From 8cd85d95549ebe99cd000e5a27e76842481847a9 Mon Sep 17 00:00:00 2001
From: Emmanuel Gautier
Date: Sun, 15 Sep 2024 19:12:34 +0200
Subject: [PATCH] build: sign artifacts
---
 .github/workflows/publish.yml | 7 +++++
 .goreleaser.yaml | 51 ++++++++++++++++++++++++++++++++---
 2 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5837b26..1deb18e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,6 +15,7 @@ jobs: permissions: contents: write + id-token: write packages: write pull-requests: write
@@ -43,6 +44,12 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Install Syft + uses: anchore/sbom-action/download-syft@v0 + - uses: goreleaser/goreleaser-action@v6 with: distribution: goreleaser
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index cf5db72..8291ef9 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,7 @@ +version: 2 + +project_name: giteway + before: hooks: - go mod tidy
@@ -8,6 +12,17 @@ builds: - CGO_ENABLED=0 goos: - linux + - windows + - darwin + +gomod: + proxy: true + +checksum: + name_template: 'checksums.txt' + +source: + enabled: true archives: - format: tar.gz
@@ -23,15 +38,34 @@ archives: - goos: windows format: zip -checksum: - name_template: 'checksums.txt' +snapshot: + name_template: "{{ incpatch .Version }}-next" + +sboms: + - id: syft-archive + artifacts: archive + +signs: + - cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + certificate: "${artifact}.pem" + args: + - sign-blob + - "--output-certificate=${certificate}" + - "--output-signature=${signature}" + - "${artifact}" + - "--yes" + artifacts: checksum + output: true changelog: sort: asc filters: exclude: - "^docs:" - - "^test:" + - "^.vscode" + - "^.github" dockers: - image_templates: 
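Review bot: The new `id-token: write` under the job's `permissions:` carries no comment saying what needs it, so a reader will not connect it to the cosign steps added further down in the same file. Suggest `id-token: write  # lets cosign request a GitHub OIDC token for keyless signing`. Because the grant is job-wide, every step in this job, including the third-party install actions, can request that identity token, so the whole job should be read as part of the signing trust boundary. The enclosing job definition starts before this hunk.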
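Review bot: `uses: sigstore/cosign-installer@v3` and `uses: anchore/sbom-action/download-syft@v0` reference floating major tags, so whatever those tags resolve to on release day runs inside the job that now holds `id-token: write` and produces the release signatures and SBOMs. A moved or compromised tag would substitute the cosign or syft binary that signs and describes the artifacts, and a `@v0` tag additionally tracks pre-1.0 changes. Pin both to a full commit SHA with the version kept as a comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # v3.x.y` and `uses: anchore/sbom-action/download-syft@<full-commit-sha>  # v0.x.y` (placeholders, to be filled from the actions' release tags). The untouched `goreleaser/goreleaser-action@v6` context line has the same shape and would benefit from the same treatment in a follow-up.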
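Review bot: The two new changelog filters `"^.vscode"` and `"^.github"` are regexes with an unescaped `.`, so they exclude any commit subject whose text from the second character reads `vscode`/`github`, not only subjects starting with a literal `.vscode`/`.github`; `'^\.vscode'` and `'^\.github'` express the intent. `COSIGN_EXPERIMENTAL=1` in the `signs` env (and again in the `docker_signs` block of the last hunk) is the cosign 1.x opt-in for keyless mode; with cosign-installer@v3 installing cosign 2.x, keyless is the default and the variable has no effect, so it can be dropped or kept with a comment explaining it is for older cosign. `artifacts: checksum` signs only `checksums.txt`, so the archives and the new syft SBOMs are covered by that signature only insofar as their hashes are listed in that file — worth confirming for the SBOM files, and worth a comment above `signs:` stating that verification is expected to go through the signed checksum file.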
@@ -44,3 +78,14 @@ dockers: - "ghcr.io/thegalactiks/giteway:v{{ .Major }}.{{ .Minor }}" - "ghcr.io/thegalactiks/giteway:latest" dockerfile: .docker/Dockerfile-goreleaser + +docker_signs: + - cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + artifacts: images + output: true + args: + - "sign" + - "${artifact}" + - "--yes"
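Review bot: `docker_signs` passes `"${artifact}"` to `cosign sign`, which is the image reference by tag; cosign resolves the tag to a digest at signing time, so the signature attaches to whatever digest the tag resolves to at that moment, which is normally the manifest just pushed but is not guaranteed to be, and cosign 2.x prints a warning for tag references. If this GoReleaser version exposes `${digest}` for `docker_signs` (its documented default args use it), sign by digest instead: `- "${artifact}@${digest}"`. The `COSIGN_EXPERIMENTAL=1` entry here is the same stale cosign 1.x switch as in the `signs` block and can go with it.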