diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f8aa79..71a7c46 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,6 +56,7 @@ jobs:
permissions:
contents: write
+ id-token: write
packages: write
pull-requests: write
@@ -84,6 +85,12 @@ jobs:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Install Syft
+ uses: anchore/sbom-action/download-syft@v0
+
# https://github.com/goreleaser/goreleaser/issues/1715#issuecomment-667002748 - name: Install Snapcraft
run: |
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index b2a34bb..fae84e1 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,9 +1,12 @@
version: 2
+project_name: openapi-oathkeeper
+
before:
hooks: - go mod tidy - go generate ./...
+
builds: - env: - CGO_ENABLED=0
@@ -12,6 +15,15 @@ builds: - windows - darwin
+gomod:
+ proxy: true
+
+checksum:
+ name_template: "checksums.txt"
+
+source:
+ enabled: true
+
archives: - format: tar.gz
name_template: >-
@@ -26,12 +38,27 @@ archives: - goos: windows
format: zip
-checksum:
- name_template: 'checksums.txt'
-
snapshot:
name_template: "{{ incpatch .Version }}-next"
+sboms:
+ - id: syft-archive
+ artifacts: archive
+
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: "${artifact}.pem"
+ args:
+ - sign-blob
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "${artifact}"
+ - "--yes"
+ artifacts: checksum
+ output: true
+
changelog:
sort: asc
filters:
@@ -86,3 +113,14 @@ dockers: - "ghcr.io/cerberauth/openapi-oathkeeper:v{{ .Major }}.{{ .Minor }}" - "ghcr.io/cerberauth/openapi-oathkeeper:latest"
dockerfile: .docker/Dockerfile-goreleaser
+
+docker_signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ artifacts: images
+ output: true
+ args:
+ - "sign"
+ - "${artifact}"
+ - "--yes"
diff --git a/go.sum b/go.sum
index 22816b1..aa435fe 100644
--- a/go.sum
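Review bot: The new `id-token: write` grant in the `permissions` block carries no comment saying which step needs it, and it lands in a job that already holds `contents: write`, `packages: write` and `pull-requests: write`. With it, any step in the job can request an OIDC token for this workflow's identity, so the purpose should be stated next to the key, for example `# id-token: write is needed only for cosign keyless signing in the release step`. The workflow triggers and the rest of the job are outside this hunk; if the job also runs on non-release events, moving signing into a release-only job would keep the token out of ordinary CI runs.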
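Review bot: `sigstore/cosign-installer@v3` and `anchore/sbom-action/download-syft@v0` are referenced by mutable tags, and they appear to run in the job that holds the registry credentials shown just above and, after this commit, `id-token: write`. If either tag is moved to different code, that code runs with those privileges and installs the tool that produces the signatures and SBOMs. Pin both to a full commit SHA and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3`, so updates arrive as reviewable diffs.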
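Review bot: The `signs` entry produces a keyless signature over `checksums.txt` only, and nothing in the config tells a consumer which certificate identity and issuer to expect when verifying it. A keyless signature is only meaningful when checked against the expected workflow identity, so I would add a comment above `signs:` such as `# verify: cosign verify-blob --certificate-identity=<release workflow URL> --certificate-oidc-issuer=<issuer> ...` and repeat it in the release notes. Separately, `COSIGN_EXPERIMENTAL=1` is probably unnecessary with the cosign 2.x that `cosign-installer@v3` installs by default, where keyless signing no longer sits behind that flag. The same variable is set in the `docker_signs` hunk further down.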
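Review bot: `docker_signs` passes `"${artifact}"` alone, so cosign signs whatever the tag resolves to at signing time rather than the image this build pushed. Tags such as `latest` are mutable, so the signature can end up attached to a different digest than the one built. GoReleaser exposes the pushed digest to this block in recent versions, so the argument should be `- "${artifact}@${digest}"`. Worth confirming that the GoReleaser version used in CI supports the `${digest}` variable.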
+++ b/go.sum @@ -10,8 +10,6 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/getkin/kin-openapi v0.126.0 h1:c2cSgLnAsS0xYfKsgt5oBV6MYRM/giU8/RtwUY4wyfY= -github.com/getkin/kin-openapi v0.126.0/go.mod h1:7mONz8IwmSRg6RttPu6v8U/OJ+gr+J99qSFNjPGSQqw= github.com/getkin/kin-openapi v0.127.0 h1:Mghqi3Dhryf3F8vR370nN67pAERW+3a95vomb3MAREY= github.com/getkin/kin-openapi v0.127.0/go.mod h1:OZrfXzUfGrNbsKj+xmFBx6E5c6yH3At/tAKSc2UszXM= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= @@ -38,8 +36,6 @@ github.com/knadh/koanf/parsers/yaml v0.1.0 h1:ZZ8/iGfRLvKSaMEECEBPM1HQslrZADk8fP github.com/knadh/koanf/parsers/yaml v0.1.0/go.mod h1:cvbUDC7AL23pImuQP0oRw/hPuccrNBS2bps8asS0CwY= github.com/knadh/koanf/providers/confmap v0.1.0 h1:gOkxhHkemwG4LezxxN8DMOFopOPghxRVp7JbIvdvqzU= github.com/knadh/koanf/providers/confmap v0.1.0/go.mod h1:2uLhxQzJnyHKfxG927awZC7+fyHFdQkd697K4MdLnIU= -github.com/knadh/koanf/providers/file v1.0.0 h1:DtPvSQBeF+N0QLPMz0yf2bx0nFSxUcncpqQvzCxfCyk= -github.com/knadh/koanf/providers/file v1.0.0/go.mod h1:/faSBcv2mxPVjFrXck95qeoyoZ5myJ6uxN8OOVNJJCI= github.com/knadh/koanf/providers/file v1.1.0 h1:MTjA+gRrVl1zqgetEAIaXHqYje0XSosxSiMD4/7kz0o= github.com/knadh/koanf/providers/file v1.1.0/go.mod h1:/faSBcv2mxPVjFrXck95qeoyoZ5myJ6uxN8OOVNJJCI= github.com/knadh/koanf/v2 v2.1.1 h1:/R8eXqasSTsmDCsAyYj+81Wteg8AqrV9CP6gvsTsOmM=