Harden CI artifact verification with checksums and optional Windows signature reports by dill-lk · Pull Request #21 · at-las-research/Gravity-Lang

dill-lk · 2026-02-28T11:14:58Z

Provide reproducible verification metadata for CI-produced executables so consumers can validate artifacts even when code-signing is not available.
Avoid failing or blocking releases when Windows Authenticode signatures are missing or signature tooling is not present on the runner.
Make verification outputs discoverable by uploading checksums and signature status files as CI artifacts.

Added a POSIX step to generate a SHA-256 manifest dist/SHA256SUMS.txt using shasum -a 256 for packaged binaries.
Added a Windows PowerShell step that computes Get-FileHash -Algorithm SHA256 for each *.exe, appends entries to SHA256SUMS.txt, and writes a per-exe *.signature.txt report using Get-AuthenticodeSignature when available while gracefully handling missing signer data.
Added an artifact upload step to publish dist/SHA256SUMS.txt and dist/*.signature.txt under verification-${{ matrix.os }} so checksum and signature metadata are available alongside binary artifacts.

Parsed the updated workflow YAML with Ruby using YAML.load_file('.github/workflows/build.yml'), which succeeded.
Attempted to parse with Python via yaml.safe_load() but the environment lacked PyYAML, so that check was skipped.
No full CI matrix run was executed in this change; behavior will be validated in CI when the workflow runs and publishes dist/* artifacts.

Harden build workflow with checksum and optional signature metadata

62bd35e

dill-lk added the codex label Feb 28, 2026 — with ChatGPT Codex Connector

Fix cross-platform build breaks in CI verification and interpreter

02c356e

dill-lk closed this Feb 28, 2026

dill-lk deleted the codex/fix-build-yaml-verifications branch March 11, 2026 07:23

Provide feedback