Version tags trigger .github/workflows/release.yml, which creates GitHub
release notes. Published releases trigger .github/workflows/sbom-release.yml,
which generates and uploads a CycloneDX SBOM. Release actions are pinned to
specific commits.
OpenShield must not mark the OpenSSF signed_releases criterion Met until the
following process is implemented and exercised for a real release:
- Build a deterministic source or distribution archive from the reviewed tag.
- Generate SHA-256 checksums and a cryptographic signature or keyless Sigstore attestation for each distributed artifact and its SBOM.
- Keep signing authority separate from the public download location. A keyless workflow must bind the identity, repository, workflow and commit in the transparency record.
- Upload artifacts, checksums, signatures/attestations and verification instructions to the release.
- Verify the published artifacts in a separate CI step before announcing the release.
- Create important release tags as signed annotated tags, or document why the artifact-attestation mechanism provides the authoritative release identity.
The project lead must approve the signing model and access policy before this is
automated. Existing v0.1.0 and v0.3.0 tags are lightweight tags and do not
by themselves satisfy signed-release requirements.
The final workflow must provide copyable verification commands that validate the artifact digest, signer identity, repository and workflow identity. Those commands will replace this section once the signing mechanism is selected and tested.