ci(release): keyless sign of release artifacts with Cosign #4513

erikgb · 2025-01-13T23:00:29Z

Closes

What changed?

Configure Cosign keyless signing of all release artifacts to the (Goreleaser) release workflow. I am not sure this will work, but there is a fair chance it will. Goreleaser docs: https://goreleaser.com/customization/sign/. I searched the Internet for references, and it seems like Chainguard has done something around this. I just copied https://github.com/chainguard-dev/apko/blob/64e3ae0d1cf09e2e83dd384cd5a4f9c06d48e0a4/.goreleaser.yaml#L34-L39, which should end up like this (Assets; example): https://github.com/chainguard-dev/apko/releases/tag/v0.22.6.

Why was this change made?

Allow our users to verify release artifacts before actually using/installing them.

How was this change implemented?

How did you validate the change?

Release notes

Documentation Changes

erikgb requested review from casibbald and tenstad January 13, 2025 23:00

erikgb force-pushed the release-sign branch from e408724 to dabb296 Compare January 13, 2025 23:07

casibbald approved these changes Jan 14, 2025

View reviewed changes

ci(release): keyless sign of release artifacts with Cosign

c005897

erikgb force-pushed the release-sign branch from dabb296 to c005897 Compare January 14, 2025 10:20

casibbald merged commit 8617ca2 into weaveworks:main Jan 14, 2025
13 checks passed

This was referenced Jan 15, 2025

Updates for 0.39.0-rc.2 #4524

Closed

Updates for 0.39.0-rc.1 #4554

Closed

This was referenced Jan 26, 2025

Updates for 0.39.0-rc.1 #4638

Closed

Updates for 0.39.0-rc.1 #4639

Closed

Updates for 0.39.0-rc.1 #4642

Closed

This was referenced Feb 4, 2025

Updates for 0.39.0-rc.1 #4674

Merged

Updates for 0.39.0-rc.1 #4685

Closed

Provide feedback