ci: sign OpenUPM package via Unity UPM CLI on release#776
Merged
Adds a `sign-and-publish-upm` job to .github/workflows/release.yml that runs Unity's `upm pack` with service-account credentials on every successful version-bump release. The signed .tgz (containing the required `package/.attestation.p7m` attestation) is attached to the GitHub Release alongside the existing Unity package and server zip assets so OpenUPM can serve a signed tarball once its listing is flipped to `trackingMode: githubRelease`. The job is `continue-on-error: true` and short-circuits with a warning when the three required repo secrets (`UPM_SERVICE_ACCOUNT_KEY_ID`, `UPM_SERVICE_ACCOUNT_KEY_SECRET`, `UPM_ORG_ID`) are absent, so the existing release pipeline keeps shipping unchanged until the maintainer configures a Unity-organization service account. docs/openupm-signing.md captures the one-time setup (Unity org + service account, GitHub secrets, and the cross-repo PR against openupm/openupm to flip `trackingMode`), the verification procedure, and troubleshooting notes. Linked from docs/_sidebar.md under "Development". Closes #414
Test Results: 12 files, 564 suites, 45m 41s ⏱️. Results for commit c0fc102.
…m job; recommend OpenUPM asset prefix unconditionally

Apply 03a review-pass findings against the new sign-and-publish-upm job and the OpenUPM signing docs.

release.yml:
- Drop dead PACKAGE_NAME / PACKAGE_VERSION exports in the metadata step; keep printf as log-only.
- Wire the existing PACKAGE_ARCHIVE env export through to the attach step so the exact verified archive is uploaded (was globbing /tmp/signed-upm-dist/*.tgz).
- Include archive paths in the 'wrong count' error so a future failure is debuggable from the log alone.

docs/openupm-signing.md:
- Recommend githubReleaseAssetName unconditionally for the openupm/openupm listing PR; the release already ships multiple asset types and adding a prefix guard is a one-line future-proof.

simplify-pass: 1
Address pass-2 review findings on the sign-and-publish-upm job's verify step:
- Assert the signed archive basename begins with the documented `com.ivanmurzak.unity.mcp-` prefix that docs/openupm-signing.md tells OpenUPM to consume via `githubReleaseAssetName`. Without this guard, a future `upm pack` naming change would let CI pass while OpenUPM silently failed to pick up the signed tarball.
- Capture `tar -tzf` output into a single variable, then grep it twice locally. Saves one tarball walk per release; cosmetic but removes a duplicated traversal.

simplify-pass: 2
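As an added example (not code from this PR or the project's release.yml), a stand-alone POSIX shell version of the two checks the commits above describe: the secrets short-circuit, and the verify step's single-archive, name-prefix and attestation checks, returning the verified path so an attach step can upload exactly that file. The dist directory, the sample tarballs and the placeholder `.p7m` content are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's release.yml: stand-alone version of the secrets
# short-circuit and the verify-step checks. Sample dist dir and tarballs are constructed.
set -eu

PKG_PREFIX="com.ivanmurzak.unity.mcp-"

# Returns 1 with a ::warning:: line if any of the three secrets is unset, so a
# caller can skip signing while the rest of the release keeps shipping.
check_signing_secrets() {
  missing=""
  for v in UPM_SERVICE_ACCOUNT_KEY_ID UPM_SERVICE_ACCOUNT_KEY_SECRET UPM_ORG_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "::warning::signing skipped; missing secrets:$missing"
    return 1
  fi
}

# Checks DIST holds exactly one .tgz whose basename carries the documented prefix
# and which contains package/package.json and package/.attestation.p7m. Prints the
# verified path on success (for the attach step); returns 1 on any failure.
verify_signed_archive() {
  dist="$1"
  archives=$(find "$dist" -maxdepth 1 -name '*.tgz' | sort)
  if [ "$(printf '%s\n' "$archives" | grep -c .)" -ne 1 ]; then
    echo "expected exactly one .tgz in $dist, got: $archives" >&2; return 1
  fi
  case "$(basename "$archives")" in
    "$PKG_PREFIX"*) ;;
    *) echo "archive name lacks prefix $PKG_PREFIX: $archives" >&2; return 1 ;;
  esac
  listing=$(tar -tzf "$archives")   # one tarball walk, grepped twice below
  printf '%s\n' "$listing" | grep -qx 'package/package.json' \
    || { echo "package.json missing in $archives" >&2; return 1; }
  printf '%s\n' "$listing" | grep -qx 'package/.attestation.p7m' \
    || { echo "attestation missing in $archives" >&2; return 1; }
  echo "$archives"
}

# Constructed sample: $1 = dist dir, $2 = archive basename, $3 = signed|unsigned.
# The .p7m content is a placeholder, not a real PKCS#7 attestation.
make_sample() {
  src=$(mktemp -d); mkdir -p "$1" "$src/package"
  echo '{"name":"com.ivanmurzak.unity.mcp","version":"0.0.0"}' > "$src/package/package.json"
  [ "$3" = unsigned ] || echo "constructed-placeholder" > "$src/package/.attestation.p7m"
  tar -czf "$1/$2" -C "$src" package
}
```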
This was referenced May 23, 2026

IvanMurzak added a commit that referenced this pull request on May 23, 2026:
…ing success (#778)

Restructured Unity-MCP's release.yml so the GitHub Release is the atomic publish point gated on every prerequisite (tests, builds, signed UPM tarball, release notes); reverted #776's soft-fail signing to a hard gate; removed three post-release publish jobs; rewrote docs/openupm-signing.md to reflect blocking semantics. Pass-1 simplify hardened the atomic publish.

Closes #777
Summary

- Adds a `sign-and-publish-upm` job to `.github/workflows/release.yml` that signs `com.ivanmurzak.unity.mcp` with Unity's UPM CLI on every release and attaches the signed `.tgz` (containing `package/.attestation.p7m`) to the GitHub Release.
- The job is `continue-on-error: true` and exits early with a `::warning::` when the three required repo secrets (`UPM_SERVICE_ACCOUNT_KEY_ID`, `UPM_SERVICE_ACCOUNT_KEY_SECRET`, `UPM_ORG_ID`) are missing, so the existing release pipeline keeps shipping unchanged until they are configured.
- `docs/openupm-signing.md` documents the one-time setup (Unity org + service account + GitHub secrets), the cross-repo PR needed on `openupm/openupm` to flip the listing's `trackingMode: git` → `trackingMode: githubRelease`, the verification procedure, and troubleshooting. Linked from `docs/_sidebar.md` under "Development".

Implements the procedure documented at https://openupm.com/docs/signing-upm-packages.html and https://openupm.com/blog/signing-upm-packages-with-openupm/, modeled on the OpenUPM example repo https://github.com/openupm/com.example.signed-upm.
Operational follow-up (out of scope for this PR — see docs/openupm-signing.md)
- `UPM_*` repo secrets.
- Cross-repo PR against `openupm/openupm` (`data/packages/com.ivanmurzak.unity.mcp.yml`) changing `trackingMode: git` → `trackingMode: githubRelease`. Per the OpenUPM blog this should land before the first signed release ships so OpenUPM does not race-publish the unsigned git tag.

Test plan

- `release.yml` is parseable YAML (validated with PyYAML).
- `needs:`, `if:`, `continue-on-error:`, `env:` structure follows the same shape as the existing `publish-unity-installer` / `publish-mcp-server` jobs.
- `Verify signing secrets` step short-circuits the job (exit non-zero → continue-on-error keeps workflow green) when secrets are absent, so the PR is safe to merge even before the Unity-org credentials are provisioned.
- `.github/workflows/` YAML + docs (zero `.cs` / Unity asset changes). The worktree's first-time `unity-mcp-server.exe` binary download failed during setup, leaving the local MCP gate at `localhost:5940` unreachable; the profile does not document a recovery path for this case. CI's full matrix is the authoritative gate for these files. See the iteration report's pipeline-improvement brief.

Closes #414