Update to use the correct path

shijie-oai · shijie-oai · commit 680284240609 · 2025-12-06T13:11:58.000-08:00
diff --git a/.github/actions/linux-code-sign/action.yml b/.github/actions/linux-code-sign/action.yml
@@ -4,6 +4,9 @@ inputs:
   target:
     description: Target triple for the artifacts to sign.
     required: true
+  artifacts-dir:
+    description: Absolute path to the directory containing built binaries to sign.
+    required: true
 
 runs:
   using: composite
@@ -21,19 +24,21 @@ runs:
       run: |
         set -euo pipefail
 
-        dest="dist/${{ inputs.target }}"
+        dest="${{ inputs.artifacts-dir }}"
         if [[ ! -d "$dest" ]]; then
           echo "Destination $dest does not exist"
           exit 1
         fi
 
-        shopt -s nullglob
-        for artifact in "$dest"/*; do
-          if [[ -f "$artifact" ]]; then
-            cosign sign-blob \
-              --yes \
-              --output-signature "${artifact}.sig" \
-              --output-certificate "${artifact}.pem" \
-              "$artifact"
+        for binary in codex codex-responses-api-proxy; do
+          artifact="${dest}/${binary}"
+          if [[ ! -f "$artifact" ]]; then
+            echo "Binary $artifact not found"
+            exit 1
           fi
+
+          cosign sign-blob \
+            --yes \
+            --bundle "${artifact}.sigstore" \
+            "$artifact"
         done
diff --git a/.github/workflows/rust-release.yml b/.github/workflows/rust-release.yml
@@ -107,11 +107,12 @@ jobs:
       - name: Cargo build
         run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
 
-      - if: ${{ contains(matrix.target, 'linux') }}
+      - if: ${{ contains(matrix.target, 'linux') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
         name: Cosign Linux artifacts
         uses: ./.github/actions/linux-code-sign
         with:
           target: ${{ matrix.target }}
+          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
 
       # - if: ${{ contains(matrix.target, 'windows') }}
       #   name: Sign Windows binaries with Azure Trusted Signing
