From c005897e6829fb8587d129083f1d2d6b27aa8c5d Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Mon, 13 Jan 2025 23:55:06 +0100
Subject: [PATCH] ci(release): keyless sign of release artifacts with Cosign

---
 .github/workflows/release.yaml | 5 +++++
 .goreleaser.yml | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 070bf8ce53..578b732d7e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -77,6 +77,9 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      id-token: write # for Cosign to be able to sign release artifacts with GHA token
     needs:
       - publish_npm_package
       - build-and-push-image
@@ -118,6 +121,8 @@ jobs:
           cat > ${{ runner.temp }}/changelog.md <<'END_OF_CHANGELOG'
           ${{ github.event.pull_request.body }}
           END_OF_CHANGELOG
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 9ee212e1c0..77e40778de 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -68,3 +68,9 @@ builds:
         - darwin
       goarch:
         - arm64
+signs:
+  - id: cosign-keyless
+    cmd: cosign
+    certificate: "${artifact}.crt"
+    args: ["sign-blob", "--output-signature", "${signature}", "--output-certificate", "${certificate}", "${artifact}", "--yes"]
+    artifacts: all
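Review bot: The new job-level `permissions` block grants only `contents: read`, yet GoReleaser creates the GitHub release and uploads the assets with whatever token it is handed; if that is `GITHUB_TOKEN` the upload will be rejected and `contents: write` is required (the GoReleaser step's `with:`/`env:` sit outside this hunk, so this cannot be confirmed from here). If a separate PAT secret is used for publishing, `contents: read` is correct for checkout and the explicit block is a good least-privilege choice since it also drops every default scope the job does not need. The trailing comment on `id-token: write` would be more precise as `# for Cosign keyless signing (OIDC token exchanged for a Fulcio certificate)`, since the token is what ties the signature to this workflow's identity.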
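Review bot: The added `Install cosign` step is pinned to a commit SHA with a version comment, which is the right supply-chain hygiene, but it relies on the action's default for which cosign release gets installed, so the signing tool can change without a diff in this file. Setting the action's `cosign-release` input (`with:` / `cosign-release: '<pinned cosign version>'`) makes the toolchain explicit and reviewable alongside the installer bump. The enclosing `steps:` list and the GoReleaser step's inputs continue outside the hunk.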
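Review bot: The new `signs` entry emits a `.sig` and `.crt` per artifact but the change adds no verification guidance, and with keyless signing a verifier must pin the expected identity and issuer or any Fulcio-issued certificate would be accepted. Suggest documenting next to the release (README or release notes) a command along the lines of `cosign verify-blob --certificate <artifact>.crt --signature <artifact>.sig --certificate-identity-regexp '<this repository's release workflow URL>' --certificate-oidc-issuer https://token.actions.githubusercontent.com <artifact>`, since the certificate identity is the workflow ref and a regexp avoids breaking on tag names. `artifacts: all` signs every archive, checksum and package individually; signing `checksum` alone already covers all archives through the checksums file and produces far fewer files, so either is valid but should be a deliberate choice. Note that `--yes` acknowledges the upload of each signing event, including the workflow identity, to the public Rekor transparency log, which is appropriate for a public release but worth stating in the commit message.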