Add Cosign (#184)

Maxim-Doronin · web-flow · commit a826bd92b5e0 · 2025-10-10T19:19:58.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -52,6 +52,7 @@ jobs:
       packages: read
       statuses: read
       security-events: write
+      id-token: write
     with:
       os: ubuntu_24_04
       build-runner: ubuntu-latest-32-cores
diff --git a/.github/workflows/job_build_cid.yml b/.github/workflows/job_build_cid.yml
@@ -92,6 +92,7 @@ jobs:
       contents: read
       packages: read
       statuses: read
+      id-token: write
     outputs:
       build-package: ${{ steps.set-build-package-name.outputs.build-package }}
     env:
@@ -109,11 +110,7 @@ jobs:
         run: |
           echo "Event name: ${{ github.event_name }}"
           echo "Full event payload:"
-          echo '${{ toJson(github.event) }}' | jq .
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            echo "Workflow dispatch inputs:"
-            echo '${{ toJson(github.event.inputs) }}' | jq .
-          fi
+          jq . "$GITHUB_EVENT_PATH"
 
       - name: Prepare artifact dir
         run: |
@@ -158,7 +155,7 @@ jobs:
           BASE_PREFIX="${{ steps.package-params.outputs.package-prefix }}"
           PLATFORM="${{ steps.package-params.outputs.package-platform-tag }}"
           VERSION="${{ steps.versions.outputs.npu-compiler-version }}"
-          EXTENSION=${{ steps.package-params.outputs.package-extension }}
+          EXTENSION="${{ steps.package-params.outputs.package-extension }}"
 
           cid_package_base_name="${BASE_PREFIX}_vpux_compiler_l0_${PLATFORM}-${VERSION}-${CMAKE_BUILD_TYPE}"
           cid_package_base_name+="_dyntbb_${CI_CONTEXT}_cid_${{ github.sha }}_${TIME_STAMP}"
@@ -215,7 +212,7 @@ jobs:
       - name: Install python deps
         if: ${{ !steps.cache-restore.outputs.cache-hit }}
         run: |
-          python -m pip install --require-hashes -r ${NPU_COMPILER_REPO}/.github/requirements-dev.txt
+          python -m pip install --require-hashes -r "${NPU_COMPILER_REPO}/.github/requirements-dev.txt"
 
       - name: Setup MSVC env (x64)
         if: ${{ !steps.cache-restore.outputs.cache-hit && env.IS_WINDOWS == '1' }}
@@ -245,7 +242,7 @@ jobs:
         run: |
           cmake \
             -G Ninja \
-            -D CMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE} \
+            -D CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" \
             -D BUILD_SHARED_LIBS=OFF \
             -D OPENVINO_EXTRA_MODULES=$(realpath ${NPU_COMPILER_REPO}) \
             -D ENABLE_LTO=OFF \
@@ -293,9 +290,9 @@ jobs:
         if: ${{ !steps.cache-restore.outputs.cache-hit }}
         run: |
           cmake \
-            --build ${OPENVINO_BUILD_DIR} \
+            --build "${OPENVINO_BUILD_DIR}" \
             --parallel \
-            --config ${CMAKE_BUILD_TYPE} \
+            --config "${CMAKE_BUILD_TYPE}" \
             --target npu_driver_compiler compilerTest profilingTest vpuxCompilerL0Test loaderTest
 
       - name: CMake cpack - CiD target
@@ -325,14 +322,30 @@ jobs:
       - name: Upload CiD package
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          path: ${{ env.CID_PACKAGE_ARTIFACTS_DIR }}/${{ steps.package-name.outputs.cid-package-full-name }}
           name: ${{ steps.package-name.outputs.cid-package-full-name }}
+          path: |
+            ${{ env.CID_PACKAGE_ARTIFACTS_DIR }}/${{ steps.package-name.outputs.cid-package-full-name }}
 
       - name: Set build package name to outputs
         id: set-build-package-name
         run: |
             echo "build-package=${{ steps.package-name.outputs.cid-package-full-name }}" >> $GITHUB_OUTPUT
       
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' && inputs.publish-release-assets }}
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+
+      - name: Sign CiD package with cosign
+        if: ${{ github.event_name != 'pull_request' && inputs.publish-release-assets }}
+        env:
+          ARCHIVE: ${{ env.CID_PACKAGE_ARTIFACTS_DIR }}/${{ steps.package-name.outputs.cid-package-full-name }}
+        run: |
+          cosign sign-blob \
+            --yes \
+            --output-signature "${ARCHIVE}.sig" \
+            --output-certificate "${ARCHIVE}.pem" \
+            "${ARCHIVE}"
+
       - name: Upload asset to existing release tag
         if: ${{ github.event_name != 'pull_request' && inputs.publish-release-assets }}
         env:
@@ -341,6 +354,8 @@ jobs:
           NPU_TAG="${{ steps.versions.outputs.npu-compiler-tag }}"
           NPU_REPO="${{ steps.versions.outputs.npu-compiler-repository }}"
           CID_ASSET="${CID_PACKAGE_ARTIFACTS_DIR}/${{ steps.package-name.outputs.cid-package-full-name }}"
+          CID_SIG="${CID_ASSET}.sig"
+          CID_CERT="${CID_ASSET}.pem"
 
-          gh release upload "$NPU_TAG" "$CID_ASSET" --clobber --repo "$NPU_REPO"
-          echo "Uploaded $CID_ASSET to release $NPU_TAG"
+          gh release upload "$NPU_TAG" "$CID_ASSET" "$CID_SIG" "$CID_CERT" --clobber --repo "$NPU_REPO"
+          echo "Uploaded $CID_ASSET with $CID_SIG and $CID_CERT to release $NPU_TAG"
diff --git a/.github/workflows/job_linux.yml b/.github/workflows/job_linux.yml
@@ -120,6 +120,12 @@ jobs:
     name: CiD / Build
     if: ${{ inputs.build-cid }}
     uses: ./.github/workflows/job_build_cid.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      id-token: write
     with:
       os: ${{ inputs.os }}
       build-runner: ${{ inputs.build-runner }}
diff --git a/.github/workflows/job_windows.yml b/.github/workflows/job_windows.yml
@@ -51,6 +51,12 @@ jobs:
     name: CiD / Build
     if: ${{ inputs.build-cid }}
     uses: ./.github/workflows/job_build_cid.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      id-token: write
     with:
       os: ${{ inputs.os }}
       build-runner: ${{ inputs.build-runner }}
diff --git a/.github/workflows/ubuntu_22.yml b/.github/workflows/ubuntu_22.yml
@@ -22,6 +22,7 @@ jobs:
       packages: read
       statuses: read
       security-events: write
+      id-token: write
     with:
       os: ubuntu_22_04
       build-runner: ubuntu-22.04-16-cores
diff --git a/.github/workflows/ubuntu_24.yml b/.github/workflows/ubuntu_24.yml
@@ -22,6 +22,7 @@ jobs:
       packages: read
       statuses: read
       security-events: write
+      id-token: write
     with:
       os: ubuntu_24_04
       build-runner: ubuntu-latest-32-cores
diff --git a/.github/workflows/windows_2022.yml b/.github/workflows/windows_2022.yml
@@ -22,6 +22,7 @@ jobs:
       packages: read
       statuses: read
       security-events: write
+      id-token: write
     with:
       os: windows_2022
       build-runner: windows-2022-16-core
