try adding signing

jackgopack4 · Sep 19, 2024 · 2759561 · 2759561
1 parent 67048bc
commit 2759561
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/.github/workflows/builder-release.yaml b/.github/workflows/builder-release.yaml
@@ -31,6 +31,8 @@ jobs:
         run:  |
           cp cmd/builder/Dockerfile .core/cmd/builder/Dockerfile
           cp cmd/builder/builder-config.yaml .core/cmd/builder/builder-config.yaml
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
         with:
           platforms: arm64,ppc64le,linux/arm/v7,s390x
@@ -62,3 +64,4 @@ jobs:
         env:
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          COSIGN_YES: true
diff --git a/cmd/builder/.goreleaser.yml b/cmd/builder/.goreleaser.yml
@@ -120,3 +120,26 @@ snapshot:
   version_template: "{{ .Tag }}-next"
 changelog:
   disable: true
+signs:
+  - cmd: cosign
+    args:
+      - sign-blob
+      - --output-signature
+      - ${artifact}.sig
+      - --output-certificate
+      - ${artifact}.pem
+      - ${artifact}
+    signature: ${artifact}.sig
+    artifacts: all
+    certificate: ${artifact}.pem
+docker_signs:
+  - args:
+      - sign
+      - ${artifact}
+    artifacts: all
+sboms:
+  - id: archive
+    artifacts: archive
+  - id: package
+    artifacts: package
+