update release job (#651)

* update release job

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* update changelog

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

.github/workflows/validate-release.yml

@@ -38,6 +38,10 @@ jobs:
       security-events: none
       statuses: none
 
+    env:
+      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0
+      COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.5.1@sha256:6247b2e693b0e6a62dcfa75eb46b698c1f4cd1aca36aaefafd4bbb2f2b2af717
+
     steps:
       - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
       - name: Extract version of Go to use
@@ -51,6 +55,15 @@ jobs:
         with:
           install-only: true
 
+      - name: Check Signature
+        run: |
+          docker run --rm \
+          -e COSIGN_EXPERIMENTAL=true \
+          -e TUF_ROOT=/tmp \
+          $COSIGN_IMAGE \
+          verify \
+          $CROSS_BUILDER_IMAGE
+
       - name: snaphot
         run: make snapshot
         env:

.goreleaser.yml

@@ -10,6 +10,7 @@ env:
 before:
   hooks:
     - go mod tidy
+    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
 
 gomod:
   proxy: true
@@ -70,7 +71,8 @@ builds:
      - "{{ .Env.CLIENT_LDFLAGS }}"
 
 signs:
-  - signature: "${artifact}.sig"
+  - id: rekor
+    signature: "${artifact}.sig"
     cmd: cosign
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Highlights
 
+* Add Rekor logo to README (https://github.com/sigstore/rekor/pull/650)
 * update API calls to v5 (https://github.com/sigstore/rekor/pull/591)
 * Refactor helm type to remove intermediate state. (https://github.com/sigstore/rekor/pull/575)
 * Refactor the shard map parsing so we can pass it down into the API object. (https://github.com/sigstore/rekor/pull/564)
@@ -70,6 +71,7 @@
 * Jason Hall (@imjasonh)
 * Lily Sturmann (@lkatalin)
 * Morten Linderud (@Foxboron)
+* Nathan Smith (@nsmith5)
 * Sylvestre Ledru (@sylvestre)
 * Trishank Karthik Kuppusamy (@trishankatdatadog)
 

release/cloudbuild.yaml

@@ -32,18 +32,16 @@ steps:
     echo "Checking out ${_GIT_TAG}"
     git checkout ${_GIT_TAG}
 
-- name: 'gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb'
+- name: 'gcr.io/projectsigstore/cosign:v1.5.1@sha256:6247b2e693b0e6a62dcfa75eb46b698c1f4cd1aca36aaefafd4bbb2f2b2af717'
   dir: "go/src/sigstore/rekor"
   env:
   - COSIGN_EXPERIMENTAL=true
   - TUF_ROOT=/tmp
   args:
   - 'verify'
-  - '--key'
-  - 'https://raw.githubusercontent.com/gythialy/golang-cross/main/cosign.pub'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766'
+  - 'ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0'
 
-- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766
+- name: ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0
   entrypoint: /bin/sh
   dir: "go/src/sigstore/rekor"
   env:
@@ -64,7 +62,7 @@ steps:
     - |
       make release
 
-- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766
+- name: ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0
   entrypoint: 'bash'
   dir: "go/src/sigstore/rekor"
   env: