enhancement(ci): Sign release artifacts (#1959)

#### Description  Signs release artifacts: - binaries - docker images Fixes # #239 #### Checklist  - [x] The PR title has the correct prefix - [x] PR is linked to the corresponding issue - [x] All commits are signed-off (`git commit -s ...`) to provide the [DCO](https://developercertificate.org/) Signed-off-by: Piotr Solarczyk <psolarcz@cisco.com>
cerbos · Jan 25, 2024 · 36b0e6d · 36b0e6d
1 parent 5db9ab0
commit 36b0e6d
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,6 +9,9 @@ jobs:
     name: Release Binaries
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -55,6 +58,11 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.1.1
+        with:
+          cosign-release: 'v2.1.1'
+
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -87,6 +87,18 @@ nfpms:
         dst: /etc/systemd/system/cerbos.service
       - dst: /var/cerbos/policies
         type: dir
+
+signs:
+  - cmd: cosign
+    args:
+      - sign-blob
+      - --yes
+      - --rekor-url
+      - https://rekor.sigstore.dev/
+      - "--output-signature=${signature}"
+      - "${artifact}"
+    artifacts: all
+
 dockers:
   - id: cerbos-amd64
     dockerfile: Dockerfile.cerbos
@@ -237,6 +249,18 @@ docker_manifests:
       - "docker.io/cerbos/cerbosctl:dev-amd64"
       - "docker.io/cerbos/cerbosctl:dev-arm64"
 
+docker_signs:
+  - id: sign-images
+    cmd: cosign
+    args:
+      - sign
+      - --yes
+      - --rekor-url
+      - https://rekor.sigstore.dev/
+      - "${artifact}"
+    artifacts: all
+    output: true
+
 brews:
   - repository:
       owner: cerbos