feat: sign goreleaser release using keyless cosign

.github/workflows/goreleaser-cd.yml

@@ -55,7 +55,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: "~> v1"
+          version: '~> v2'
           args: release --clean --split --timeout 90m
         env:
           CGO_LDFLAGS: "${{ matrix.goos == 'darwin' && '-framework UniformTypeIdentifiers' || '' }}"
@@ -73,6 +73,9 @@ jobs:
     needs: prepare
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -106,12 +109,14 @@ jobs:
         uses: WyriHaximus/github-action-get-previous-tag@v1
         env:
           INPUT_PREFIX: v
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.6.0
       - name: GoReleaser (Release)
         uses: goreleaser/goreleaser-action@v6
         if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit
         with:
           distribution: goreleaser-pro
-          version: "~> v1"
+          version: '~> v2'
           args: continue --merge --timeout 90m
         env:
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

.goreleaser.yaml

@@ -5,6 +5,8 @@
 partial:
   by: goos
 
+version: 2
+
 before:
   hooks:
     - go mod tidy
@@ -35,12 +37,12 @@ builds:
     overrides:
       - goos: linux
         goarch: arm64
-        tags: [ linux ]
+        tags: [linux]
         env:
           - CGO_ENABLED=0
       - goos: windows
         goarch: arm64
-        tags: [ windows ]
+        tags: [windows]
         env:
           - CGO_ENABLED=0
   # Build CLI binary without embedded UI for linux.
@@ -62,7 +64,7 @@ builds:
 
 archives:
   - id: plural-cli
-    builds: [ plural-cli ]
+    builds: [plural-cli]
     name_template: >-
       {{ .ProjectName }}_{{ .Version }}_
       {{- title .Os }}_
@@ -79,7 +81,7 @@ archives:
 checksum:
   name_template: 'checksums.txt'
 snapshot:
-  name_template: "{{ incpatch .Version }}-next"
+  version_template: "{{ incpatch .Version }}-next"
 changelog:
   sort: asc
   use: github-native
@@ -88,6 +90,18 @@ changelog:
       - '^docs:'
       - '^test:'
 
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    artifacts: checksum
+    args:
+      - sign-blob
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+
 release:
   name_template: "{{.ProjectName}}-v{{.Version}}"
   header: |
@@ -106,7 +120,7 @@ git:
 
 brews:
   - name: plural
-    ids: [ plural-cli ]
+    ids: [plural-cli]
     repository:
       owner: pluralsh
       name: homebrew-plural
@@ -140,7 +154,7 @@ brews:
 
     # Folder inside the repository to put the formula.
     # Default is the root folder.
-    folder: Formula
+    directory: Formula
 
     # Your app's homepage.
     # Default is empty.

Makefile

@@ -79,6 +79,10 @@ release:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags='$(LDFLAGS)' -o $(OUTFILE) ./cmd/plural
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags='$(LDFLAGS)' -o $(OUTCTLFILE) ./cmd/pluralctl
 
+.PHONY: goreleaser
+goreleaser:
+	goreleaser release --clean --prepare --single-target --snapshot --verbose
+
 .PHONY: setup
 setup: ## sets up your local env (for mac only)
 	brew install golangci-lint
@@ -140,20 +144,20 @@ bake-ami:
 	@echo "baked ami for all regions"
 
 .PHONY: up
-up: # spin up local server
+up: ## spin up local server
 	docker-compose up
 
 .PHONY: pull
-pull: # pulls new server image
+pull: ## pulls new server image
 	docker-compose pull
 
 .PHONY: serve
-serve: build-cloud # build cloud version of plural-cli and start plural serve in docker
+serve: build-cloud ## build cloud version of plural-cli and start plural serve in docker
 	docker kill plural-cli || true
 	docker run --rm --name plural-cli -p 8080:8080 -d plural-cli:latest-cloud
 
 .PHONY: release-vsn
-release-vsn: # tags and pushes a new release
+release-vsn: ## tags and pushes a new release
 	@read -p "Version: " tag; \
 	git checkout main; \
 	git pull --rebase; \
@@ -169,11 +173,11 @@ test: setup-tests
 	gotestsum --format testname -- -v -race ./pkg/... ./cmd/command/...
 
 .PHONY: format
-format: # formats all go code to prep for linting
+format: ## formats all go code to prep for linting
 	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v1.59.1 golangci-lint run --fix
 
 .PHONY: genmock
-genmock: # generates mocks before running tests
+genmock: ## generates mocks before running tests
 	hack/gen-client-mocks.sh
 
 .PHONY: lint
@@ -185,3 +189,31 @@ delete-tag:
 	@read -p "Version: " tag; \
 	git tag -d $$tag; \
 	git push origin :$$tag
+
+REPO_URL := https://github.com/pluralsh/plural-cli/releases/download
+OIDC_ISSUER_URL := https://token.actions.githubusercontent.com
+VERIFY_FILE_NAME := checksums.txt
+RELEASE_ARCHIVE_NAME := plural-cli
+VERIFY_TMP_DIR := dist
+
+.PHONY: verify
+verify: ## verifies provided tagged release with cosign
+	@read -p "Enter version to verify: " tag ;\
+	echo "Downloading ${VERIFY_FILE_NAME} for tag v$${tag}..." ;\
+	wget -P ${VERIFY_TMP_DIR} "${REPO_URL}/v$${tag}/checksums.txt" >/dev/null 2>&1 ;\
+	echo "Verifying signature..." ;\
+	COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+      --certificate-oidc-issuer "${OIDC_ISSUER_URL}" \
+      --certificate-github-workflow-name "CD / CLI" \
+      --certificate-github-workflow-ref "refs/tags/v$${tag}" \
+      --certificate "${REPO_URL}/v$${tag}/${VERIFY_FILE_NAME}.pem" \
+      --signature "${REPO_URL}/v$${tag}/${VERIFY_FILE_NAME}.sig" \
+      "./${VERIFY_TMP_DIR}/${VERIFY_FILE_NAME}" ;\
+    echo "Verifying archives..." ;\
+    wget -P ${VERIFY_TMP_DIR} "${REPO_URL}/v$${tag}/${RELEASE_ARCHIVE_NAME}_$${tag}_Darwin_amd64.tar.gz" >/dev/null 2>&1 ;\
+    wget -P ${VERIFY_TMP_DIR} "${REPO_URL}/v$${tag}/${RELEASE_ARCHIVE_NAME}_$${tag}_Darwin_arm64.tar.gz" >/dev/null 2>&1 ;\
+    wget -P ${VERIFY_TMP_DIR} "${REPO_URL}/v$${tag}/${RELEASE_ARCHIVE_NAME}_$${tag}_Linux_amd64.tar.gz" >/dev/null 2>&1 ;\
+    wget -P ${VERIFY_TMP_DIR} "${REPO_URL}/v$${tag}/${RELEASE_ARCHIVE_NAME}_$${tag}_Linux_arm64.tar.gz" >/dev/null 2>&1 ;\
+    wget -P ${VERIFY_TMP_DIR} "${REPO_URL}/v$${tag}/${RELEASE_ARCHIVE_NAME}_$${tag}_Windows_amd64.tar.gz" >/dev/null 2>&1 ;\
+    (cd ${VERIFY_TMP_DIR} && exec sha256sum --ignore-missing -c checksums.txt) ;\
+    rm -r "${VERIFY_TMP_DIR}"

go.mod

@@ -73,6 +73,7 @@ require (
 	k8s.io/client-go v0.30.1
 	layeh.com/gopher-luar v1.0.10
 	sigs.k8s.io/application v0.8.3
+	sigs.k8s.io/controller-runtime v0.18.2
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -188,7 +189,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
-	sigs.k8s.io/controller-runtime v0.18.2 // indirect
 )
 
 require (

go.sum

@@ -1699,8 +1699,6 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/pluralsh/console/go/client v1.17.0 h1:ExP+HUWa94e8cIbFY+6ARBq33oC87xpxTVw3+eZS7+I=
-github.com/pluralsh/console/go/client v1.17.0/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
 github.com/pluralsh/console/go/client v1.17.1-0.20240918005717-8285a4b181b1 h1:aTQquJlO/yMJNy+D4q/9OYDWrTabWgIzTG+prOPuBmY=
 github.com/pluralsh/console/go/client v1.17.1-0.20240918005717-8285a4b181b1/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
 github.com/pluralsh/console/go/controller v0.0.0-20240918005717-8285a4b181b1 h1:AXudlzS4Q8Y8J+0Q+kb8b4D/2tok4mryTJOKRvRlzJA=