Publish cosign binaries to Sonatype OSSRH #74
Comments
I think this makes the most sense. I wonder if we can write the action here and execute on cosign releases?
I have not explored how cosign is released; however, I just assumed that publishing cosign-as-jar would be easier from a Gradle-based project (it could include Gradle Metadata for easier usage by consumers), and adding a Gradle build to cosign might sound strange.
Yeah, I don't mind doing it here if we can trigger by watching for new "releases" from cosign.
I guess it implies the current project should become a multi-module one.
It could also just be multiple projects (or a new repo).
I'm inclined to think that co-locating into a single repo might be easier to manage. For instance, what if people want to have rekor-api and fulcio-api as separate dependencies? Frankly speaking, I think it might be fine to have both low-level Java libraries, Gradle, and maybe even Maven plugins within a single repository.
It turns out https://github.com/sigstore/cosign/releases/tag/v1.12.0
Probably not doing this in the near future.
Description
I suggest adding a module to publish cosign binaries to Central.
That would enable consumers to download the needed binaries and execute cosign CLI.
See how protobuf plugin locates protoc binary: https://github.com/google/protobuf-gradle-plugin#locate-external-executables
An alternative option is to add publishing to cosign project itself.