chore(ci): keyless signing (#413)

* chore(ci): keyless signing

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: fix

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: ci

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: vercel build script

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improve wording

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improve wording

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improve wording

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* chore(Taskfile): Remove -s flag for gofumpt (#421)

* chore(deps): bump sigstore/cosign-installer from 1.3.1 to 1.4.1 (#425)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 1.3.1 to 1.4.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@v1.3.1...v1.4.1)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#426)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](spf13/cobra@v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: fix links

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: update help after cobra upgrade

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: name

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

Co-authored-by: 4censord <49623362+4censord@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/build.yml

@@ -114,6 +114,9 @@ jobs:
     needs:
       - unit-tests
       - Acceptance-Tests
+    permissions:
+      contents: write
+      id-token: write
     steps:
       -
         name: Checkout
@@ -188,4 +191,3 @@ jobs:
           DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
           DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}

.goreleaser.yml

@@ -146,14 +146,25 @@ furies:
 
 signs:
 - cmd: cosign
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign-blob", "-key=/tmp/goreleaser_cosign.key", "-output=${signature}", "${artifact}"]
-  artifacts: checksum
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  certificate: '${artifact}.pem'
+  args:
+    - sign-blob
+    - '--oidc-issuer=https://token.actions.githubusercontent.com'
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
 
 docker_signs:
-- artifacts: manifests
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign", "-key=/tmp/goreleaser_cosign.key", "${artifact}"]
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  artifacts: manifests
+  args:
+  - 'sign'
+  - '--oidc-issuer=https://token.actions.githubusercontent.com'
+  - '${artifact}'
 
 changelog:
   sort: asc
@@ -181,8 +192,6 @@ checksum:
   name_template: 'checksums.txt'
 
 release:
-  extra_files:
-    - glob: cosign.pub
   footer: |
     **Full Changelog**: https://github.com/goreleaser/nfpm/compare/{{ .PreviousTag }}...{{ .Tag }}
 

scripts/vercel/build.sh

@@ -1,3 +1,5 @@
 #!/bin/bash
 set -euo pipefail
+version="$(curl -sSf -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/goreleaser/nfpm/releases/latest" | jq -r '.tag_name')"
+sed -s'' -i "s/__VERSION__/$version/g" www/docs/install.md
 mkdocs build -f www/mkdocs.yml

www/docs/install.md

@@ -69,38 +69,38 @@ go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
 
 Download the pre-compiled binaries from the [releases page][releases] and copy them to the desired location.
 
-## Verifying the binaries
+## Veryifing the artifacts
 
-All artifacts are checksummed and the checksum file is signed with [cosign][].
+### binaries
 
-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
+All artifacts are checksummed and the checksum is signed with [cosign][].
+
+1. Download the files you want, the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page:
+	```sh
+	wget https://github.com/goreleaser/nfpm/releases/download/__VERSION__/checksums.txt
+	wget https://github.com/goreleaser/nfpm/releases/download/__VERSION__/checksums.txt.sig
+	```
 
-1. Download the files you want, the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page.
 1. Verify the signature:
 	```sh
-	cosign verify-blob \
-		-key https://goreleaser.com/static/goreleaser.pub \
-		-signature checksums.txt.sig \
+	COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+		--signature checksums.txt.sig \
 		checksums.txt
 	```
 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
 	```sh
 	sha256sum --ignore-missing -c checksums.txt
 	```
 
-## Verifying docker images
+### docker images
 
-Our Docker image is signed with [cosign][].
+Our Docker images are signed with [cosign][].
 
-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub):
+Verify the signature:
 
 ```sh
-cosign verify \
-	-key https://goreleaser.com/static/goreleaser.pub \
-	goreleaser/nfpm
-cosign verify \
-	-key https://goreleaser.com/static/goreleaser.pub \
-	ghcr.io/goreleaser/nfpm
+COSIGN_EXPERIMENTAL=1 cosign verify	goreleaser/nfpm
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/goreleaser/nfpm
 ```
 
 ## Running with Docker