release: prefer actions/attest-build-provenance to cosign (#335)

thepwagner · web-flow · commit c6d29f8c56d9 · 2025-03-10T13:36:50.000-04:00
* release: prefer actions/attest-build-provenance to cosign * attestations: write xref https://github.com/Shopify/ejson/blob/main/.github/workflows/release.yml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -13,6 +13,7 @@ jobs:
       contents: write
       packages: write
       id-token: write
+      attestations: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
@@ -25,8 +26,6 @@ jobs:
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # tag=v5.3.0
         with:
           go-version: "${{ steps.gover.outputs.goversion }}"
-      - name: Set up Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # tag=v3.8.1
       - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # tag=v3.3.0
         with:
           registry: ghcr.io
@@ -40,3 +39,13 @@ jobs:
           args: release --clean --parallelism=1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Set up for signing"
+        run: |
+          mkdir -p to_sign
+          mv dist/*.tar.gz to_sign/
+          mv dist/*.deb to_sign/
+          mv dist/*.apk to_sign/
+      - name: "Sign artifacts"
+        uses: actions/attest-build-provenance@bd77c077858b8d561b7a36cbe48ef4cc642ca39d # v2.2.2
+        with:
+          subject-path: "to_sign/*"
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -9,9 +9,6 @@ builds:
     goarch:
       - amd64
       - arm64
-    hooks:
-      post:
-        - cmd: "cosign sign-blob --yes --output-certificate dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}-keyless.pem --output-signature dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}-keyless.sig {{ .Path }}"
 
 release:
   extra_files:
@@ -63,15 +60,6 @@ docker_manifests:
       - ghcr.io/shopify/{{ .ProjectName }}:{{ .Version }}-amd64
       - ghcr.io/shopify/{{ .ProjectName }}:{{ .Version }}-arm64
 
-docker_signs:
-  - cmd: cosign
-    artifacts: manifests
-    output: true
-    args:
-      - "sign"
-      - "--yes"
-      - "${artifact}"
-
 nfpms:
   - id: goreleaser
     maintainer: "Shopify <admins@shopify.com>"
