Hash release files after signing (#14085)

maennchen · web-flow · commit e4c86d4b5f91 · 2024-12-20T11:29:29.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -55,7 +55,6 @@ jobs:
           git push origin $ref_name --force
 
   build:
-    needs: create_draft_release
     strategy:
       fail-fast: true
       matrix:
@@ -80,6 +79,22 @@ jobs:
           otp: ${{ matrix.otp }}
           build_docs: ${{ matrix.build_docs }}
 
+      - name: "Sign files with Trusted Signing"
+        if: github.repository == 'elixir-lang/elixir'
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: trusted-signing-elixir
+          certificate-profile-name: Elixir
+          files-folder: ${{ github.workspace }}
+          files-folder-filter: exe
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+
       - name: "Attest release .exe provenance"
         uses: actions/attest-build-provenance@v2
         id: attest-exe-provenance
@@ -112,6 +127,18 @@ jobs:
         env:
           ATTESTATION: "${{ steps.attest-docs-provenance.outputs.bundle-path }}"
 
+      - name: Create Release Hashes
+        run: |
+          shasum -a 1   elixir-otp-${{ matrix.otp }}.zip > elixir-otp-${{ matrix.otp }}.zip.sha1sum
+          shasum -a 256 elixir-otp-${{ matrix.otp }}.zip > elixir-otp-${{ matrix.otp }}.zip.sha256sum
+          shasum -a 1   elixir-otp-${{ matrix.otp }}.exe > elixir-otp-${{ matrix.otp }}.exe.sha1sum
+          shasum -a 256 elixir-otp-${{ matrix.otp }}.exe > elixir-otp-${{ matrix.otp }}.exe.sha256sum
+      - name: Create Docs Hashes
+        if: ${{ matrix.build_docs }}
+        run: |
+          shasum -a 1   Docs.zip > Docs.zip.sha1sum
+          shasum -a 256 Docs.zip > Docs.zip.sha256sum
+
       - name: "Upload release artifacts"
         uses: actions/upload-artifact@v4
         with:
@@ -126,7 +153,7 @@ jobs:
           path: Docs.zip*
 
   upload-release:
-    needs: build
+    needs: [build, create_draft_release]
     runs-on: windows-2022
 
     steps:
@@ -137,22 +164,6 @@ jobs:
           mv Docs/* .
         shell: bash
 
-      - name: "Sign files with Trusted Signing"
-        if: github.repository == 'elixir-lang/elixir'
-        uses: azure/trusted-signing-action@v0.5.0
-        with:
-          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-          endpoint: https://eus.codesigning.azure.net/
-          trusted-signing-account-name: trusted-signing-elixir
-          certificate-profile-name: Elixir
-          files-folder: ${{ github.workspace }}
-          files-folder-filter: exe
-          file-digest: SHA256
-          timestamp-rfc3161: http://timestamp.acs.microsoft.com
-          timestamp-digest: SHA256
-
       - name: Upload Pre-built
         shell: bash
         env:
diff --git a/.github/workflows/release_pre_built/action.yml b/.github/workflows/release_pre_built/action.yml
@@ -19,8 +19,6 @@ runs:
       run: |
         make Precompiled.zip
         mv Precompiled.zip elixir-otp-${{ inputs.otp }}.zip
-        shasum -a 1 elixir-otp-${{ inputs.otp }}.zip > elixir-otp-${{ inputs.otp }}.zip.sha1sum
-        shasum -a 256 elixir-otp-${{ inputs.otp }}.zip > elixir-otp-${{ inputs.otp }}.zip.sha256sum
         echo "$PWD/bin" >> $GITHUB_PATH
     - name: Install NSIS
       shell: bash
@@ -34,8 +32,6 @@ runs:
         export ELIXIR_ZIP=$PWD/elixir-otp-${{ inputs.otp }}.zip
         (cd lib/elixir/scripts/windows_installer && ./build.sh)
         mv lib/elixir/scripts/windows_installer/tmp/elixir-otp-${{ inputs.otp }}.exe .
-        shasum -a 1   elixir-otp-${{ inputs.otp }}.exe > elixir-otp-${{ inputs.otp }}.exe.sha1sum
-        shasum -a 256 elixir-otp-${{ inputs.otp }}.exe > elixir-otp-${{ inputs.otp }}.exe.sha256sum
     - name: Get ExDoc ref
       if: ${{ inputs.build_docs }}
       shell: bash
@@ -66,5 +62,3 @@ runs:
       run: |
         git fetch --tags
         make Docs.zip
-        shasum -a 1 Docs.zip > Docs.zip.sha1sum
-        shasum -a 256 Docs.zip > Docs.zip.sha256sum
