ci: add checksum and signing support for release binaries

Add SHA256 checksum generation and cosign keyless signing to
release-trigger.yaml. Checksums and signatures are generated
at release time only (not during daily CI builds), keeping the
build pipeline fast and release artifacts verifiable.

- Generate .sha256 checksum files for all release binaries
- Sign binaries with cosign using GitHub OIDC (keyless)
- Include .sha256, .sig, and .crt files in GitHub Releases
- Remove S3 upload job from ci_main.yml
- Delete upload_s3.yml (replaced by GitHub Releases)

Resolves: #199

Signed-off-by: vinayakjeet <vinayakjeetog@gmail.com>

Author: vinayakjeet

.github/workflows/ci_main.yml

@@ -1,4 +1,4 @@
-name: Build & Upload
+name: Build
 
 on:
   push:
@@ -12,9 +12,6 @@ concurrency:
 permissions:
   contents: read
   pull-requests: read
-  packages: write
-  id-token: write
-  attestations: write
 
 jobs:
   build:
@@ -24,13 +21,3 @@ jobs:
       ref: ${{ github.sha }}
       go_version: "1.25.4"
 
-  upload:
-    name: Upload
-    needs: build
-    uses: ./.github/workflows/upload_s3.yml
-    with:
-      ref: ${{ github.sha }}
-    secrets:
-      AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-

.github/workflows/release-trigger.yaml

@@ -99,6 +99,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ci,parse-version-manifest]
     if: needs.parse-version-manifest.outputs.version != ''
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
@@ -110,41 +113,63 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Download urunc amd64 build artifact 
+      - name: Download urunc amd64 build artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: urunc_static_amd64-${{ github.run_id }}
           path: ${{ env.ARTIFACTS_PATH }}
           merge-multiple: true
-      - name: Download shim amd64 build artifact 
+      - name: Download shim amd64 build artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: containerd-shim-urunc-v2_static_amd64-${{ github.run_id }}
           path: ${{ env.ARTIFACTS_PATH }}
           merge-multiple: true
 
-      - name: Download urunc arm64 build artifact 
+      - name: Download urunc arm64 build artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: urunc_static_arm64-${{ github.run_id }}
           path: ${{ env.ARTIFACTS_PATH }}
           merge-multiple: true
 
-      - name: Download shim arm64 build artifact 
+      - name: Download shim arm64 build artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: containerd-shim-urunc-v2_static_arm64-${{ github.run_id }}
           path: ${{ env.ARTIFACTS_PATH }}
           merge-multiple: true
 
+      - name: Generate checksums
+        run: |
+          cd ${{ env.ARTIFACTS_PATH }}
+          sha256sum urunc_static_amd64 > urunc_static_amd64.sha256
+          sha256sum urunc_static_arm64 > urunc_static_arm64.sha256
+          sha256sum containerd-shim-urunc-v2_static_amd64 > containerd-shim-urunc-v2_static_amd64.sha256
+          sha256sum containerd-shim-urunc-v2_static_arm64 > containerd-shim-urunc-v2_static_arm64.sha256
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159
+
+      - name: Sign binaries with cosign
+        run: |
+          cd ${{ env.ARTIFACTS_PATH }}
+          for bin in urunc_static_amd64 urunc_static_arm64 \
+                     containerd-shim-urunc-v2_static_amd64 \
+                     containerd-shim-urunc-v2_static_arm64; do
+            cosign sign-blob --yes \
+              --output-signature "${bin}.sig" \
+              --output-certificate "${bin}.crt" \
+              "${bin}"
+          done
+
       - name: Generate urunc-bot token
         id: generate-token
         uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         with:
           app-id: ${{ vars.URUNC_BOT_APP_ID }}
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
-
       - name: Extract release notes for ${{ needs.parse-version-manifest.outputs.version }}
         id: extract_notes
         run: |
@@ -163,15 +188,27 @@ jobs:
         id: create_release
         with:
           files: |
-            ${{ env.ARTIFACTS_PATH}}/urunc_static_amd64
-            ${{ env.ARTIFACTS_PATH}}/urunc_static_arm64
-            ${{ env.ARTIFACTS_PATH}}/containerd-shim-urunc-v2_static_amd64
-            ${{ env.ARTIFACTS_PATH}}/containerd-shim-urunc-v2_static_arm64
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_amd64
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_amd64.sha256
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_amd64.sig
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_amd64.crt
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_arm64
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_arm64.sha256
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_arm64.sig
+            ${{ env.ARTIFACTS_PATH }}/urunc_static_arm64.crt
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_amd64
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_amd64.sha256
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_amd64.sig
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_amd64.crt
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_arm64
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_arm64.sha256
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_arm64.sig
+            ${{ env.ARTIFACTS_PATH }}/containerd-shim-urunc-v2_static_arm64.crt
           body: ${{ steps.extract_notes.outputs.release_notes }}
-          name: ${{needs.parse-version-manifest.outputs.version}}
+          name: ${{ needs.parse-version-manifest.outputs.version }}
           draft: false
           prerelease: false
           generate_release_notes: false
-          tag_name: ${{needs.parse-version-manifest.outputs.version}}
+          tag_name: ${{ needs.parse-version-manifest.outputs.version }}
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}