feat: cosign added
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
developer-guy committed Feb 10, 2022
1 parent 82affb0 commit 1ff2757
Showing 2 changed files with 24 additions and 2 deletions.
13 changes: 11 additions & 2 deletions .github/workflows/build.yml
@@ -5,6 +5,11 @@ on:
tags:
- "v*"

permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access

jobs:
release:
runs-on: ubuntu-latest
@@ -24,12 +29,16 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- uses: anchore/sbom-action/download-syft@v0.6.0 # installs syft

- uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.5.1' # optional

- uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

password: ${{ secrets.GITHUB_TOKEN }}
- uses: goreleaser/goreleaser-action@v2
with:
version: latest
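Review bot: The new installer step references `sigstore/cosign-installer@main`, a mutable branch, in a release job that now holds `id-token: write`, `contents: write` and `packages: write`, so whatever lands on that branch runs with the workflow's OIDC identity and can sign or publish as this repository. Pin it to an immutable ref, e.g. `- uses: sigstore/cosign-installer@<full-commit-sha> # <release tag>`, and keep `cosign-release: 'v1.5.1'` as is. The context lines `goreleaser/goreleaser-action@v2` with `version: latest` float in the same way and deserve the same treatment. Since only the `release` job is visible here, the `permissions:` block could probably move under `jobs.release` so that a job added later does not inherit the write scopes; the rest of the workflow lies outside the hunk.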
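--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -53,3 +53,16 @@ sboms:
 - artifacts: archive
 - id: source
 artifacts: source
+
+signs:
+- cmd: cosign
+env:
+- COSIGN_EXPERIMENTAL=1
+certificate: '${artifact}.pem'
+args:
+- sign-blob
+- '--output-certificate=${certificate}'
+- '--output-signature=${signature}'
+- '${artifact}'
+artifacts: checksum
+output: true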
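Review bot: The `signs:` entry has no comment saying what the signature covers or how it is meant to be verified, which matters for keyless signing: `artifacts: checksum` signs only the checksum file, and the `.pem` written by `--output-certificate` is meaningful only if the verifier checks the identity and issuer inside it. I would add above `- cmd: cosign` something like `# keyless signature over the checksum file only; verifiers must check the certificate identity (this repo's release workflow), then compare archive hashes with the checksums`. `COSIGN_EXPERIMENTAL=1` also records the signing event in the public transparency log, which is worth stating in the same comment. If the release also pushes container images to ghcr.io, as the login step in the workflow suggests, they are not covered by this block and would need a `docker_signs` section.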
