan-cerny/openscap-throwaway/actions/runs/29077488756 and the release https://github.com/jan-cerny/openscap-throwaway/releases/tag/1.4.51 |



This commit updates the upstream release process and introduces a GitHub Action that performs the upstream release and creates tarball automatically.
Having an automated, ephemeral and isolated release pipeline significantly reduces risk of releasing a compromised release. It helps ensure that the release tarballs don't contain unwanted artifacts and aren't affected by compromised environment.