feat: enable artifact signing via cosign

.github/workflows/ci.yml

@@ -71,7 +71,7 @@ jobs:
       # Install various tools
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
-          go-version: '>=1.21.4'
+          go-version: '>=1.21.5'
           cache: true
       - name: setup-tparse
         run: |
@@ -110,7 +110,7 @@ jobs:
       # Install Go
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
-          go-version: '>=1.21.4'
+          go-version: '>=1.21.5'
           cache: true
       # Run linter
       - name: golangci-lint
@@ -131,7 +131,7 @@ jobs:
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           cache: true
-          go-version: '>=1.21.4'
+          go-version: '>=1.21.5'
       - name: govulncheck
         run: |
           go install golang.org/x/vuln/cmd/govulncheck@latest

.github/workflows/release.yml

@@ -39,6 +39,7 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       packages: write
     steps:
       - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1
@@ -69,12 +70,14 @@ jobs:
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         if: ${{ steps.release.outputs.release_created }}
         with:
-          go-version: '>=1.21.4'
+          go-version: '>=1.21.5'
           cache: true
       - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
         if: ${{ steps.release.outputs.release_created }}
       - uses: anchore/sbom-action/download-syft@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b # v0.15.0
         if: ${{ steps.release.outputs.release_created }}
+      - uses: sigstore/cosign-installer@v3
+        if: ${{ steps.release.outputs.release_created }}
 
       # Login to ghcr.io
       - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3

.goreleaser.yaml

@@ -92,6 +92,27 @@ archives:
 sboms:
   - artifacts: archive
 
+signs:
+  - cmd: cosign
+    certificate: "${artifact}.pem"
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - --yes
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    output: true
+    args:
+      - "sign"
+      - "${artifact}@${digest}"
+      - --yes
+
 dockers:
   -
     id: "linux-amd64"