From cb1dab97982722cff3c146926da1519c848f5b0f Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 11:12:22 -0400 Subject: [PATCH 01/15] Test cosign --- .github/workflows/build.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4e12b8a..83b2df1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -165,12 +165,22 @@ jobs: name: Package assets for Craft runs-on: ubuntu-latest needs: [build_for_pypi, build_assets, build_linux_assets] + permissions: + id-token: write # needed for signing binaries with OIDC token via Cosign steps: - name: Download artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: "{sentry-prevent-,codecov-,codecov}cli*" + - name: Install Cosign + uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 + + - name: Sign sentry-prevent-cli binaries + run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos.bundle --yes + + - run: ls + - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -180,3 +190,4 @@ jobs: sentry-prevent-cli_wheel/* codecovcli* codecov-cli_wheel/* + *.bundle From 92714adf0bce22c0cf048ab13ed55df5d4a92e0f Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 11:34:50 -0400 Subject: [PATCH 02/15] Test verification --- .github/workflows/build.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 83b2df1..fabb431 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
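Review bot: The `Sign sentry-prevent-cli binaries` step added in patch 01 has no `if:` guard, so every run of this job obtains a signing certificate for the repository's workflow identity, on whatever ref triggered it. The workflow's `on:` triggers are outside the hunk, so this may already be limited to release refs. If it is not, gate the install and sign steps, for example with `if: startsWith(github.ref, 'refs/heads/release/')`, so that non-release builds never produce a bundle that later verifies as an official binary. Keeping `id-token: write` on this one job is the right scope, but a job-level `permissions` block sets every unlisted scope to none, so confirm the remaining steps (which continue outside the hunk) need nothing else.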
@@ -177,10 +177,13 @@ jobs: uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - name: Sign sentry-prevent-cli binaries - run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos.bundle --yes + run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes - run: ls + - name: test verification + run: cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: From 815c5815bf533da14650760fad591d00e8147513 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 12:50:17 -0400 Subject: [PATCH 03/15] sign the rest of em --- .github/workflows/build.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fabb431..098cc3a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
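Review bot: The bundle is now written to `sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle`, but the upload list changed in patch 01 only adds `*.bundle`, which matches files in the workspace root. Unless an upload path above the visible lines of that hunk already covers the `sentry-prevent-cli_macos/` directory, the bundle would no longer be shipped with the release artifact. Confirm this, then either drop the `*.bundle` entry or point it at the per-binary directories. The `test verification` step runs in the same job that signed, so it shows the bundle is well formed but cannot replace verification by the consumer of the release.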
@@ -177,12 +177,25 @@ jobs: uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - name: Sign sentry-prevent-cli binaries - run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes + run: | + cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes + cosign sign-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes + cosign sign-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes + cosign sign-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes + cosign sign-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes + cosign sign-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes - - run: ls + - run: ls -R - name: test verification - run: cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + run: | + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle 
--yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From 6fd872c87412ceb661f1ef8dcca3fda79a14f9e3 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:05:20 -0400 Subject: [PATCH 04/15] Make prevent linux have x86_64 suffix --- scripts/build_linux.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh index 446596b..88403a5 100755 --- a/scripts/build_linux.sh +++ b/scripts/build_linux.sh @@ -14,9 +14,8 @@ cd ../codecov-cli uv run pyinstaller -F codecov_cli/main.py mv ./dist/main ./dist/codecovcli_$1 -# linux binary should be just codecovcli_linux +# codecov linux binary should be just codecovcli_linux if [ $1 = "linux_x86_64" ]; then cd .. - mv ./prevent-cli/dist/sentry-prevent-cli_$1 ./prevent-cli/dist/sentry-prevent-cli_linux mv ./codecov-cli/dist/codecovcli_$1 ./codecov-cli/dist/codecovcli_linux fi From 0b855cadde9b442b727efae32cc102a46b1e7aa2 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:08:19 -0400 Subject: [PATCH 05/15] Remove accidental flag --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 098cc3a..b32a0e1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
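Review bot: In patch 03 the sign step covers six hand-listed `sentry-prevent-cli_*` binaries, while the upload list visible in patch 01 also ships `codecovcli*`, `codecov-cli_wheel/*` and `sentry-prevent-cli_wheel/*`, none of which get a bundle. If that is intentional, a comment such as `# only sentry-prevent-cli binaries are signed; codecovcli and wheels are not` above the step would make the gap explicit for anyone relying on the signatures. The fixed list also has to be kept in step with the build matrix, since a platform added later would be uploaded unsigned with no failure. Iterating over the downloaded `sentry-prevent-cli_*` directories, and failing when a binary has no bundle, would close that hole.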
@@ -190,12 +190,12 @@ jobs: - name: test verification run: | cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob 
sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From f8394a4ff13a577ca2d1055b9ce24ad568353cdc Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:23:13 -0400 Subject: [PATCH 06/15] Tweak craft comment --- .craft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.craft.yml b/.craft.yml index d7a4b10..996b6f1 100644 --- a/.craft.yml +++ b/.craft.yml @@ -5,7 +5,7 @@ github: changelogPolicy: auto targets: - # For direct binary downloads + shasum + shasum.sig + # For direct binary downloads + cosign bundles - name: github tagPrefix: v checksums: From 8ec6cd81e50cb694c70c4c962bdf806cf2f2ad1c Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:26:20 -0400 Subject: [PATCH 07/15] Try ref name in verify --- .github/workflows/build.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b32a0e1..4346697 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -185,17 +185,15 @@ jobs: cosign sign-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes cosign sign-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes - - run: ls -R - - - name: test verification + - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle 
sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From e7792a73650c8d9566f46af7e1be059f887ad94a Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:27:15 -0400 Subject: [PATCH 08/15] oops --- .github/workflows/build.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4346697..94b994a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
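Review bot: In patch 07 (and again in patch 08, which corrects the context name to `github.ref_name`) the ref name is expanded by `${{ }}` directly into the `run:` script, so the branch name becomes part of the shell source before bash parses it. Branch names may contain shell metacharacters, and this job holds `id-token: write`, so the value should be passed as data instead: add `env:` with `REF_NAME: ${{ github.ref_name }}` to the step and use `"...build.yml@refs/heads/${REF_NAME}"` in the commands. The hard-coded `refs/heads/` prefix would also not match a run triggered by a tag; the workflow's triggers are outside the hunk, so that may not apply here.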
@@ -187,13 +187,13 @@ jobs: - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob 
sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From d9eaef3ceba7e512b9bd86750f261d1a934e4824 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:30:38 -0400 Subject: [PATCH 09/15] Remove extra verify --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 94b994a..e99e291 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -187,7 +187,6 @@ jobs: - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com From a14dfa29579503e662d8f5c465177d8ba66bd55a Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:43:45 -0400 Subject: [PATCH 10/15] Use regex for cert identity --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e99e291..cc3ffbb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -187,12 +187,12 @@ jobs: - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From faf4b5d232cf6eb43dd3e9398fa617160c352bd5 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 17:16:02 -0400 Subject: [PATCH 11/15] Rewrite installation section of README --- README.md | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3cec659..cf1a2c3 100644 --- a/README.md +++ b/README.md 
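Review bot: The `--certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/` introduced in patch 10 accepts a certificate issued to any workflow file at any ref in the repository, so a bundle produced by a feature-branch run or by a different workflow verifies the same as a release build. If releases are always built from `release/*` branches, as the identity used in patch 02 suggests, pin the workflow path and ref prefix: `--certificate-identity-regexp='^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/'`. The README commands added in patches 11 and 12 use the same pattern without the trailing slash, which also matches any repository under the organisation whose name merely starts with `prevent-cli`. The README's statement that the identity is tied to the specific signing workflow run is not something this pattern enforces.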
@@ -14,9 +14,32 @@ The Sentry Prevent CLI is responsible for uploading code coverage and test resul # Installing -As of today, you are not able to install the Sentry Prevent CLI. We are planning to release it on the PyPI and for direct download in the near future. - -If you're determined, you can build the CLI yourself from source by running `uv build` in the `prevent-cli` directory. +### PyPI + +``` +pip install sentry-prevent-cli +``` + +### Binary + +We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combos we build for. We'll use our macos binary for demonstration purposes here: +``` +curl -o sentry-prevent-cli -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos" +chmod +x sentry-prevent-cli +``` + +#### Verifying the binary +If you'd like, you may use Sigstore's Cosign to verify the integrity of your download against our provided Cosign bundles and identity details. For more information on Cosign along with installation instructions, see their [documentation](https://docs.sigstore.dev/cosign/system_config/installation). + +First get the appropriate Cosign bundle from our GitHub Release assets. Appending `.bundle` to the binary URL will get you the right file. +``` +curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos.bundle" +``` +Then, use `cosign` to verify the binary: +``` +cosign verify-blob sentry-prevent-cli --bundle sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli --certificate-oidc-issuer=https://token.actions.githubusercontent.com +``` +The OIDC identity here is associated with the specific workflow run that signs the binary. If this command says the binary is verified, you can trust you've recieved the same binary we built in our GitHub Actions workflow. # Usage From 70193b47ed499307dac0dba96c24dcc3e1b8ad86 Mon Sep 17 00:00:00 2001 
From: Spencer Murray Date: Thu, 31 Jul 2025 17:22:34 -0400 Subject: [PATCH 12/15] Tweaks to readme --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cf1a2c3..f8c30a8 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ pip install sentry-prevent-cli ### Binary -We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combos we build for. We'll use our macos binary for demonstration purposes here: +We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combinations we build for. We'll use our macos binary for demonstration purposes here: ``` curl -o sentry-prevent-cli -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos" chmod +x sentry-prevent-cli @@ -37,9 +37,12 @@ curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/se ``` Then, use `cosign` to verify the binary: ``` -cosign verify-blob sentry-prevent-cli --bundle sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli --certificate-oidc-issuer=https://token.actions.githubusercontent.com +cosign verify-blob sentry-prevent-cli \ + --bundle sentry-prevent-cli_macos.bundle \ + --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` -The OIDC identity here is associated with the specific workflow run that signs the binary. If this command says the binary is verified, you can trust you've recieved the same binary we built in our GitHub Actions workflow. +The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow. # Usage 
From 5884039e3fa76ef2dd3fb5d6995a41b674b37b60 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 17:24:45 -0400 Subject: [PATCH 13/15] Oops --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f8c30a8..4304df9 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,9 @@ curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/se ``` Then, use `cosign` to verify the binary: ``` -cosign verify-blob sentry-prevent-cli \ +cosign verify-blob sentry-prevent-cli \ --bundle sentry-prevent-cli_macos.bundle \ - --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \ + --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow. From b547ba4ad445dae6efdee0805e78981dd4f6c229 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 17:54:29 -0400 Subject: [PATCH 14/15] Simplify signing with for loop --- .github/workflows/build.yml | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cc3ffbb..d4977d4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -178,21 +178,12 @@ jobs: - name: Sign sentry-prevent-cli binaries run: | - cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes - cosign sign-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes - cosign sign-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes - cosign sign-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes - cosign sign-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes - cosign sign-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes - - - name: Test verification - run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign 
verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + # Glob matches all prevent-cli binaries, not python wheel nor anything else. + for file in sentry-prevent-cli_*/sentry-prevent-cli_*; do + cosign sign-blob $file --bundle "$file.bundle" --yes; + # Test verification because why not + cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + done - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From cbf5bcdc9c7d80ec728732102af183e57de5cd3b Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Tue, 26 Aug 2025 14:23:01 -0400 Subject: [PATCH 15/15] Address mdtro feedback --- .github/workflows/build.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d4977d4..de9ba8e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
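Review bot: The new loop signs whatever `sentry-prevent-cli_*/sentry-prevent-cli_*` expands to, so the set of signed files is now decided by the contents of the downloaded artifact directories rather than by the six explicit paths in the removed lines. A missing platform artifact would be skipped silently instead of failing the step, and any additional file matching the pattern would presumably receive a release signature too. A check before the loop that the glob yields exactly the expected platform binaries would keep the earlier guarantee. `$file` is also unquoted in both commands while `"$file.bundle"` is quoted; `cosign sign-blob "$file" --bundle "$file.bundle" --yes` (and the same for `verify-blob`) avoids word splitting. The job this step belongs to starts outside the hunk.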
@@ -182,7 +182,7 @@ jobs: for file in sentry-prevent-cli_*/sentry-prevent-cli_*; do cosign sign-blob $file --bundle "$file.bundle" --yes; # Test verification because why not - cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp="^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+" --certificate-oidc-issuer=https://token.actions.githubusercontent.com done - name: Upload release artifact diff --git a/README.md b/README.md index 4304df9..0d785c6 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Then, use `cosign` to verify the binary: ``` cosign verify-blob sentry-prevent-cli \ --bundle sentry-prevent-cli_macos.bundle \ - --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \ + --certificate-identity-regexp="^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+" \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow.
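Review bot: The tightened `--certificate-identity-regexp` on the `cosign verify-blob` line has no end anchor, so it still accepts any identity that merely begins with a release ref, for example a branch named `release/1.2.3-test` (constructed example). Cosign documents the flag as Go regular-expression syntax and, as far as I know, applies it as a search rather than a full match, so the pattern should end in `$`: `--certificate-identity-regexp='^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+$'`. The README hunk in the same commit publishes the same pattern and needs the same anchor, since that is the check downstream users actually run. `$file` remains unquoted on this line, and the loop and step continue outside the hunk.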