From 6ae5b2904d9f4e040b6e812146b4a4cfe7d36f24 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Wed, 31 Jan 2024 13:19:41 -0500
Subject: [PATCH] re-add cosign signing checksums file (#2572)

Signed-off-by: Alex Goodman
---
 .github/workflows/release.yaml | 2 ++
 .goreleaser.yaml | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2332d9039..65e5f94d3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -94,6 +94,8 @@ jobs:
 permissions:
 contents: write
 packages: write
+ # required for goreleaser signs section with cosign
+ id-token: write
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 9f138f3d3..762d87d3e 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -259,3 +259,16 @@ sboms:
 - "$artifact"
 - "--output"
 - "json=$document"
+
+signs:
+ - cmd: .tool/cosign
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ args:
+ - "sign-blob"
+ - "--oidc-issuer=https://token.actions.githubusercontent.com"
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "${artifact}"
+ - "--yes"
+ artifacts: checksum
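Review bot: The `id-token: write` grant added under the release job's `permissions:` in .github/workflows/release.yaml is available to every step of that job, not only the goreleaser step that invokes cosign, so any step could request an OIDC token for this workflow's identity and use it to obtain a signing certificate. The checkout step visible in the hunk is pinned to a commit SHA; the remaining steps lie outside the hunk, so it is worth confirming they are pinned the same way. I would also make the comment say what the grant allows, e.g. `# lets this job request a GitHub OIDC token, used for keyless cosign signing in the goreleaser signs section`.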
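Review bot: The new `signs:` entry in .goreleaser.yaml has no comment saying what is covered or how a consumer should check it: only the checksums file is signed (`artifacts: checksum`), so the archives are protected only if the verifier also compares their digests against that file. Because the signature is keyless, verification has to pin both the issuer and the workflow identity recorded in the certificate; checking the `.sig` against the shipped `.pem` alone says nothing about who signed. I would add above `signs:` something like `# keyless-signs the checksums file only; verify with cosign verify-blob, pinning --certificate-oidc-issuer and --certificate-identity to this release workflow`. As a style point, `"--yes"` reads better placed before the positional `"${artifact}"`.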