[action] use cosign to sign over goreleaser artifacts

smallstep · Aug 30, 2021 · d6203eb · d6203eb
1 parent 08115f5
commit d6203eb
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -100,14 +100,24 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.16
+      -
+        name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.1.0'
+      -
+        name: Write cosign key to disk
+        id: write_key
+        run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1
+        uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
         with:
           version: latest
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.PAT }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
 
   release_deb:
     name: Build & Upload Debian Package To Github

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -111,6 +111,11 @@ source:
   name_template: '{{ .ProjectName }}_{{ .Version }}'
 checksum:
   name_template: 'checksums.txt'
+signs:
+- cmd: cosign
+  stdin: '{{ .Env.COSIGN_PWD }}'
+  args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"]
+  artifacts: all
 snapshot:
   name_template: "{{ .Tag }}-next"
 release:

diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs+6THbAiXx4bja5ARQFNZmPwZjlD
+GRvt5H+9ZFDhrcFPR1E7eB2rt1B/DhobANdHGKjvEBZEf0v4X/7S+SHrIw==
+-----END PUBLIC KEY-----