From 123ba5f9d89e1523c9bd5192cc5b68da7ab575cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 9 Jun 2023 18:05:45 +0200
Subject: [PATCH] feat: sign released artifacts (#7478)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 .github/workflows/release.yaml | 4 ++++
 .goreleaser.yml | 29 ++++++++++++++++++++++++-----
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a46c7462a1..33f2dd885c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -228,6 +228,10 @@ jobs:
 - name: Setup build env
 uses: ./.github/actions/setup-build-env
 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
+ with:
+ cosign-release: 'v1.13.0'
 - name: Make Release
 env:
 VERSION: ${{ github.ref_name }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 753b9c9394..f8875f205f 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,7 +1,9 @@
-project_name: kyverno-cli
+project_name: kyverno-cli
+
 before:
 hooks:
 - go mod download
+
 builds:
 - id: kyverno-cli
 main: cmd/cli/kubectl-kyverno/main.go
@@ -23,6 +25,20 @@ builds:
 goarch: s390x
 - goos: windows
 goarch: s390x
+
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - --output-certificate=${certificate}
+ - --output-signature=${signature}
+ - ${artifact}
+ artifacts: all
+ output: true
+
 archives:
 - id: kyverno-cli-archive
 name_template: |-
@@ -41,11 +57,16 @@ archives:
 386: i386
 amd64: x86_64
 files: ["LICENSE"]
+
 checksum:
- name_template: "checksums.txt"
- algorithm: sha256
+ name_template: checksums.txt
+
+source:
+ enabled: true
+
 release:
 prerelease: auto
+
 changelog:
 sort: asc
 filters:
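Review bot: The `Install Cosign` step is only half of keyless signing: the paired `.goreleaser.yml` change runs `cosign sign-blob` with `COSIGN_EXPERIMENTAL=1`, which obtains its short-lived certificate from the job's GitHub OIDC token, and that requires the release job's `permissions` to grant `id-token: write`. The job's `permissions` block lies outside this hunk, so I cannot tell whether it is already there; if not, add `id-token: write` at job level rather than widening the workflow-wide default, otherwise the signing step fails in CI. The pin `cosign-release: 'v1.13.0'` selects the last cosign 1.x line, whose `sign-blob` flags and `verify-blob` workflow differ from cosign 2.x (which makes identity flags mandatory), so a comment such as `# cosign 1.x keyless signing; verifiers must use the matching major and pin the certificate identity` above the step would spare consumers a guess. Pinning the installer action to a commit SHA is the right call.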
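Review bot: The new `signs` block publishes a `.sig` and `.pem` per artifact but says nothing about how a downloader is expected to verify them, and with `artifacts: all` that set includes `checksums.txt`, whose signature is the one most consumers will check before trusting the per-file sums. Add a comment above `signs:` naming the command and, crucially, the identity to pin, e.g. `# keyless (Fulcio/Rekor) signatures: cosign verify-blob --certificate <f>.pem --signature <f>.sig <f>, pinning the certificate identity to this repo's release workflow and the OIDC issuer https://token.actions.githubusercontent.com`. A verifier that does not pin the identity accepts any Fulcio-issued certificate, so a signature from any other GitHub Actions workflow would also pass. The signature path is left at goreleaser's default (`${artifact}.sig`, as I understand the defaults) while `certificate:` is explicit; adding `signature: '${artifact}.sig'` next to it removes the asymmetry and makes the published file names visible in the config.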
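Review bot: Dropping `algorithm: sha256` under `checksum:` leaves the digest algorithm implicit; goreleaser's default is sha256 as far as I know, so the released `checksums.txt` should be unchanged, but the explicit line was self-documenting for anyone writing verification instructions and guards against a default change in a future goreleaser major. I would keep it: `algorithm: sha256`. The `source:` stanza is only moved here from the end of the file, so no new point on it.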
@@ -53,5 +74,3 @@ changelog:
 - '^docs:'
 - typo
 - '^test:'
-source:
- enabled: true