re-add cosign signing checksums file (#2572)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-11-10 06:14:16 +00:00 · 2024-01-31 13:19:41 -05:00 · 2024-01-31 13:19:41 -05:00 · 6ae5b2904d
commit 6ae5b2904d
parent 377538e4a6
2 changed files with 15 additions and 0 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -94,6 +94,8 @@ jobs:
    permissions:
      contents: write
      packages: write
+      # required for goreleaser signs section with cosign
+      id-token: write
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
        with:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -259,3 +259,16 @@ sboms:
      - "$artifact"
      - "--output"
      - "json=$document"
+
+signs:
+  - cmd: .tool/cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args:
+      - "sign-blob"
+      - "--oidc-issuer=https://token.actions.githubusercontent.com"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum