Improve workflow security by not writing the private key to a file

.github/workflows/ci.yaml

@@ -112,10 +112,6 @@ jobs:
           fi
           rm -f /tmp/spiffe-vault-release-vars.env
 
-      - name: Install signing key
-        run: |
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-
       - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # ratchet:goreleaser/goreleaser-action@v4
         with:
@@ -125,6 +121,7 @@ jobs:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
           GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Get container info
@@ -142,10 +139,6 @@ jobs:
           docker logout
           docker logout ghcr.io
 
-      - name: Cleanup signing keys
-        if: ${{ always() }}
-        run: rm -f cosign.key
-
   sbom:
     name: sbom
     needs: [release]
@@ -174,14 +167,14 @@ jobs:
       - name: Attach SBOM
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         run: |
           echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
           IFS=,
           for t in ${TAGS}; do
             cosign verify --key cosign.pub ${{ matrix.repo }}:${t}
             syft ${{ matrix.repo }}:${t} -o spdx-json > sbom-spdx.json
-            cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${{ matrix.repo }}:${t}
+            cosign attest --predicate sbom-spdx.json --type spdx --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}:${t}
             cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t}
           done
 
@@ -190,7 +183,6 @@ jobs:
         run: |
           docker logout
           docker logout ghcr.io
-          rm -f cosign.key
 
   provenance:
     name: provenance
@@ -215,8 +207,7 @@ jobs:
 
       - name: Sign provenance
         run: |
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-          cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY --output-signature "${SIGNATURE}" provenance.att
           cat "${SIGNATURE}"
 
           curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
@@ -230,6 +221,7 @@ jobs:
             "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           SIGNATURE: provenance.att.sig
 
@@ -270,10 +262,10 @@ jobs:
 
       - name: Attach provenance to image
         run: |
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 
       - name: Verify attestation
         run: |
@@ -285,4 +277,3 @@ jobs:
         run: |
           docker logout
           docker logout ghcr.io
-          rm -f cosign.key

.goreleaser.draft.yml

@@ -82,7 +82,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -95,7 +95,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -108,7 +108,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -121,7 +121,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -134,7 +134,7 @@ docker_signs:
       - 'sign'
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '${artifact}'
   - cmd: cosign
     artifacts: all

.goreleaser.yml

@@ -82,7 +82,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -95,7 +95,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -108,7 +108,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -121,7 +121,7 @@ signs:
       - sign-blob
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -134,7 +134,7 @@ docker_signs:
       - sign
       - --yes
       - --key
-      - cosign.key
+      - env://COSIGN_PRIVATE_KEY
       - '${artifact}'
   - cmd: cosign
     artifacts: all