ci: Use cosign for signing

e-breuninger · Jan 24, 2024 · 639bfbf · 639bfbf
1 parent 06dcd9c
commit 639bfbf
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 25 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,14 +14,17 @@ jobs:
       id-token: write  # to enable use of OIDC for npm provenance
     runs-on: ubuntu-latest
     container:
-      image: node:lts-alpine3.17
+      image: node:lts-alpine3.19
     env:
       NPM_CACHE_DIR: ~/.cache/npm
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Install job dependencies
-        run: apk add tar git
+        run: apk add tar git gpg gpg-agent cosign
+      - name: Import GPG key
+        run: |
+          echo -n "${{ secrets.GPG_PRIVATE_KEY }}" > key.gpg
       - uses: actions/cache@v4
         with:
           path: ~/.cache
@@ -46,18 +49,33 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: stable
-      - name: Import GPG key
-        id: import_gpg
-        uses: paultyng/[email protected]
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          PASSPHRASE: ${{ secrets.PASSPHRASE }}
-      - name: Run GoReleaser
-        uses: goreleaser/[email protected]
+  gorelease:
+    needs: semantic-release
+    permissions:
+      contents: write  # to be able to publish a GitHub release
+      issues: write  # to be able to comment on released issues
+      pull-requests: write  # to be able to comment on released pull requests
+      id-token: write  # to enable use of OIDC for npm provenance
+    runs-on: ubuntu-latest
+    container:
+      image: goreleaser/goreleaser
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
         with:
-          version: latest
-          args: release --clean
+          fetch-depth: 0
+      - name: Run GoReleaser
+        run: |
+          pwd
+          ls -lah
+          cd ${GITHUB_WORKSPACE}
+          pwd
+          ls -lah
+          echo -n "${{ secrets.GPG_PRIVATE_KEY }}" > key.gpg
+          goreleaser release --clean
         env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GPG_PASSWORD: ${{ secrets.PASSPHRASE }}
+          COSIGN_PASSWORD: ${{ secrets.PASSPHRASE }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -28,19 +28,13 @@ checksum:
   algorithm: sha256
 signs:
   - artifacts: checksum
+    cmd: cosign
     args:
-      # if you are using this is a GitHub action or some other automated pipeline, you
-      # need to pass the batch flag to indicate its not interactive.
-      - "--batch"
-      - "--passphrase-fd"
-      - "0"
-      - "--local-user"
-      - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
-      - "--output"
-      - "${signature}"
-      - "--detach-sign"
+      - "sign-blob"
+      - "--key=key.gpg"
+      - "--output-signature=${signature}"
       - "${artifact}"
-    stdin: "{{ .Env.GPG_PASSWORD }}"
+      - "--yes" # needed on cosign 2.0.0+
 release:
   # If you want to manually examine the release before its live, uncomment this line:
   draft: false