From e0fcf733b688980456fc9818629dc9139da37aca Mon Sep 17 00:00:00 2001
From: Engin Diri
Date: Tue, 8 Nov 2022 12:13:27 +0100
Subject: [PATCH] feat: sign pulumi binaries with cosign

---
 .github/workflows/ci-build-binaries.yml | 5 +++++
 .goreleaser.yml | 11 +++++++++++
 ...0221109--ci--sign-pulumi-binaries-with-cosign.yaml | 4 ++++
 3 files changed, 20 insertions(+)
 create mode 100644 changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml

diff --git a/.github/workflows/ci-build-binaries.yml b/.github/workflows/ci-build-binaries.yml
index 4990d1627a18..8c0b63eadc1d 100644
--- a/.github/workflows/ci-build-binaries.yml
+++ b/.github/workflows/ci-build-binaries.yml
@@ -48,6 +48,9 @@ jobs:
 env:
 PULUMI_VERSION: ${{ inputs.version }}
+ permissions:
+ id-token: write
+
 steps:
 - name: "Windows cache workaround" # https://github.com/actions/cache/issues/752#issuecomment-1222415717
@@ -80,6 +83,7 @@ jobs:
 - name: Setup versioning env vars
 run: |
 ./scripts/versions.sh | tee -a "${GITHUB_ENV}"
+ - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
 - name: Install GoReleaser
 uses: goreleaser/goreleaser-action@v3
 with:
@@ -116,4 +120,5 @@ jobs:
 retention-days: 1
 path: |
 goreleaser/*.tar.gz
+ goreleaser/*.sig
 goreleaser/*.zip
diff --git a/.goreleaser.yml b/.goreleaser.yml
index eb3031a9776d..7199c2fce7ec 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -58,6 +58,17 @@ archives:
 strip_parent: true
 name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
+signs:
+- cmd: cosign
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ artifacts: binary
+ output: true
+
 snapshot:
 name_template: "{{ .Version }}-SNAPSHOT"
diff --git a/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml
new file mode 100644
index 000000000000..8abd9f4b57f4
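Review bot: The job-level `permissions:` block inserted between `env:` and `steps:` lists only `id-token: write`, and GitHub sets every scope not listed in a job-level block to none, so any step in this job that uses the token to read the repository (checkout, for instance) may lose access unless a workflow-level block already grants it; add `contents: read` alongside `id-token: write` if that is the case. Granting `id-token: write` also makes this workflow's OIDC identity the keyless signing identity, so whatever verifies these signatures should pin the expected certificate identity and OIDC issuer to this repository and workflow rather than accept any certificate the signing service issues. The job's header and any workflow-level `permissions:` lie outside the hunk.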
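Review bot: The new `sigstore/cosign-installer` step has no `name:`, unlike every neighbouring step, so it appears in the job log only by its action path; add `- name: Install cosign` above the `uses:` line to match the surrounding style. Pinning the installer to a full commit SHA with the version in a trailing comment is the right choice for a tool that produces release signatures, though note the adjacent `goreleaser/goreleaser-action@v3`, which is what actually invokes cosign, remains on a mutable tag and so still bounds the integrity of the signing step (pre-existing, but worth aligning in a follow-up).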
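Review bot: Only `goreleaser/*.sig` is added to the uploaded paths, but the `signs:` config in this same patch writes a certificate per artifact (`${artifact}.pem`) that keyless blob verification needs next to the signature; add `goreleaser/*.pem` to the `path:` list so verifiers are not left with unusable `.sig` files. Whether `goreleaser/*.sig` matches anything at all is also worth checking: with `artifacts: binary` the signature path is derived from each binary's own path, which goreleaser typically places in a per-platform subdirectory of the dist folder rather than at its top level, so this top-level glob may be empty — inspect the uploaded artifact after a run. The upload step begins outside the hunk.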
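Review bot: The `signs:` entry relies on keyless signing but sets no `env:`, and the cosign 1.x line that the pinned installer version provides only enables keyless mode when `COSIGN_EXPERIMENTAL=1` is set — without it `sign-blob` expects a key and the release step fails; add `env:` / `  - COSIGN_EXPERIMENTAL=1` to the entry (or export it in the workflow), and keep in mind that cosign 2.x instead requires `--yes` in `args:` to skip the transparency-log confirmation prompt. Signing `artifacts: binary` leaves the `.tar.gz` and `.zip` archives that the `archives:` section above produces, and that consumers actually download, without a signature of their own; signing the checksums file instead (`artifacts: checksum`) covers every archive with one signature, provided the project emits one (no `checksum:` section is visible in this hunk). The sequence under `args:` is flush-indented while `archives:` shows indented nesting; pick one style file-wide.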
--- /dev/null
+++ b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml
@@ -0,0 +1,4 @@
+changes:
+- type: feat
+ scope: ci
+ description: sign pulumi binaries with cosign