feat: cosign everything in the release (#692)

Signed-off-by: Engin Diri <engin.diri@ediri.de>

Signed-off-by: Engin Diri <engin.diri@ediri.de>

Author: dirien

.github/workflows/ci.yaml

@@ -40,7 +40,6 @@ jobs:
     needs: build
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
-      UPX_VERSION: "3.96"
     runs-on: ubuntu-latest
     if: success() && startsWith(github.ref, 'refs/tags/')
     steps:
@@ -68,13 +67,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      - name: download upx
-        run: |
-          cd /tmp
-          wget https://github.com/upx/upx/releases/download/v$UPX_VERSION/upx-$UPX_VERSION-amd64_linux.tar.xz
-          tar xvf upx-$UPX_VERSION-amd64_linux.tar.xz
-          sudo mv upx-$UPX_VERSION-amd64_linux/upx /usr/local/sbin
-        shell: bash
       - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
       - uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1
       - name: Run GoReleaser

.goreleaser.yaml

@@ -41,9 +41,9 @@ signs:
     args:
       - sign-blob
       - '--output-certificate=${certificate}'
-      - '--output-signature=${signature}'
+      - '--bundle=${signature}'
       - '${artifact}'
-    artifacts: checksum
+    artifacts: all
     output: true
 
 dockers: