Merge pull request #690 from smallstep/max/cosign

[action] use cosign to sign over goreleaser artifacts
2021-08-30 20:48:06 -07:00 · 2021-08-30 20:48:06 -07:00 · 72e365a7ac
commit 72e365a7ac
parent bcc6ed9a8c d6203eb251
3 changed files with 20 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -100,14 +100,24 @@ jobs:
        uses: actions/setup-go@v2
        with:
          go-version: 1.16
      -
        name: Install cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.1.0'
      -
        name: Write cosign key to disk
        id: write_key
        run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
      -
        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1
+        uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
        with:
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
  release_deb:
    name: Build & Upload Debian Package To Github
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -111,6 +111,11 @@ source:
  name_template: '{{ .ProjectName }}_{{ .Version }}'
 checksum:
  name_template: 'checksums.txt'
 signs:
 - cmd: cosign
  stdin: '{{ .Env.COSIGN_PWD }}'
  args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"]
  artifacts: all
 snapshot:
  name_template: "{{ .Tag }}-next"
 release:
--- a/cosign.pub
+++ b/cosign.pub
@ -0,0 +1,4 @@
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs+6THbAiXx4bja5ARQFNZmPwZjlD
 GRvt5H+9ZFDhrcFPR1E7eB2rt1B/DhobANdHGKjvEBZEf0v4X/7S+SHrIw==
 -----END PUBLIC KEY-----