From 6e893693d9784bf03a99f54dfe4fb01b582ad0ed Mon Sep 17 00:00:00 2001
From: Kazuma Watanabe
Date: Tue, 15 Nov 2022 01:25:57 +0900
Subject: [PATCH] Add signatures for keyless signing (#217)
---
 .github/workflows/goreleaser.yml | 2 +-
 .github/workflows/release.yml | 8 +++++++-
 .goreleaser.yml | 13 +++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 7e2fe01f..cba447bc 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -23,5 +23,5 @@ jobs:
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v3
 with:
- version: v0.178.0
+ version: v1.12.3
 args: check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f885308..06b60653 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,10 @@ on:
 tags:
 - v*.*.*
 
+permissions:
+ contents: write
+ id-token: write
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
@@ -19,10 +23,12 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version-file: 'go.mod'
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v2
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v3
 with:
- version: v0.178.0
+ version: v1.12.3
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index b52b4fc1..8c04dbbe 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -22,6 +22,19 @@ changelog:
 skip: true
 checksum:
 name_template: 'checksums.txt'
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature: '${artifact}.keyless.sig'
+ certificate: '${artifact}.pem'
+ output: true
+ artifacts: checksum
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
 release:
 github:
 owner: terraform-linters
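Review bot: The new top-level `permissions:` block in .github/workflows/release.yml grants `contents: write` and `id-token: write` to every job in the workflow, not only to the one that signs. Only the `goreleaser` job is visible here and the `jobs:` map continues outside the hunk, so this may be equivalent today, but moving the two lines under `jobs.goreleaser.permissions` keeps any job added later from inheriting an OIDC token and write access by default. A short comment such as `# id-token: write is required for cosign keyless signing (OIDC)` would also tell the next maintainer why the scope exists.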
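Review bot: The `Install Cosign` step in .github/workflows/release.yml references `sigstore/cosign-installer@v2` by a movable tag and sets no `cosign-release`, so both the installer code and the cosign binary that produces the release signature can change without a commit to this repository. This job runs with `contents: write` and `id-token: write` (granted at the top of the same file), which makes it the step where pinning matters most: `uses: sigstore/cosign-installer@<full-commit-sha>  # v2` together with `with: cosign-release: '<cosign-version>'`. Pinning the binary also protects the signing config, since `COSIGN_EXPERIMENTAL=1` in .goreleaser.yml is the cosign 1.x way of enabling keyless mode and cosign 2.x changed the keyless defaults. The steps list starts and ends outside this hunk.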
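Review bot: The `signs:` block in .goreleaser.yml carries no comment saying what the `.keyless.sig` and `.pem` files attest to or what a consumer must check, and a keyless signature only proves something when the verifier pins the certificate identity. Suggest a comment above `signs:` such as `# Keyless cosign signature over checksums.txt; the cert in checksums.txt.pem is issued to the release.yml workflow via GitHub OIDC (needs id-token: write)`, plus README or release-note text stating that verification should compare the certificate subject against this repository's release workflow and the issuer against GitHub Actions' OIDC issuer. Because only `artifacts: checksum` is signed, users also have to check each archive's hash against the verified checksums.txt, which is worth stating in the same place.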