From d6203eb2512de64f9394e08b9b65797c0249a069 Mon Sep 17 00:00:00 2001 From: max furman Date: Mon, 30 Aug 2021 16:52:40 -0700 Subject: [PATCH] [action] use cosign to sign over goreleaser artifacts --- .github/workflows/release.yml | 12 +++++++++++- .goreleaser.yml | 5 +++++ cosign.pub | 4 ++++ 3 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 cosign.pub diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 819a470e..a15f893d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -100,14 +100,24 @@ jobs: uses: actions/setup-go@v2 with: go-version: 1.16 + - + name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.1.0' + - + name: Write cosign key to disk + id: write_key + run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" - name: Run GoReleaser - uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1 + uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0 with: version: latest args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.PAT }} + COSIGN_PWD: ${{ secrets.COSIGN_PWD }} release_deb: name: Build & Upload Debian Package To Github diff --git a/.goreleaser.yml b/.goreleaser.yml index 7a7e20d3..1acf405a 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -111,6 +111,11 @@ source: name_template: '{{ .ProjectName }}_{{ .Version }}' checksum: name_template: 'checksums.txt' +signs: +- cmd: cosign + stdin: '{{ .Env.COSIGN_PWD }}' + args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"] + artifacts: all snapshot: name_template: "{{ .Tag }}-next" release: diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 00000000..9a0b42be --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs+6THbAiXx4bja5ARQFNZmPwZjlD +GRvt5H+9ZFDhrcFPR1E7eB2rt1B/DhobANdHGKjvEBZEf0v4X/7S+SHrIw== +-----END PUBLIC KEY-----