feat: sign artifacts with cosign

Author: jsiebens

.github/workflows/ci.yaml

@@ -3,6 +3,9 @@ name: ci
 on:
   pull_request:
 
+permissions:
+  id-token: write
+
 jobs:
   ci:
     runs-on: ubuntu-latest
@@ -22,6 +25,8 @@ jobs:
       - name: Tests
         run: |
           go test ./...
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2.0.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:

.github/workflows/release.yaml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   packages: write
+  id-token: write
 
 jobs:
   release:
@@ -31,6 +32,8 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: ^1.17
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2.0.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:

.goreleaser.yaml

@@ -32,6 +32,7 @@ dockers:
     use: buildx
     build_flag_templates:
       - --platform=linux/arm64
+
 docker_manifests:
   - name_template: ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}
     image_templates:
@@ -42,6 +43,28 @@ docker_manifests:
       - ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-amd64
       - ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-arm64
 
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+
+docker_signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    artifacts: all
+    output: true
+    args:
+      - sign
+      - '${artifact}'
+
 archives:
   - format_overrides:
       - goos: windows