feat(ci): add cosign and sbom generation (syft) (#69)

.github/workflows/release.yaml

@@ -5,20 +5,35 @@ on:
     tags:
       - '*'
 
+permissions: read-all
+
 jobs:
   release:
+    permissions:
+      id-token: write
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # renovate: tag=v2.4.0
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # renovate: tag=v2.1.5
         with:
           go-version: 1.17
+      - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed # renovate: tag=v2.1.7
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # renovate: tag=v1.4.1
+      - uses: anchore/sbom-action/download-syft@3626d7d7b13e87ee6c6f9ded3940dea05a3967bc # renovate: tag=v0.6.0
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@79d4afbba1b4eff8b9a98e3d2e58c4dbaf094e2b # renovate: tag=v2.8.1
         with:
           version: latest
           args: release --rm-dist

.goreleaser.yml → .goreleaser.yaml

@@ -29,6 +29,30 @@ builds:
       - amd64
       - arm64
 
+source:
+  enabled: true
+
+sboms:
+  - artifacts: binary
+  - id: source
+    artifacts: source
+
+checksum:
+  name_template: 'checksums.txt'
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
+
 archives:
   - format: binary
     name_template: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}'

CONTRIBUTING.md

@@ -80,3 +80,33 @@ Values can then be accessed with template expressions like for example `{{ .Exte
 
 > In general you should use template expressions to optionally add things to existing files (like another Make target)
 > and use the `postHook` property to optionally delete/ add a whole file.
+
+### Release via GoReleaser
+
+We use for the release of the `go-template` project [GoReleaser](https://goreleaser.com/). `GoReleaser` is a tool that 
+helps you to release your projects in a fast and easy way.
+
+Important is the `.goreleaser.yaml` file which is used to configure the release process.
+
+We can start locale builds with adding the `--snapshot` flag to the `goreleaser` command. The `--snapshot` flag will 
+disable some of the phases, like creating a release tag and pushing to the remote.
+
+```bash
+goreleaser build --rm-dist --snapshot
+```
+
+or even a release with: 
+```bash
+goreleaser release --snapshot --rm-dist
+```
+
+Check the great documentation of GoReleaser [here](https://goreleaser.com/intro/) for further information.
+
+#### Cosign and Syft
+
+During the release process we use `cosign` to keyless sign the release artifacts.
+
+On top of that, we use `syft` to generate a Software Bill of Materials (SBOM) from our go modules.
+
+Check the docs for [`syft`](https://github.com/anchore/syft) and [`cosign`](https://github.com/sigstore/cosign) 
+for further information.