
Please add a source code archive to the github release assets

Open wodev opened this issue 1 year ago • 0 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The GitHub release assets for the step-kms-plugin do not contain a source code archive (step-kms-plugin_<VERSION>.tar.gz) including a Cosign signature like the releases for step-cli and step-certificates (step-ca).

Why is this needed?

The GitHub archives based on the tag do not produce a stable checksum hash, which causes issues from time to time during the rebuild of Alpine packages. Adding the source code archive file to the release artifacts provides a source code archive with a stable checksum which can be used as a source for packaging (for example Alpine Linux packages). Adding it to the checksum.txt and adding a cosign signature improves the validation of the source code archive for the release.

wodev, Nov 30 '24 12:11
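The packaging-side check that a stable release archive plus a checksums entry makes possible, as an added example that is not part of the original issue or of the project's own code. The function name `verify_release_archive`, the file name `checksums.txt` and the version `0.0.0` are assumptions; the checksums file is assumed to be in `sha256sum` format and already authenticated (for instance through its Cosign signature).

```shell
#!/bin/sh
# Added example (not from the issue): check a release source archive against
# a checksums file before packaging it.
#
# Assumptions: the checksums file uses sha256sum format
# ("<hex digest>  <file name>" per line) and its own authenticity has
# already been established, e.g. by verifying its Cosign signature.

# verify_release_archive ARCHIVE CHECKSUMS
# Returns 0 on match, 1 on digest mismatch, 2 when a file is missing or the
# checksums file has no single well-formed entry for the archive.
verify_release_archive() {
    archive=$1
    checksums=$2
    [ -f "$archive" ] && [ -f "$checksums" ] || return 2
    name=$(basename "$archive")

    # Exact match on the file-name field (a leading "*" marks binary mode).
    # Zero or duplicate entries, or a digest that is not 64 hex characters,
    # are rejected rather than guessed at.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { digest = $1; hits++ }
        END {
            if (hits != 1 || length(digest) != 64 ||
                digest !~ /^[0-9a-fA-F]+$/) exit 1
            print tolower(digest)
        }' "$checksums") || return 2

    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in archive and checksums file in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    f=step-kms-plugin_0.0.0.tar.gz          # placeholder version
    printf 'constructed archive bytes\n' > "$d/$f"
    (cd "$d" && sha256sum "$f" > checksums.txt)
    ok=0;  verify_release_archive "$d/$f" "$d/checksums.txt" || ok=$?
    printf 'tampered\n' >> "$d/$f"
    bad=0; verify_release_archive "$d/$f" "$d/checksums.txt" || bad=$?
    rm -rf "$d"
    echo "intact=$ok tampered=$bad"         # intact=0 tampered=1
}
demo
```

The distinct return codes let a build script tell a tampered or regenerated archive (1) apart from a checksums file that simply does not cover it (2).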