ci: sign SBOM with Cosign (keyless) and attach sig+cert

CoderDeltaLAN · CoderDeltaLAN · commit df06b1bf0e3f · 2025-09-22T20:25:14.000+01:00
diff --git a/.github/workflows/release-sbom.yml b/.github/workflows/release-sbom.yml
@@ -4,6 +4,7 @@ on:
     types: [published]
 
 permissions:
+  id-token: write
   contents: write
 
 jobs:
@@ -19,7 +20,18 @@ jobs:
           path: .
           format: cyclonedx-json
           output-file: sbom-cyclonedx.json
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign SBOM (keyless OIDC)
+        run: |
+          cosign sign-blob --yes \
+            --output-signature sbom-cyclonedx.json.sig \
+            --output-certificate sbom-cyclonedx.json.crt \
+            sbom-cyclonedx.json
       - name: Attach SBOM to release
         uses: softprops/action-gh-releasecbd405e2c4e67a21c47fa9e383d020e4@e28b836
         with:
-          files: sbom-cyclonedx.json
+          files: |
+            sbom-cyclonedx.json
+            sbom-cyclonedx.json.sig
+            sbom-cyclonedx.json.crt
