From bc0963283c7453fbdfc855af4c9d43c847e7178a Mon Sep 17 00:00:00 2001
From: Tiago Peczenyj
Date: Fri, 29 May 2026 08:02:23 +0200
Subject: [PATCH] ci: configure Cosign release signing in GoReleaser

Configure keyless cryptographic release signing for all built release archives:
- .goreleaser.yaml: Add 'signs' block using cosign to sign the checksums file and generate a '.sigstore.json' Sigstore bundle
- release.yml: Add 'Install Cosign' workflow step (sigstore/cosign-installer) so the binary is available during release builds
---
 .github/workflows/release.yml | 2 ++
 .goreleaser.yaml | 11 +++++++++++
 2 files changed, 13 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eedf2ec..b3648ce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,6 +25,8 @@ jobs:
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: stable
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@59acb623e2b6991341b1d1e8a7001d2d622ca219 # v3.5.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index d5b1f58..de79af9 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -53,3 +53,14 @@ release:
 name: structalign
 draft: false
 prerelease: auto
+
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sigstore.json"
+ args:
+ - "sign-blob"
+ - "--bundle=${signature}"
+ - "${artifact}"
+ - "--yes"
+ artifacts: checksum
+
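Review bot: Keyless signing needs an OIDC token from the runner, and nothing in the `.github/workflows/release.yml` hunk grants the release job `id-token: write`. The diffstat shows only the two `Install Cosign` lines added to this file, so unless the job's `permissions:` block (outside the hunk, not visible here) already lists it, cosign will have no ambient identity to exchange for a signing certificate and the non-interactive `--yes` run is expected to fail. Add `id-token: write` next to the permission GoReleaser already needs for publishing. It is also worth confirming that the pinned installer commit resolves to the `v3.5.0` tag named in the trailing comment, since a pin is only as trustworthy as that mapping.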
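Review bot: In `.goreleaser.yaml`, the `.sigstore.json` suffix in `signature:` promises a Sigstore-format bundle, but what `--bundle=${signature}` actually writes depends on the cosign version on the runner, which this patch never pins. As far as I know, older cosign 2.x releases write the legacy bundle layout by default and later 2.x ones need `--new-bundle-format` to emit the Sigstore one, so a consumer following the file name may fail to verify. Consider setting `cosign-release` on the installer step to a version whose default matches, or passing the format flag explicitly. A comment above `signs:` would also help downstream verifiers, e.g. `# Keyless signature over the checksums file only: verify the bundle against the expected certificate identity and OIDC issuer, then check archives against the checksums.`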