feat: add sbom and keyless signing (#69)

Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
dirien · Dec 24, 2021 · 77a962b · 77a962b
1 parent c54d6af
commit 77a962b
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 40 deletions.
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -1,15 +1,31 @@
 {
   "extends": [
     "config:base",
-    ":semanticCommitTypeAll(chore)"
+    ":semanticCommits",
+    ":semanticCommitTypeAll(chore)",
+    ":gitSignOff"
   ],
   "postUpdateOptions": [
-    "gomodTidy"
+    "gomodTidy",
+    "gomodUpdateImportPaths"
   ],
-  "commitBody": "Signed-off-by: {{{gitAuthor}}}",
   "dependencyDashboard": false,
   "labels": [
     "dependencies"
   ],
-  "semanticCommits": "enabled"
-}
+  "packageRules": [
+    {
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ]
+    }
+  ],
+  "assigneesFromCodeOwners": true,
+  "assignAutomerge": true,
+  "automerge": true,
+  "automergeStrategy": "squash",
+  "automergeType": "pr"
+}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -8,6 +8,11 @@ on:
       - '*'
   pull_request:
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -29,7 +34,6 @@ jobs:
     if: success() && startsWith(github.ref, 'refs/tags/')
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
-      COSIGN_KEY_LOCATION: "/tmp/cosign.key"
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -47,19 +51,12 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.2.0'
-      - name: install cosign private key
-        run: 'echo "$COSIGN_KEY" > $COSIGN_KEY_LOCATION'
-        shell: bash
-        env:
-          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - uses: sigstore/cosign-installer@v1.4.1
+      - uses: anchore/sbom-action/download-syft@v0.6.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml → .goreleaser.yaml b/.goreleaser.yml → .goreleaser.yaml
@@ -44,20 +44,39 @@ dockers:
       - --label=org.opencontainers.image.title={{ .ProjectName }}
       - --label=org.opencontainers.image.source=https://github.com/dirien/{{ .ProjectName }}
 
+source:
+  enabled: true
+
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+
+checksum:
+  name_template: 'checksums.txt'
+
 signs:
   - cmd: cosign
-    stdin: '{{ .Env.COSIGN_PASSWORD }}'
-    args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
     artifacts: checksum
+    output: true
 
 docker_signs:
-  - artifacts: all
-    args: [ "sign", "-key=cosign.key", "${artifact}" ]
-    stdin: '{{ .Env.COSIGN_PASSWORD }}'
-
-release:
-  extra_files:
-    - glob: ./cosign.pub
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    artifacts: manifests
+    output: true
+    args:
+      - 'sign'
+      - '${artifact}'
 
 changelog:
   sort: asc

diff --git a/cosign.key b/cosign.key
diff --git a/cosign.pub b/cosign.pub