[Infra] Add release workflow and cosign public key

Add create-release.yml workflow triggered via workflow_dispatch to create GitHub releases with auto-generated notes. Add cosign public key for container image signature verification. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 14:30:27 -07:00 · 2026-03-31 14:30:27 -07:00 · 0112e53046
commit 0112e53046
parent 7066c895f6
2 changed files with 64 additions and 0 deletions
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@ -0,0 +1,60 @@
 name: Create Release
 on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag (e.g. v1.83.0-stable)"
        required: true
        type: string
      commit_hash:
        description: "Full 40-char commit SHA to target"
        required: true
        type: string
 permissions: {}
 jobs:
  release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Validate inputs
        env:
          TAG: ${{ inputs.tag }}
          COMMIT_HASH: ${{ inputs.commit_hash }}
        run: |
          if ! echo "${COMMIT_HASH}" | grep -qE '^[0-9a-f]{40}$'; then
            echo "::error::commit_hash must be a full 40-character commit SHA"
            exit 1
          fi
          if ! echo "${TAG}" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+'; then
            echo "::error::tag must start with vX.Y.Z"
            exit 1
          fi
      - name: Create release
        env:
          TAG: ${{ inputs.tag }}
          COMMIT_HASH: ${{ inputs.commit_hash }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const tag = process.env.TAG;
            const commitHash = process.env.COMMIT_HASH;
            try {
              await github.rest.repos.createRelease({
                draft: false,
                generate_release_notes: true,
                target_commitish: commitHash,
                name: tag,
                owner: context.repo.owner,
                prerelease: false,
                repo: context.repo.repo,
                tag_name: tag,
              });
            } catch (error) {
              core.setFailed(error.message);
            }
--- a/cosign.pub
+++ b/cosign.pub
@ -0,0 +1,4 @@
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKi4ivqGpE231OGH50PKbqy1Y1Kkb
 POJC8+i2Wko82gBOUCe3M0Vw86H/4rhUhfoYEti4gdJ9wZbYmK0I2EE96g==
 -----END PUBLIC KEY-----