
build(release): signed releases via goreleaser + cosign#35

Merged: adrianbrad merged 1 commit into main from chore/signed-releases on Apr 20, 2026

Conversation

@adrianbrad (Owner)

Adds an on-tag release workflow to close Scorecard's Signed-Releases gap.

What runs on git push --tags

  1. Checkout + Go + cosign + syft.
  2. goreleaser release --clean, which:
    • builds a source tarball (library — builds: skip: true)
    • generates an SPDX SBOM with syft
    • emits checksums.txt
    • signs every artifact with cosign keyless via Sigstore (OIDC token from GITHUB_TOKEN, no GPG secrets to manage)
  3. Publishes a GitHub Release with notes grouped by conventional commit type.

Verification for consumers

Example from the generated release notes:

cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp '^https://github.com/adrianbrad/queue/\.github/workflows/release\.yaml@refs/tags/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

Scorecard impact

  • Signed-Releases: ? → 10/10 (after first tagged release cuts)
  • Aggregate expected jump: ~7.4 → ~8.0

Test plan

  • goreleaser check .goreleaser.yaml passes via ghcr.io/goreleaser/goreleaser:latest
  • Push a patch tag (e.g. v1.4.1) after merge and confirm the workflow publishes a signed GitHub Release
  • Rerun scorecard --repo=... to verify Signed-Releases lift

On v* tag push, run goreleaser to:
- build a source tarball (library, no binaries)
- generate SPDX SBOM via syft
- emit checksums.txt
- sign every artifact with cosign keyless (Sigstore OIDC via the
  GitHub Actions token)
- publish a GitHub Release with notes grouped by conventional commit
  type

Lifts Scorecard's Signed-Releases from '?' to 10/10 once the first
tagged release cuts.
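As an added example (not code from this PR, nor from the goreleaser or cosign projects), the following POSIX shell script performs the consumer-side verification the release layout above implies, in the order that matters: first the keyless signature on checksums.txt, pinned to the workflow identity regexp and OIDC issuer from the PR's command, and only then the tarball and SBOM hashes against the now-trusted checksums.txt. The function names, the checksums-writing helper (used to build offline fixtures in the same two-space layout goreleaser emits) and the `--run` flag are this example's own; cosign is assumed to be on PATH for the signature step.

```shell
#!/bin/sh
# Added example (not part of PR #35 or of goreleaser/cosign): consumer-side
# verification of a goreleaser + cosign keyless release. Assumes the assets
# (checksums.txt, checksums.txt.pem, checksums.txt.sig, the source tarball
# and SBOM) were downloaded into one directory, and that cosign is installed.
set -eu

# Signer identity and OIDC issuer, taken from the PR's verification command.
# Pinning both ties the signature to this repo's release workflow running on
# a tag ref; without them any Sigstore-signed blob would pass.
REPO_WORKFLOW_RE='^https://github.com/adrianbrad/queue/\.github/workflows/release\.yaml@refs/tags/'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Portable SHA-256 helpers: coreutils sha256sum, or perl shasum on macOS.
sha256_check() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum --check --strict "$1"
  else
    shasum -a 256 --check --strict "$1"
  fi
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Step 1: verify the keyless signature on checksums.txt. Succeeds only if the
# certificate identity matches the release workflow on a tag ref and the
# certificate was issued via the GitHub Actions OIDC issuer.
verify_checksums_signature() {
  dir="${1:-.}"
  cosign verify-blob \
    --certificate "$dir/checksums.txt.pem" \
    --signature "$dir/checksums.txt.sig" \
    --certificate-identity-regexp "$REPO_WORKFLOW_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$dir/checksums.txt"
}

# Step 2: with checksums.txt trusted, confirm every artifact it lists hashes
# to the recorded value. Non-zero exit if any entry is missing or mismatched.
verify_artifact_hashes() {
  dir="${1:-.}"
  ( cd "$dir" && sha256_check checksums.txt ) >/dev/null 2>&1
}

# Producer-side counterpart (hypothetical helper, used here only to build
# fixtures): writes checksums.txt in the "<sha256>  <filename>" layout.
write_checksums_file() {
  dir="$1"; shift
  : > "$dir/checksums.txt"
  for f in "$@"; do
    printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$dir/checksums.txt"
  done
}

# Full check: signature first, so a tampered checksums.txt can never vouch
# for tampered artifacts.
verify_release() {
  dir="${1:-.}"
  verify_checksums_signature "$dir" && verify_artifact_hashes "$dir"
}

# Usage: sh verify-release.sh --run ./release-assets
if [ "${1:-}" = "--run" ]; then
  verify_release "${2:-.}" && echo "release verified"
fi
```

The split into two steps is deliberate: checksums.txt is the only artifact whose signature is checked, so it must be authenticated before its contents are allowed to vouch for the tarball and SBOM. The `--strict` flag on the hash check turns a malformed or truncated checksums.txt into a failure rather than a silent partial verification.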
@codecov

codecov Bot commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (f6037c0) to head (d0f649a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #35   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            5         5           
  Lines          442       442           
=========================================
  Hits           442       442           
Flag        Coverage Δ
unittests   100.00% <ø> (ø)


@adrianbrad adrianbrad merged commit 7c20346 into main Apr 20, 2026
10 checks passed
@adrianbrad adrianbrad deleted the chore/signed-releases branch April 21, 2026 09:09