From 6b02ae47f7d2740c9dc78fa3830990d9559b072e Mon Sep 17 00:00:00 2001 From: Jan De Dobbeleer Date: Thu, 2 Dec 2021 22:42:38 +0100 Subject: [PATCH] feat: sign releases with cosign --- .github/workflows/build_code.yml | 2 +- .github/workflows/release.yml | 16 +++++++++++++++- .gitignore | 4 ++++ cosign.pub | 4 ++++ src/.goreleaser.yml | 3 +++ 5 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 cosign.pub diff --git a/.github/workflows/build_code.yml b/.github/workflows/build_code.yml index adaa5696..645b0d44 100644 --- a/.github/workflows/build_code.yml +++ b/.github/workflows/build_code.yml @@ -24,5 +24,5 @@ jobs: with: distribution: goreleaser version: latest - args: build --rm-dist --snapshot + args: build --rm-dist --snapshot --skip-post-hooks workdir: src diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4aefc5f1..e4afd3bb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,8 +33,11 @@ jobs: needs: changelog if: ${{ needs.changelog.outputs.skipped == 'false' }} runs-on: ubuntu-latest + env: + COSIGN_KEY_LOCATION: "/tmp/cosign.key" defaults: run: + shell: pwsh working-directory: ${{ github.workspace }}/src steps: - name: Install Go 🗳 @@ -45,6 +48,16 @@ jobs: uses: actions/checkout@v2 - name: Tag HEAD 😸 run: git tag ${{ needs.changelog.outputs.tag }} + - name: Install cosign 🔑 + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.3.1' + - name: Private Key 🔐 + run: | + $PSDefaultParameterValues['Out-File:Encoding']='UTF8' + $env:COSIGN_KEY > $env:COSIGN_KEY_LOCATION + env: + COSIGN_KEY: ${{secrets.COSIGN_KEY}} - name: Run GoReleaser 🚀 uses: goreleaser/goreleaser-action@v2 with: @@ -52,6 +65,8 @@ jobs: version: latest args: build --rm-dist workdir: src + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Zip theme files 🤐 run: | $compress = @{ 
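Review bot: With `--skip-post-hooks` on the changed `args:` line, the snapshot build never runs the new cosign post hook from src/.goreleaser.yml, so the signing command is first exercised on a real release rather than on every push, and a broken hook (missing key file, a flag the installed cosign version does not accept) would surface only then. A comment on the line, `# post hooks sign binaries with the release key; skipped for snapshot builds`, records why the flag is there. The `version: latest` context line above means the set of accepted goreleaser flags can change under this job; pinning a goreleaser version would make the snapshot build reproducible.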
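Review bot: The new job-level `COSIGN_KEY_LOCATION` is coupled across files — the `Private Key` step writes to it and the post hook in src/.goreleaser.yml reads `$COSIGN_KEY_LOCATION` — but nothing at the definition says so; a comment above it, `# Path where the Private Key step materialises the signing key; read by the cosign post hook in src/.goreleaser.yml`, would keep the two from drifting apart. The hard-coded `"/tmp/cosign.key"` works on ubuntu-latest, but `${{ runner.temp }}` is the runner-provided scratch directory and avoids assuming a POSIX `/tmp`. Making `shell: pwsh` the job default also changes the shell of every existing `run:` step in this job (for example the `git tag` step in the next hunk), which is fine for the steps visible here but worth a glance at the ones outside the hunk.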
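Review bot: `uses: sigstore/cosign-installer@main` pins the cosign binary (`cosign-release: 'v1.3.1'`) but not the installer action itself, and this job has the release signing key in reach, so any change to that branch runs with the key available; pin the action to a release tag or, better, a full commit SHA (`uses: sigstore/cosign-installer@<commit-sha>  # <release tag>`). The `Private Key` step writes the password-protected key to disk and nothing removes it afterwards; a final step, `- name: Remove key 🧹` / `if: always()` / `run: Remove-Item -Force $env:COSIGN_KEY_LOCATION`, keeps the file from outliving the signing step even when GoReleaser fails. The `$PSDefaultParameterValues['Out-File:Encoding']='UTF8'` line deserves a comment stating its intent: on pwsh 7 (what ubuntu-latest provides) `UTF8` is BOM-less and the PEM stays valid, whereas on Windows PowerShell 5.1 the same setting writes a BOM that would corrupt the key file, so this step is only portable as long as the job stays on pwsh. Minor: `${{secrets.COSIGN_KEY}}` lacks the inner spaces used by `${{ secrets.COSIGN_PASSWORD }}` in the next hunk.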
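Review bot: Scoping `COSIGN_PASSWORD` to the GoReleaser step is the right granularity, but nothing in the job checks that the produced signatures verify against the `cosign.pub` added in this commit before the artefacts are published; if `secrets.COSIGN_KEY` is ever rotated without updating `cosign.pub`, signing still succeeds and users get signatures that do not verify. A step after GoReleaser that runs `cosign verify-blob --key cosign.pub --signature dist/<name>.sig dist/<name>` for each produced binary would fail the release instead of shipping unverifiable signatures. The `Zip theme files` step's `run:` block continues outside the hunk.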
@@ -60,7 +75,6 @@ jobs: DestinationPath = "./dist/themes.zip" } Compress-Archive @compress - shell: pwsh - name: Add hashes 🤫 run: | Get-ChildItem ./dist -Exclude *.yaml | Get-Unique | diff --git a/.gitignore b/.gitignore index 2bddcbd1..fe87d910 100644 --- a/.gitignore +++ b/.gitignore @@ -237,3 +237,7 @@ $RECYCLE.BIN/ *.lnk # End of https://www.toptal.com/developers/gitignore/api/windows,linux,macos + +# Keys + +cosign.key diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 00000000..3260c768 --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLQ9sj71/ignxPXEa072vezEZf5D +X1fO3KuoFCtzYTLc/c3rwVGtIdzc02qUoXABysJ0Ok8lsmWvwKvC7yWblg== +-----END PUBLIC KEY----- diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml index c4fdc19c..fd599904 100644 --- a/src/.goreleaser.yml +++ b/src/.goreleaser.yml @@ -31,6 +31,9 @@ builds: goarch: arm - goos: darwin goarch: arm64 + hooks: + post: + - sh -c "cosign sign-blob --key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .Name }}.sig" archives: - id: oh-my-posh format: binary
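Review bot: The post hook wraps the command in `sh -c "..."` only to get the `>` redirection and splices `{{ .Path }}` and `{{ .Name }}` unquoted into a shell string; goreleaser templates the hook command itself, so `{{ .Env.COSIGN_KEY_LOCATION }}` can replace the shell-expanded `$COSIGN_KEY_LOCATION`, and if the installed cosign can write the signature to a file via a flag the `sh -c` layer can go entirely. The hook also assumes `COSIGN_KEY_LOCATION` and `COSIGN_PASSWORD` are set, which is only true in the release workflow, so a local `goreleaser build` without `--skip-post-hooks` fails inside cosign with an unhelpful error; a comment above `hooks:` naming the two variables and the `--skip-post-hooks` escape hatch would help. `dist/{{ .Name }}.sig` is keyed on the binary name alone; if this build's `binary:` template (not visible in the hunk) does not include the target, the per-os/arch signatures overwrite each other, and `dist/{{ .Name }}-{{ .Os }}-{{ .Arch }}.sig` would be unambiguous. goreleaser's native `signs:` section is the idiomatic home for this and attaches the signatures to the release as artifacts rather than leaving loose files in `dist/`.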