Fix cosign + add keyless signatures

philips-labs · Dec 11, 2023 · 52ed3f7 · 52ed3f7
1 parent eb2a740
commit 52ed3f7
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -60,6 +60,12 @@ jobs:
   release:
     name: release
     needs: [build]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     outputs:
       container_digest: ${{ steps.container_info.outputs.container_digest }}
       container_tags: ${{ steps.container_info.outputs.container_tags }}

diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml
@@ -80,6 +80,7 @@ signs:
     artifacts: checksum
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -92,6 +93,7 @@ signs:
     artifacts: binary
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -104,6 +106,7 @@ signs:
     artifacts: archive
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -116,6 +119,7 @@ signs:
     artifacts: sbom
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -128,9 +132,17 @@ docker_signs:
     output: true
     args:
       - 'sign'
+      - --yes
       - --key
       - cosign.key
       - '${artifact}'
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - sign
+      - --yes
+      - '${artifact}'
 
 snapshot:
   name_template: "{{ .Version }}-next"

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -80,6 +80,7 @@ signs:
     artifacts: checksum
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -92,6 +93,7 @@ signs:
     artifacts: binary
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -104,6 +106,7 @@ signs:
     artifacts: archive
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -116,6 +119,7 @@ signs:
     artifacts: sbom
     args:
       - sign-blob
+      - --yes
       - --key
       - cosign.key
       - '--output-certificate=${certificate}'
@@ -127,10 +131,18 @@ docker_signs:
     artifacts: all
     output: true
     args:
-      - 'sign'
+      - sign
+      - --yes
       - --key
       - cosign.key
       - '${artifact}'
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - sign
+      - --yes
+      - '${artifact}'
 
 snapshot:
   name_template: "{{ .Version }}-next"