Skip to content

Commit 8697f08

Browse files
authored
Sign release checksums with cosign (#60)
1 parent 9d67341 commit 8697f08

2 files changed

Lines changed: 15 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ on:
77

88
permissions:
99
contents: write
10+
id-token: write
1011

1112
jobs:
1213
release:
@@ -18,6 +19,8 @@ jobs:
1819
fetch-depth: 0
1920
persist-credentials: false
2021

22+
- uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
23+
2124
- name: Set up Go
2225
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
2326
with:

.goreleaser.yml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,18 @@ archives:
3333
checksum:
3434
name_template: "checksums.txt"
3535

36+
signs:
37+
- cmd: cosign
38+
certificate: "${artifact}.pem"
39+
args:
40+
- sign-blob
41+
- "--output-certificate=${certificate}"
42+
- "--output-signature=${signature}"
43+
- "${artifact}"
44+
- "--yes"
45+
artifacts: checksum
46+
output: true
47+
3648
snapshot:
3749
version_template: "{{ incpatch .Version }}-next"
3850

0 commit comments

Comments
 (0)