Merge pull request #690 from smallstep/max/cosign
[action] use cosign to sign over goreleaser artifacts
commit
72e365a7ac
3 changed files with 20 additions and 1 deletions
12
.github/workflows/release.yml
vendored
12
.github/workflows/release.yml
vendored
|
@ -100,14 +100,24 @@ jobs:
|
||||||
uses: actions/setup-go@v2
|
uses: actions/setup-go@v2
|
||||||
with:
|
with:
|
||||||
go-version: 1.16
|
go-version: 1.16
|
||||||
|
-
|
||||||
|
name: Install cosign
|
||||||
|
uses: sigstore/cosign-installer@main
|
||||||
|
with:
|
||||||
|
cosign-release: 'v1.1.0'
|
||||||
|
-
|
||||||
|
name: Write cosign key to disk
|
||||||
|
id: write_key
|
||||||
|
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
||||||
-
|
-
|
||||||
name: Run GoReleaser
|
name: Run GoReleaser
|
||||||
uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1
|
uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
|
||||||
with:
|
with:
|
||||||
version: latest
|
version: latest
|
||||||
args: release --rm-dist
|
args: release --rm-dist
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.PAT }}
|
GITHUB_TOKEN: ${{ secrets.PAT }}
|
||||||
|
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
||||||
|
|
||||||
release_deb:
|
release_deb:
|
||||||
name: Build & Upload Debian Package To Github
|
name: Build & Upload Debian Package To Github
|
||||||
|
|
|
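Review bot: The `Write cosign key to disk` step expands `${{ secrets.COSIGN_KEY }}` straight into the script text and writes it to `/tmp/cosign.key` under the default umask, and nothing in the hunk removes the file afterwards. Passing the secret through `env:` and setting `umask 077` before the write keeps the key out of the rendered script and readable only by the runner user. A cleanup step with `if: always()` after GoReleaser would bound the key's lifetime, which matters most on self-hosted runners. Separately, `sigstore/cosign-installer@main` is a mutable ref in the job that holds the signing key, while `goreleaser-action` in the same hunk is pinned to a commit; pin it the same way, `uses: sigstore/cosign-installer@<full-commit-sha> # <tag>`. The job definition starts outside the hunk.

```yaml
      # … unchanged: setup-go and Install cosign steps …
      -
        name: Write cosign key to disk
        id: write_key
        env:
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_KEY" > /tmp/cosign.key
      # … unchanged: Run GoReleaser step …
```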
@ -111,6 +111,11 @@ source:
|
||||||
name_template: '{{ .ProjectName }}_{{ .Version }}'
|
name_template: '{{ .ProjectName }}_{{ .Version }}'
|
||||||
checksum:
|
checksum:
|
||||||
name_template: 'checksums.txt'
|
name_template: 'checksums.txt'
|
||||||
|
signs:
|
||||||
|
- cmd: cosign
|
||||||
|
stdin: '{{ .Env.COSIGN_PWD }}'
|
||||||
|
args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"]
|
||||||
|
artifacts: all
|
||||||
snapshot:
|
snapshot:
|
||||||
name_template: "{{ .Tag }}-next"
|
name_template: "{{ .Tag }}-next"
|
||||||
release:
|
release:
|
||||||
|
|
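Review bot: The `signs:` entry hard-codes `-key=/tmp/cosign.key`, a path that exists only because a step in `.github/workflows/release.yml` writes it, and nothing in this file says so. A comment above the entry would keep the two files in step, for example `# key file is written by the "Write cosign key to disk" step in release.yml; its password is read from COSIGN_PWD`. Because `stdin` is templated from `.Env.COSIGN_PWD`, a release run outside CI without that variable will presumably fail at template time, which the same comment could mention. The file header for this hunk is not shown on the page, and no user-facing instructions for verifying signatures against the committed `cosign.pub` are visible in this commit.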
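--- a/cosign.pub
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs+6THbAiXx4bja5ARQFNZmPwZjlD
+GRvt5H+9ZFDhrcFPR1E7eB2rt1B/DhobANdHGKjvEBZEf0v4X/7S+SHrIw==
+-----END PUBLIC KEY-----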