feat: sign releases with cosign

2024-11-09 20:44:03 -08:00 · 2021-12-02 22:42:38 +01:00 · 2021-12-02 22:42:38 +01:00 · 6b02ae47f7
parent 8f412dba7e
commit 6b02ae47f7
5 changed files with 27 additions and 2 deletions
--- a/.github/workflows/build_code.yml
+++ b/.github/workflows/build_code.yml
@ -24,5 +24,5 @@ jobs:
      with:
        distribution: goreleaser
        version: latest
-        args: build --rm-dist --snapshot
+        args: build --rm-dist --snapshot --skip-post-hooks
        workdir: src
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -33,8 +33,11 @@ jobs:
    needs: changelog
    if: ${{ needs.changelog.outputs.skipped == 'false' }}
    runs-on: ubuntu-latest
+    env:
+      COSIGN_KEY_LOCATION: "/tmp/cosign.key"
    defaults:
      run:
+        shell: pwsh
        working-directory: ${{ github.workspace }}/src
    steps:
      - name: Install Go 🗳
@ -45,6 +48,16 @@ jobs:
        uses: actions/checkout@v2
      - name: Tag HEAD 😸
        run: git tag ${{ needs.changelog.outputs.tag }}
+      - name: Install cosign 🔑
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.3.1'
+      - name: Private Key 🔐
+        run: |
+          $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
+          $env:COSIGN_KEY > $env:COSIGN_KEY_LOCATION
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
      - name: Run GoReleaser 🚀
        uses: goreleaser/goreleaser-action@v2
        with:
@ -52,6 +65,8 @@ jobs:
          version: latest
          args: build --rm-dist
          workdir: src
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      - name: Zip theme files 🤐
        run: |
          $compress = @{
@ -60,7 +75,6 @@ jobs:
            DestinationPath = "./dist/themes.zip"
          }
          Compress-Archive @compress
-        shell: pwsh
      - name: Add hashes 🤫
        run: |
          Get-ChildItem ./dist -Exclude *.yaml | Get-Unique |
--- a/.gitignore
+++ b/.gitignore
@ -237,3 +237,7 @@ $RECYCLE.BIN/
 *.lnk

 # End of https://www.toptal.com/developers/gitignore/api/windows,linux,macos
+
+# Keys
+
+cosign.key
--- a/cosign.pub
+++ b/cosign.pub
@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLQ9sj71/ignxPXEa072vezEZf5D
+X1fO3KuoFCtzYTLc/c3rwVGtIdzc02qUoXABysJ0Ok8lsmWvwKvC7yWblg==
+-----END PUBLIC KEY-----
--- a/src/.goreleaser.yml
+++ b/src/.goreleaser.yml
@ -31,6 +31,9 @@ builds:
        goarch: arm
      - goos: darwin
        goarch: arm64
+    hooks:
+      post:
+      - sh -c "cosign sign-blob --key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .Name }}.sig"
 archives:
  - id: oh-my-posh
    format: binary