Add cosign signing (#54)

* signing Signed-off-by: Benji Visser <benji@093b.org> * update goreleaser Signed-off-by: Benji Visser <benji@093b.org> * install syft Signed-off-by: Benji Visser <benji@093b.org> * tags Signed-off-by: Benji Visser <benji@093b.org> * 1.6.10 Signed-off-by: Benji Visser <benji@093b.org> * cosign Signed-off-by: Benji Visser <benji@093b.org> * keyless Signed-off-by: Benji Visser <benji@093b.org> * update Signed-off-by: Benji Visser <benji@093b.org> * permissions Signed-off-by: Benji Visser <benji@093b.org> * test job Signed-off-by: Benji Visser <benji@093b.org> --------- Signed-off-by: Benji Visser <benji@093b.org>
noqcks · Jul 2, 2023 · 38605fc · 38605fc
1 parent d725ec4
commit 38605fc
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 6 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - '*'
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
 jobs:
   test:
     runs-on: "ubuntu-latest"
@@ -17,7 +23,9 @@ jobs:
         run: go install github.com/onsi/ginkgo/v2/ginkgo@latest
       - name: Test
         run: ginkgo ./...
+
   release:
+    needs: [test]
     env:
       GO111MODULE: on
     name: Release
@@ -26,17 +34,27 @@ jobs:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
       - name: Version
         run: echo "VERSION=$(cat VERSION)" >> $GITHUB_ENV
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
+          go-version-file: 'go.mod'
           go-version: 1.19.x
+
+      - name: Install syft
+        run: go install github.com/anchore/syft/cmd/syft@latest
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.1.1
+
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml → .goreleaser.yaml b/.goreleaser.yml → .goreleaser.yaml
@@ -1,5 +1,4 @@
-# This is an example .goreleaser.yml file with some sane defaults.
-# Make sure to check the documentation at http://goreleaser.com
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 before:
   hooks:
     # You may remove this if you don't use go modules.
@@ -16,16 +15,45 @@ builds:
     goarch:
       - amd64
       - arm64
+    mod_timestamp: '{{ .CommitTimestamp }}'
     ldflags:
       - -X main.AppVersion={{.Env.VERSION}} -w -extldflags static
+
 archives:
   - format: binary
     name_template: "{{ .ProjectName }}-v{{ .Version }}-{{ .Os }}-{{ .Arch }}"
 
 checksum:
   name_template: 'checksums.txt'
+
+gomod:
+  proxy: true
+
+source:
+  enabled: true
+
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+
+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  certificate: '${artifact}.pem'
+  args:
+    - sign-blob
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
+    - "--yes" # needed on cosign 2.0.0+
+  artifacts: checksum
+  output: true
+
 snapshot:
   name_template: "{{ incpatch .Tag }}-next"
+
 changelog:
   sort: asc
   filters:

diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ $ go get github.com/noqcks/gucci
 Or you can just download the binary and move it into your `PATH`:
 
 ```
-VERSION=1.6.6
+VERSION=1.6.10
 wget -q "https://github.com/noqcks/gucci/releases/download/${VERSION}/gucci-v${VERSION}-darwin-amd64"
 chmod +x gucci-v${VERSION}-darwin-amd64
 mv gucci-v${VERSION}-darwin-amd64 /usr/local/bin/gucci

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.6.6
+1.6.10