Skip to content

Commit c8f6c1a

Browse files
mikefarahmikefarah
committed
Updating release to sign checksums
1 parent 0e80383 commit c8f6c1a

2 files changed

Lines changed: 16 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ on:
88
jobs:
99
publishGitRelease:
1010
runs-on: ubuntu-latest
11+
permissions:
12+
contents: write
13+
id-token: write
1114
steps:
1215
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1316
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -37,12 +40,20 @@ jobs:
3740
--output=yq.1
3841
man.md
3942
43+
- name: Install cosign
44+
uses: sigstore/cosign-installer@v3
45+
4046
- name: Cross compile
4147
run: |
4248
sudo apt-get install rhash -y
4349
go install github.com/goreleaser/goreleaser/v2@latest
4450
./scripts/xcompile.sh
4551
52+
- name: Sign checksums
53+
run: |
54+
cosign sign-blob --yes --output-bundle build/checksums.bundle build/checksums
55+
cosign sign-blob --yes --output-bundle build/checksums-bsd.bundle build/checksums-bsd
56+
4657
- name: Release
4758
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
4859
with:

release_instructions.txt

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@
1313
then update the FROM line in github-action/Dockerfile with the new digest:
1414
FROM mikefarah/yq:4@sha256:<new-digest>
1515

16+
// release artifacts are signed with cosign keyless signing (Sigstore)
17+
// users can verify with:
18+
// cosign verify-blob --bundle checksums.bundle checksums
19+
// install cosign: brew install cosign OR go install github.com/sigstore/cosign/v2/cmd/cosign@latest
20+
1621

1722
- snapcraft
1823
- update snapcraft version

0 commit comments

Comments
 (0)