ci: add cosign signing

.github/workflows/build.yml

@@ -9,26 +9,30 @@ jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Shellcheck
         run: make shellcheck
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           persist-credentials: false
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
           install-only: true
+
       - name: Install help2man
         run: sudo apt-get install -y help2man
+
       - name: Run GoReleaser
         run: make snapshot

.github/workflows/docs.yml

@@ -9,7 +9,7 @@ jobs:
   update-readme:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           persist-credentials: false
       - name: Run GoReleaser

.github/workflows/metadata-gh-pages.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 

.github/workflows/metadata.yml

@@ -12,7 +12,8 @@ on:
         - "no"
   push:
     branches:
-      - "*"
+      - "main"
+      - "master"
   schedule:
     - cron: "30 * * * *"
 jobs:
@@ -22,7 +23,7 @@ jobs:
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - name: Checkout project repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -44,13 +45,14 @@ jobs:
       - name: Generate bot token
         id: bot-token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        # uses: actions/create-github-app-token@v1
         with:
           repository: ${{ vars.METADATA_REPO }}
           app_id: ${{ vars.METADATA_BOT_APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
       - name: Checkout metadata repo to protonwire-api-deploy
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ vars.METADATA_REPO }}
           path: protonwire-api-deploy

.github/workflows/release.yml

@@ -8,7 +8,7 @@ jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Shellcheck
         run: make shellcheck
   build:
@@ -18,29 +18,36 @@ jobs:
       packages: write
       id-token: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
           install-only: true
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3.1.2
+
       - name: Install help2man
         run: sudo apt-get install -y help2man
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Run GoReleaser
         run: make release
         env:

.github/workflows/security.yml

@@ -24,16 +24,19 @@ jobs:
         env:
           GH_REPO: ${{ github.repository }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Checkout latest tag
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ steps.get_latest_release.outputs.TAG_NAME }}
+
       - uses: actions/cache@v3
         with:
           path: .trivy
           key: ${{ runner.os }}-trivy-${{ github.run_id }}
           restore-keys: |
             ${{ runner.os }}-trivy-
+
       - name: Run Trivy vulnerability scanner
         id: trivy
         uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f
@@ -45,6 +48,7 @@ jobs:
           image-ref: 'ghcr.io/tprasadtp/protonwire:latest'
           format: 'sarif'
           output: 'trivy-results.sarif'
+
       - name: Upload Trivy scan results to GitHub Security tab
         if: github.ref == 'refs/heads/master' && always()
         uses: github/codeql-action/upload-sarif@v2

.goreleaser.yml

@@ -312,3 +312,12 @@ release:
   extra_files:
     - glob: dist/protonwire
     - glob: dist/protonwire.1
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    output: true
+    args:
+      - "sign"
+      - "${artifact}@${digest}"
+      - --yes