feat: Add Cosign integration for signing checksums in release process

Signed-off-by: Eden Reich <[email protected]>

Author: edenreich

.github/workflows/release.yml

@@ -49,6 +49,9 @@ jobs:
       - name: Install Flox
         uses: flox/install-flox-action@main
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - name: Check for existing releases
         id: check_releases
         env:

.releaserc.json

@@ -98,6 +98,16 @@
             "path": "dist/checksums.txt",
             "label": "SHA256 checksums",
             "name": "checksums.txt"
+          },
+          {
+            "path": "dist/checksums.txt.sig",
+            "label": "Cosign signature for checksums",
+            "name": "checksums.txt.sig"
+          },
+          {
+            "path": "dist/checksums.txt.pem",
+            "label": "Cosign certificate for checksums",
+            "name": "checksums.txt.pem"
           }
         ],
         "addReleases": "bottom"

Taskfile.yml

@@ -123,6 +123,7 @@ tasks:
       - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/inference-gateway/cli/cmd.version={{.VERSION}} -X github.com/inference-gateway/cli/cmd.commit={{.COMMIT}} -X github.com/inference-gateway/cli/cmd.date={{.DATE}}" -o dist/{{.BINARY_NAME}}-linux-amd64 {{.MAIN_PACKAGE}}
       - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "-X github.com/inference-gateway/cli/cmd.version={{.VERSION}} -X github.com/inference-gateway/cli/cmd.commit={{.COMMIT}} -X github.com/inference-gateway/cli/cmd.date={{.DATE}}" -o dist/{{.BINARY_NAME}}-linux-arm64 {{.MAIN_PACKAGE}}
       - cd dist && sha256sum {{.BINARY_NAME}}-* > checksums.txt
+      - cd dist && cosign sign-blob --yes --output-signature checksums.txt.sig --output-certificate checksums.txt.pem checksums.txt
 
   clean:release:
     desc: Clean release artifacts