Merge pull request #84 from git-pkgs/cosign-signing

andrew · web-flow · commit d3d11445c616 · 2026-04-13T09:22:29.000+01:00
Sign release checksums with cosign keyless
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -18,6 +19,8 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -34,6 +34,18 @@ archives:
 checksum:
   name_template: "checksums.txt"
 
+signs:
+  - cmd: cosign
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
+    output: true
+
 snapshot:
   version_template: "{{ incpatch .Version }}-next"
 
