From d452d41fd750f7bb4c02e9cc88ea0bd20f4992c3 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 19 Feb 2024 14:55:49 -0800 Subject: [PATCH] Switch to GPG keys from GSM (#112) I copied the `release.yml` from `tf-apko` and `s/apko/cosign/g` Signed-off-by: Matt Moore
---
 .github/workflows/release.yml | 39 ++++++++++++++++++++++-------------
 .gitignore | 3 +++
 2 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 992ea412..b0490086 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,37 +1,48 @@ -name: Release - +name: release on: push: tags: - 'v*' - jobs: - release: - runs-on: ubuntu-latest - + goreleaser: permissions: - contents: write + contents: write # To publish the release. + id-token: write # To federate for the GPG key. + runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - run: git fetch --prune --unshallow - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version-file: ./go.mod + go-version-file: 'go.mod' + cache: true + + # This is provisioned here: https://github.com/chainguard-dev/secrets/blob/main/terraform-provider-cosign.tf + - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 + id: auth + with: + workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" + service_account: "terraform-provider-cosign@chainguard-github-secrets.iam.gserviceaccount.com" + - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 + with: + project_id: "chainguard-github-secrets" + - uses: google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc # v2.0.0 + id: secrets + with: + secrets: |- + token:chainguard-github-secrets/terraform-provider-cosign-signing-key - id: import_gpg - uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0 + uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.PASSPHRASE }} + gpg_private_key: ${{ steps.secrets.outputs.token }} - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest - args: release --clean + args: release --rm-dist env: GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
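Review bot: The goreleaser step regresses from `args: release --clean` to `args: release --rm-dist`; `--rm-dist` is the older, deprecated spelling of the same flag, and because the step runs `version: latest`, a GoReleaser release that drops the alias will start failing every tag release, so keep `args: release --clean`. That same `version: latest` line means the signing pipeline runs whatever GoReleaser ships on the day a tag is pushed, which sits oddly next to the SHA-pinned actions in this hunk; pinning it to a version or major constraint would close that gap. Dropping `passphrase:` presumably means the key in Secret Manager is stored unencrypted, which is worth a one-line comment confirming it is intended, and since the `v*` tag push is the only gate on federating for that key, the provider's attribute condition (in the linked terraform, not visible here) must restrict the subject to this repository's tag refs.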
diff --git a/.gitignore b/.gitignore
index e2c3ab4a..849f04c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,9 @@ website/node_modules
 *.test
 *.iml
+# Ignore federated GCP credentials.
+gha-creds-*.json
+
 website/vendor
 # Test exclusions