ci: Use cosign for signing

e-breuninger · Jan 24, 2024 · d8512f1 · d8512f1
1 parent 06dcd9c
commit d8512f1
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 52 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -2,7 +2,7 @@
 name: pre-commit
 on:
   push:
-    branches: ["master"]
+    # branches: ["master"]
   pull_request:
     branches:
       - master

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,63 +1,86 @@
 ---
 name: semantic-release
 on:
-  workflow_run:
-    workflows: [pre-commit]
-    types: [completed]
-    branches: [master]
+  push:
+    branches: ["master"]
+  # workflow_run:
+    # workflows: [pre-commit]
+    # types: [completed]
+    # branches: [master]
 jobs:
-  semantic-release:
+  # semantic-release:
+    # permissions:
+      # contents: write  # to be able to publish a GitHub release
+      # issues: write  # to be able to comment on released issues
+      # pull-requests: write  # to be able to comment on released pull requests
+      # id-token: write  # to enable use of OIDC for npm provenance
+    # runs-on: ubuntu-latest
+    # container:
+      # image: node:lts-alpine3.19
+    # env:
+      # NPM_CACHE_DIR: ~/.cache/npm
+      # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    # steps:
+      # - name: Install job dependencies
+        # run: apk add tar git gpg gpg-agent cosign
+      # - name: Import GPG key
+        # run: |
+          # echo -n "${{ secrets.GPG_PRIVATE_KEY }}" > key.gpg
+      # - uses: actions/cache@v4
+        # with:
+          # path: ~/.cache
+          # key: semantic-release
+      # - name: Checkout code
+        # uses: actions/checkout@v4
+        # with:
+          # fetch-depth: 0
+      # - name: Install semantic-release and plugins
+        # run: npm install --cache $NPM_CACHE_DIR
+          # semantic-release
+          # @semantic-release/github
+          # @semantic-release/changelog
+          # @semantic-release/git
+          # @semantic-release/exec
+          # conventional-changelog-conventionalcommits
+      # - name: Run semantic-release
+        # run: |
+          # git config --global --add safe.directory $PWD
+          # npx semantic-release
+      # - name: Set up Go
+        # uses: actions/setup-go@v5
+        # with:
+          # go-version: stable
+  gorelease:
+    # needs: semantic-release
     permissions:
       contents: write  # to be able to publish a GitHub release
       issues: write  # to be able to comment on released issues
       pull-requests: write  # to be able to comment on released pull requests
       id-token: write  # to enable use of OIDC for npm provenance
     runs-on: ubuntu-latest
     container:
-      image: node:lts-alpine3.17
+      image: goreleaser/goreleaser
     env:
-      NPM_CACHE_DIR: ~/.cache/npm
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - name: Install job dependencies
-        run: apk add tar git
-      - uses: actions/cache@v4
-        with:
-          path: ~/.cache
-          key: semantic-release
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Install semantic-release and plugins
-        run: npm install --cache $NPM_CACHE_DIR
-          semantic-release
-          @semantic-release/github
-          @semantic-release/changelog
-          @semantic-release/git
-          @semantic-release/exec
-          conventional-changelog-conventionalcommits
-      - name: Run semantic-release
+      - name: Run GoReleaser
         run: |
+          id
+          pwd
+          ls -lah
+          cd ${GITHUB_WORKSPACE}
+          pwd
+          ls -lah
           git config --global --add safe.directory $PWD
-          npx semantic-release
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-      - name: Import GPG key
-        id: import_gpg
-        uses: paultyng/[email protected]
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          PASSPHRASE: ${{ secrets.PASSPHRASE }}
-      - name: Run GoReleaser
-        uses: goreleaser/[email protected]
-        with:
-          version: latest
-          args: release --clean
+          git rev-parse --is-inside-work-tree
+          echo -n "${{ secrets.GPG_PRIVATE_KEY }}" > key.gpg
+          goreleaser release --clean
         env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GPG_PASSWORD: ${{ secrets.PASSPHRASE }}
+          COSIGN_PASSWORD: ${{ secrets.PASSPHRASE }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -28,19 +28,13 @@ checksum:
   algorithm: sha256
 signs:
   - artifacts: checksum
+    cmd: cosign
     args:
-      # if you are using this is a GitHub action or some other automated pipeline, you
-      # need to pass the batch flag to indicate its not interactive.
-      - "--batch"
-      - "--passphrase-fd"
-      - "0"
-      - "--local-user"
-      - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
-      - "--output"
-      - "${signature}"
-      - "--detach-sign"
+      - "sign-blob"
+      - "--key=key.gpg"
+      - "--output-signature=${signature}"
       - "${artifact}"
-    stdin: "{{ .Env.GPG_PASSWORD }}"
+      - "--yes" # needed on cosign 2.0.0+
 release:
   # If you want to manually examine the release before its live, uncomment this line:
   draft: false