build(): Sign releaser artifacts, not only container manifests (#2789)

aquasecurity · Sep 7, 2022 · 1cf6800 · 1cf6800
1 parent f47b792
commit 1cf6800
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/.github/workflows/test_linux.yaml b/.github/workflows/test_linux.yaml
@@ -113,7 +113,8 @@ jobs:
         uses: goreleaser/goreleaser-action@v3
         with:
           version: v1.4.1
-          args: release --snapshot --rm-dist --skip-publish --timeout 90m
+          args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
+
 
   build-documents:
     name: Documentation Test

diff --git a/goreleaser.yml b/goreleaser.yml
@@ -235,6 +235,21 @@ docker_manifests:
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le'
 
+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args:
+    - "sign-blob"
+    - "--oidc-issuer=https://token.actions.githubusercontent.com"
+    - "--output-certificate=${certificate}"
+    - "--output-signature=${signature}"
+    - "${artifact}"
+  artifacts: all
+  output: true
+
 docker_signs:
 - cmd: cosign
   env: