

sign release artifacts using cosign
Signed-off-by: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
prashantrewar committed Dec 26, 2023
1 parent 0f793e1 commit 369c9cd
Showing 2 changed files with 30 additions and 0 deletions.
17 changes: 17 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -12,6 +12,7 @@ jobs:
# Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
Expand All @@ -22,6 +23,10 @@ jobs:
uses: actions/setup-go@v2
with:
go-version: 1.21.5

- name: Set up Cosign
uses: sigstore/cosign-installer@v3

- name: Retrieve version
run: |
echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
Expand Down Expand Up @@ -86,6 +91,18 @@ jobs:
${checksums['kapp-linux-arm64']} ./kapp-linux-arm64
${checksums['kapp-windows-amd64.exe']} ./kapp-windows-amd64.exe`
- name: Sign checksums.txt
run: |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert release/checksums.txt.pem \
--signature release/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/carvel-dev \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
env:
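Review bot: The `--certificate-identity-regexp=https://github.com/carvel-dev` in the "Verify checksums signature" step is unanchored and leaves the dots unescaped, so the check accepts any certificate whose identity merely contains that substring (for example a path or org name that embeds it), which makes the self-verification weaker than it looks; anchor it and scope it to this workflow file, e.g. `--certificate-identity-regexp='^https://github\.com/carvel-dev/[^/]+/\.github/workflows/release\.yml@refs/tags/' \`. The `id-token: write` permission added in the first hunk is job-wide, so every step in the job, including the third-party actions `actions/checkout@v2`, `actions/setup-go@v2` and the new `sigstore/cosign-installer@v3`, can request the OIDC token that mints the signing identity; pinning those to full commit SHAs instead of floating major tags narrows that exposure for a release-signing job. The enclosing job begins before the first hunk and the `verify uploaded artifacts` step continues past the last one, so it is not visible here whether the job itself is gated to tag refs the way that step is; if it is not, `cosign sign-blob` would presumably also issue signatures on non-tag runs, which is worth confirming.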
13 changes: 13 additions & 0 deletions .goreleaser.yml
Expand Up @@ -35,6 +35,19 @@ checksum:
name_template: 'checksums.txt'
algorithm: sha256
disable: false

signs:
- artifacts: checksum
certificate: '${artifact}.pem'
cmd: cosign
args:
- sign-blob
- "--yes"
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
output: true

snapshot:
name_template: "{{ .Tag }}-next"
release:
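Review bot: The new `signs` entry mixes quoting styles — `- "--yes"` is double-quoted while the neighbouring `'--output-certificate=${certificate}'` and `'${artifact}'` use single quotes — and nothing in the block records that this is keyless Sigstore signing that relies on the ambient OIDC identity of wherever goreleaser runs; writing `- '--yes'` and adding a comment above `signs:` such as `# Keyless (Sigstore) signing of checksums.txt only; binaries are covered transitively through the checksum file. Presumably needs id-token: write in the job that runs goreleaser.` would make the intent reviewable. Because `artifacts: checksum` is the sole target, the signature protects the binaries only insofar as consumers verify `checksums.txt.sig` against `checksums.txt.pem` and then compare the listed sha256 sums, which deserves a line in the release verification docs. The workflow in the other file also signs `checksums.txt` directly with `cosign sign-blob`; whether goreleaser runs inside that workflow is not visible here, so the two may produce overlapping `.sig`/`.pem` pairs and it is worth confirming which one is published.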

