[action] use cosign to sign over goreleaser artifacts

This commit is contained in:
max furman 2021-08-30 16:52:40 -07:00
parent 08115f584c
commit d6203eb251
3 changed files with 20 additions and 1 deletions

View file

@ -100,14 +100,24 @@ jobs:
uses: actions/setup-go@v2
with:
go-version: 1.16
-
name: Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.1.0'
-
name: Write cosign key to disk
id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1
uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
with:
version: latest
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.PAT }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
release_deb:
name: Build & Upload Debian Package To Github

View file

@ -111,6 +111,11 @@ source:
name_template: '{{ .ProjectName }}_{{ .Version }}'
checksum:
name_template: 'checksums.txt'
signs:
- cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}'
args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"]
artifacts: all
snapshot:
name_template: "{{ .Tag }}-next"
release:

4
cosign.pub Normal file
View file

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs+6THbAiXx4bja5ARQFNZmPwZjlD
GRvt5H+9ZFDhrcFPR1E7eB2rt1B/DhobANdHGKjvEBZEf0v4X/7S+SHrIw==
-----END PUBLIC KEY-----