ci(release): keyless sign of release artifacts with Cosign

erikgb · erikgb · commit c005897e6829 · 2025-01-14T11:20:49.000+01:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -77,6 +77,9 @@ jobs:
 
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      id-token: write # for Cosign to be able to sign release artifacts with GHA token
     needs:
       - publish_npm_package
       - build-and-push-image
@@ -118,6 +121,8 @@ jobs:
           cat > ${{ runner.temp }}/changelog.md <<'END_OF_CHANGELOG'
           ${{ github.event.pull_request.body }}
           END_OF_CHANGELOG
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -68,3 +68,9 @@ builds:
       - darwin
     goarch:
       - arm64
+signs:
+  - id: cosign-keyless
+    cmd: cosign
+    certificate: "${artifact}.crt"
+    args: ["sign-blob", "--output-signature", "${signature}", "--output-certificate", "${certificate}", "${artifact}", "--yes"]
+    artifacts: all
