feat: sign pulumi binaries with cosign

.github/workflows/ci-build-binaries.yml

@@ -48,6 +48,9 @@ jobs:
     env:
       PULUMI_VERSION: ${{ inputs.version }}
 
+    permissions:
+      id-token: write
+
     steps:
       - name: "Windows cache workaround"
         # https://github.com/actions/cache/issues/752#issuecomment-1222415717
@@ -80,6 +83,7 @@ jobs:
       - name: Setup versioning env vars
         run: |
           ./scripts/versions.sh | tee -a "${GITHUB_ENV}"
+      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
@@ -116,4 +120,5 @@ jobs:
           retention-days: 1
           path: |
             goreleaser/*.tar.gz
+            goreleaser/*.sig
             goreleaser/*.zip

.github/workflows/ci.yml

@@ -2,6 +2,7 @@ name: CI
 
 permissions:
   contents: read
+  id-token: write
 
 on:
   workflow_call:

.github/workflows/on-pr.yml

@@ -3,6 +3,7 @@ name: Pull Request
 permissions:
   contents: write
   pull-requests: write
+  id-token: write
 
 on:
   pull_request:
@@ -42,6 +43,7 @@ jobs:
     uses: ./.github/workflows/ci.yml
     permissions:
       contents: read
+      id-token: write
     with:
       ref: ${{ github.ref }}
       version: ${{ needs.info.outputs.version }}

.goreleaser.yml

@@ -58,6 +58,17 @@ archives:
       strip_parent: true
   name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
 
+signs:
+- cmd: cosign
+  certificate: '${artifact}.pem'
+  args:
+    - sign-blob
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
+  artifacts: binary
+  output: true
+
 snapshot:
   name_template: "{{ .Version }}-SNAPSHOT"
 

changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml

@@ -0,0 +1,4 @@
+changes:
+- type: feat
+  scope: ci
+  description: sign pulumi binaries with cosign