feat: add asses signing

dareste · dareste · commit 1b4bd1a72ab5 · 2024-09-26T12:36:03.000+02:00
diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml
@@ -18,41 +18,51 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Set Release Version
-      run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
-
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: '1.22.4'
-
-    - name: Build
-      run: |
-        BUILD=$(git log --format='%H' -n 1)
-        VERSION=$RELEASE_VERSION
-        OSES="linux darwin windows"
-        ARCHS="amd64 arm64"
-        IFS=" "
-
-        for OS in $OSES; do
-        for ARCH in $ARCHS; do
-        echo "OS: ${OS} and ARCH: ${ARCH}"
-        CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
-                                                   -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
-                                                   -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
-        cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
-        tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
-        done; done
-
-    - name: Upload release binaries
-      uses: alexellis/upload-assets@0.4.0
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-      with:
-        asset_paths: '["./release/*.gz"]'
-
-    - name: Update new version in krew-index
-      uses: rajatjindal/krew-release-bot@v0.0.46
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set Release Version
+        run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.4'
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.6.0
+        with:
+          cosign-release: 'v2.4.0'
+
+      - name: Check cosign version
+        run: cosign version
+
+      - name: Build
+        run: |
+          set -e
+          BUILD=$(git log --format='%H' -n 1)
+          VERSION=$RELEASE_VERSION
+          OSES="linux darwin windows"
+          ARCHS="amd64 arm64"
+          IFS=" "
+          
+          for OS in $OSES; do
+          for ARCH in $ARCHS; do
+          echo "OS: ${OS} and ARCH: ${ARCH}"
+          CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
+                                                     -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
+                                                     -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
+          cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
+          tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
+          sha256sum "release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz" >> "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt"
+          done; done
+          cosign sign-blob "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt" \
+                --output-signature="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.sig" \
+                --output-certificate="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.pem" -y
+
+      - name: Upload release binaries
+        uses: alexellis/upload-assets@0.4.1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]'
