feat: sign released artifacts (#7478)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

.github/workflows/release.yaml

@@ -228,6 +228,10 @@ jobs:
       - name: Setup build env
         uses: ./.github/actions/setup-build-env
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
+        with:
+          cosign-release: 'v1.13.0'
       - name: Make Release
         env:
           VERSION: ${{ github.ref_name }}

.goreleaser.yml

@@ -1,7 +1,9 @@
-project_name: kyverno-cli 
+project_name: kyverno-cli
+
 before:
   hooks:
     - go mod download
+
 builds:
 - id: kyverno-cli
   main: cmd/cli/kubectl-kyverno/main.go
@@ -23,6 +25,20 @@ builds:
       goarch: s390x
     - goos: windows
       goarch: s390x
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - --output-certificate=${certificate}
+      - --output-signature=${signature}
+      - ${artifact}
+    artifacts: all
+    output: true
+
 archives:
 - id: kyverno-cli-archive
   name_template: |-
@@ -41,11 +57,16 @@ archives:
     386: i386
     amd64: x86_64
   files: ["LICENSE"]
+
 checksum:
-  name_template: "checksums.txt"
-  algorithm: sha256
+  name_template: checksums.txt
+
+source:
+  enabled: true
+
 release:
   prerelease: auto
+
 changelog:
   sort: asc
   filters:
@@ -53,5 +74,3 @@ changelog:
       - '^docs:'
       - typo
       - '^test:'
-source:
-  enabled: true