From b795d31b612ffae6498c36c3858153e7a1ae544b Mon Sep 17 00:00:00 2001
From: killertcell428
Date: Mon, 18 May 2026 03:15:51 +0900
Subject: [PATCH 1/2] ci: fix cosign sign-blob args for cosign v3 (--bundle replaces --output-signature/--output-certificate)

The Release workflow's "Sign distributions with cosign" step was failing the v1.1.4 release run with:

Flag --output-signature has been deprecated, please use --bundle
Flag --output-certificate has been deprecated, please use --bundle
Error: signing dist/pyaigis-1.1.4-py3-none-any.whl: create bundle file: open : no such file or directory

cosign v3 removed the two legacy output flags and now requires a single --bundle that contains both the signature and the Sigstore certificate. Replace the two-file flow with a per-artifact .cosign.bundle. The bundle file is uploaded to the GitHub Release artifacts step (softprops/action-gh-release with `files: dist/*`) so downstream verifiers can still fetch the signature material from the release page; verification with `cosign verify-blob --bundle ...` is the documented v3 flow.

Signed-off-by: killertcell428
---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f76dbf..063bf30 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -76,10 +76,13 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: "1"
 run: |
+ # cosign v3 deprecated --output-signature / --output-certificate in
+ # favour of a single --bundle file containing both the signature and
+ # the Sigstore certificate. The v1.1.4 release run failed on the
+ # legacy flags ("create bundle file: open : no such file or directory").
 for artifact in dist/*; do
 cosign sign-blob --yes \
- --output-signature "${artifact}.sig" \
- --output-certificate "${artifact}.crt" \
+ --bundle "${artifact}.cosign.bundle" \
 "${artifact}"
 done

From 9fbaa88f73470cd2a10e2ae89a2f49d75a9fc3e0 Mon Sep 17 00:00:00 2001
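Review bot: Switching the published signature material from a `.sig`/`.crt` pair to a single `.cosign.bundle` changes what downstream verifiers must fetch, but nothing in the patch updates the project's verification instructions, and the `cosign verify-blob --bundle ...` flow named in the commit message is incomplete on its own: in cosign v3 `verify-blob` also needs `--certificate-oidc-issuer` and `--certificate-identity` (or `--certificate-identity-regexp`), otherwise the bundle only proves that some Fulcio-issued certificate signed the file, not that this workflow did. Suggest documenting the full command next to the release, e.g. `cosign verify-blob --bundle <WHEEL>.cosign.bundle --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity https://github.com/<OWNER>/<REPO>/.github/workflows/release.yml@refs/tags/<TAG> <WHEEL>`, and stating that the `.sig`/`.crt` files are no longer published. The `run:` block's enclosing step starts before the hunk.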
From: killertcell428
Date: Mon, 18 May 2026 03:22:56 +0900
Subject: [PATCH 2/2] ci: keep cosign bundles outside dist/ so PyPI publish does not reject them
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v1.1.4 release run (after the cosign v3 --bundle fix in #59) failed in the Publish → PyPI step with:

Checking dist/pyaigis-1.1.4-py3-none-any.whl: PASSED
Checking dist/pyaigis-1.1.4-py3-none-any.whl.cosign.bundle: ERROR InvalidDistribution: Unknown distribution format: 'pyaigis-1.1.4-py3-none-any.whl.cosign.bundle'

pypa/gh-action-pypi-publish runs metadata verification across every file in dist/ and rejects extensions it does not recognise. The cosign bundle is not a PEP 740 attestation and does not belong in dist/.

Changes:
- Sign step writes bundles to dist-signatures/ (separate dir) instead of next to the wheel/sdist.
- Add a second upload-artifact for python-package-signatures so the bundles survive to the GitHub Release job.
- Release job downloads BOTH artifacts into a release-files/ directory and uploads everything together to the GitHub Release.

PyPI publish keeps reading from dist/ unchanged, so the verification step now sees only wheels and sdists.

Signed-off-by: killertcell428
---
 .github/workflows/release.yml | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 063bf30..1f72fa1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -77,12 +77,16 @@ jobs:
 COSIGN_EXPERIMENTAL: "1"
 run: |
 # cosign v3 deprecated --output-signature / --output-certificate in
- # favour of a single --bundle file containing both the signature and
- # the Sigstore certificate. The v1.1.4 release run failed on the
- # legacy flags ("create bundle file: open : no such file or directory").
+ # favour of a single --bundle file. The bundles MUST live outside
+ # dist/ — pypa/gh-action-pypi-publish runs metadata verification on
+ # every file in dist/ and rejects unknown extensions (the v1.1.4
+ # first re-run failed with "InvalidDistribution: Unknown
+ # distribution format: pyaigis-1.1.4-py3-none-any.whl.cosign.bundle").
+ mkdir -p dist-signatures
 for artifact in dist/*; do
+ base=$(basename "${artifact}")
 cosign sign-blob --yes \
- --bundle "${artifact}.cosign.bundle" \
+ --bundle "dist-signatures/${base}.cosign.bundle" \
 "${artifact}"
 done
@@ -92,6 +96,12 @@ jobs:
 name: python-package-distributions
 path: dist/
+ - name: Upload signatures
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ with:
+ name: python-package-signatures
+ path: dist-signatures/
+
 # ── 2. Publish to PyPI ────────────────────────────────────────────────────
 publish-pypi:
 name: Publish → PyPI
@@ -180,13 +190,19 @@ jobs:
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: python-package-distributions
- path: dist/
+ path: release-files/
+
+ - name: Download signatures
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ name: python-package-signatures
+ path: release-files/
 - name: Create GitHub Release
 uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 with:
 name: "aigis ${{ github.ref_name }}"
 body: ${{ steps.changelog.outputs.body }}
- files: dist/*
+ files: release-files/*
 make_latest: true
 generate_release_notes: true # appends GitHub auto-notes after our body
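Review bot: The sign loop writes each bundle into `dist-signatures/` but never verifies it, so a truncated or mis-targeted bundle is only discovered by a downstream consumer after the release is public. Add a `cosign verify-blob` immediately after each `sign-blob`, pinning `--certificate-oidc-issuer` to the GitHub Actions issuer and `--certificate-identity-regexp` to this workflow's own path, so the job fails closed before anything is uploaded. The `COSIGN_EXPERIMENTAL: "1"` context line is no longer required for keyless signing in cosign v2 and later and can be dropped in the same change. The `run:` block's enclosing step starts before the hunk; OWNER/REPO below are placeholders for the repository, which the page does not show.
```yaml
        run: |
          # … unchanged: cosign v3 / dist-signatures comment …
          mkdir -p dist-signatures
          for artifact in dist/*; do
            base=$(basename "${artifact}")
            bundle="dist-signatures/${base}.cosign.bundle"
            cosign sign-blob --yes \
              --bundle "${bundle}" \
              "${artifact}"
            # Fail the job if the bundle does not verify against this workflow's
            # own OIDC identity (OWNER/REPO are placeholders for the repository).
            cosign verify-blob \
              --bundle "${bundle}" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              --certificate-identity-regexp '^https://github\.com/OWNER/REPO/\.github/workflows/release\.yml@refs/tags/' \
              "${artifact}"
          done
```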
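Review bot: The new `Upload signatures` step relies on upload-artifact's default `if-no-files-found: warn`, so if the sign step ever exits without writing any bundle into `dist-signatures/` the artifact is uploaded empty with only a warning, and the release job downstream still publishes unsigned files. Add `if-no-files-found: error` under this step's `with:` so the run fails closed; the same line would harden the `python-package-distributions` upload in the context lines just above it, which is otherwise unchanged by the patch.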
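Review bot: `files: release-files/*` will publish whatever the two download steps produced, with no check that every wheel and sdist has a matching `.cosign.bundle` beside it, so a partial or empty signatures artifact still yields a release that looks signed from the outside. A one-line guard step before `Create GitHub Release` closes this: `for f in release-files/*; do case "$f" in *.cosign.bundle) ;; *) test -f "${f}.cosign.bundle" || exit 1;; esac; done`. As a point of style, the two download steps differ only in `name`; download-artifact v4 accepts `pattern: python-package-*` with `merge-multiple: true` to fetch both into `release-files/` in one step, if the pinned v8.0.1 still supports those inputs (not verifiable from this page).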