From d3057bda206bb2e323ab7e646ec277b5b229479e Mon Sep 17 00:00:00 2001 From: Joshua Rich Date: Sun, 22 Oct 2023 09:59:37 +1000 Subject: [PATCH] ci(goreleaser): sign artifacts with cosign --- .github/workflows/release-please.yml | 1 + .gitignore | 1 + .goreleaser.yml | 11 +++++++++++ cosign.key | 11 +++++++++++ cosign.pub | 4 ++++ 5 files changed, 28 insertions(+) create mode 100644 cosign.key create mode 100644 cosign.pub diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index bc0b3d4..2953d3e 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -55,3 +55,4 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COSIGN_PWD: ${{ secrets.COSIGN_PWD }} diff --git a/.gitignore b/.gitignore index 36fe373..bbd0e4f 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ !docs/**/*.png !tools/* !internal/**/*.png +!cosign.* # ...even if they are in subdirectories !*/ diff --git a/.goreleaser.yml b/.goreleaser.yml index 843c20d..ef9404b 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -15,6 +15,17 @@ builds: pre: - go generate ./... +signs: +- cmd: cosign + stdin: '{{ .Env.COSIGN_PWD }}' + args: + - "sign-blob" + - "--key=cosign.key" + - "--output-signature=${signature}" + - "${artifact}" + - "--yes" # needed on cosign 2.0.0+ + artifacts: all + archives: - format: binary diff --git a/cosign.key b/cosign.key new file mode 100644 index 0000000..0e83488 --- /dev/null +++ b/cosign.key 
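Review bot: `COSIGN_PWD` is the only secret handed to the release step, which only works while the encrypted key file is checked out from the repository; if the key is kept out of git (the safer arrangement), this step also needs `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` so goreleaser can reference it as `env://COSIGN_PRIVATE_KEY`. The surrounding job and step definition, including any `permissions:` block, start outside the hunk; keyless Sigstore signing via the workflow's OIDC identity would additionally require `id-token: write` there. Either way the passphrase is a credential that signs every release, so where the forge supports it, scope it to this workflow's deployment environment rather than leaving it as a repository-wide secret readable by any workflow.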
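Review bot: The negation `!cosign.*` un-ignores both files, so the private key `cosign.key` is force-tracked alongside the public key, and only the public half belongs in git. Narrow the rule to `!cosign.pub` and add an explicit `cosign.key` ignore line ahead of the negations so a locally generated key cannot be committed by accident again. The visible context suggests a whitelist-style ignore file, so an explicit ignore for the key is safer than assuming a catch-all rule elsewhere covers it.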
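Review bot: `--key=cosign.key` makes the signer read the private key from the checked-out tree, which is what forces the key into the repository; cosign can read it from the environment instead, `--key=env://COSIGN_PRIVATE_KEY`, with the encrypted PEM stored as a repository secret next to `COSIGN_PWD`. Passing the passphrase on `stdin` rather than as an argument is the right choice, since argv is visible in process listings and logs. If keyless signing is acceptable, the `--key` flag can go away entirely in favour of the workflow's OIDC identity, adding `--output-certificate=${certificate}` and `certificate: '${artifact}.pem'` so verifiers receive the signing certificate, which removes the long-lived key and passphrase altogether. As far as I recall, `sign-blob` on cosign 2.x also uploads an entry to the public Rekor transparency log unless `--tlog-upload=false` is given, which is desirable for auditability but worth stating in the release documentation.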
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJBdWJVSWszUmNGT2MrV0hONnV3U2ltRE14QXkzSlF6
+NHFDT0crdzQwZ0Q0PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJEczZHSC92YXRqdWRCRkR6YktRYXgxeFYvUmV0RGJweSJ9LCJj
+aXBoZXJ0ZXh0IjoiSkQxSnhWTEQzWStVekFsaVFBdStsVG55d2l5QzZ6S2k3WXVB
+MXNHbmVRb0dsUHNQeWF0QjYyWTlvNlIybkJURHo4MVpob2hZK2dCQUhzR2FjNWJm
+c1VqWEJVWk1MaW5FVGkxdUZST09OL0poa2xIa2d5UnhrUVc4bzU1RGVxRDNjcjBk
+a0o1VnlsR1hBejdlbDhtR0lxeTZ2NmhwSThueHg0b3dsZlAzM3IxVm1aUW9WejN4
+TmljL3lMb0QxREFJd3I1amo2Ym40L0NaY0E9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..616ce52
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJVfVTRU9qlJ6F+eZTQO/KSo3bmZn
+ooVnvYAquh44OQbmT87BtzeyvMYj2f8VKj653B5lU6P+lkJ/i72XDK8DuA==
+-----END PUBLIC KEY-----
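Review bot: This commits the release-signing private key to the repository, so the integrity of every future release signature now rests solely on the passphrase; the base64 header decodes to an scrypt-wrapped (N=65536, r=8, p=1) nacl/secretbox blob, which is cheap enough that a weak passphrase can be brute-forced offline by anyone with a clone. The key should be treated as compromised: generate a new pair with `cosign generate-key-pair`, store the encrypted private PEM in a `COSIGN_PRIVATE_KEY` secret (referenced as `--key=env://COSIGN_PRIVATE_KEY`), and remove this file from git history rather than only from HEAD, since forks and clones retain it. Anyone who obtains `COSIGN_PWD` — through a compromised Action or a leaked workflow log, for example — otherwise has everything needed to sign malicious artifacts as this project. Keyless signing backed by the workflow's OIDC identity would avoid storing either secret.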
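Review bot: Nothing in the patch tells consumers how to check a release, so the public key is of little use until the verification command is documented, e.g. `cosign verify-blob --key cosign.pub --signature <artifact>.sig <artifact>` in the README or release notes, ideally alongside the key's fingerprint so users can pin it independently of the repository. Because the matching private key is added in the same patch, this public key should be regenerated together with it before anyone is encouraged to pin it.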