ci/cd: use specific cosign id token

kmendell · kmendell · commit a5fd68a3f4c9 · 2026-04-12T23:29:09.000-05:00
diff --git a/.depot/workflows/build-next-images.yml b/.depot/workflows/build-next-images.yml
@@ -80,6 +80,12 @@ jobs:
         run: |
           echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
+      - name: Fetch Sigstore identity token
+        run: |
+          RESPONSE="$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore")"
+          TOKEN="$(jq -r '.value' <<<"$RESPONSE")"
+          echo "SIGSTORE_ID_TOKEN=$TOKEN" >> "$GITHUB_ENV"
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 #v7.0.0
         with:
diff --git a/.github/workflows/build-next-images.yml b/.github/workflows/build-next-images.yml
@@ -76,6 +76,12 @@ jobs:
         run: |
           echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
+      - name: Fetch Sigstore identity token
+        run: |
+          RESPONSE="$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore")"
+          TOKEN="$(jq -r '.value' <<<"$RESPONSE")"
+          echo "SIGSTORE_ID_TOKEN=$TOKEN" >> "$GITHUB_ENV"
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 #v7.0.0
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -71,6 +71,12 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@v4.1.1
 
+      - name: Fetch Sigstore identity token
+        run: |
+          RESPONSE="$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore")"
+          TOKEN="$(jq -r '.value' <<<"$RESPONSE")"
+          echo "SIGSTORE_ID_TOKEN=$TOKEN" >> "$GITHUB_ENV"
+
       - name: Manager image metadata
         id: manager-meta
         uses: docker/metadata-action@v6
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -163,6 +163,8 @@ binary_signs:
       - "--bundle=${signature}"
       - "${artifact}"
       - "--yes"
+    env:
+      - SIGSTORE_ID_TOKEN={{ .Env.SIGSTORE_ID_TOKEN }}
     output: true
 
 signs:
@@ -175,6 +177,8 @@ signs:
       - "--bundle=${signature}"
       - "${artifact}"
       - "--yes"
+    env:
+      - SIGSTORE_ID_TOKEN={{ .Env.SIGSTORE_ID_TOKEN }}
     output: true
 
 nfpms:
@@ -346,6 +350,8 @@ docker_signs:
       - sign
       - "${artifact}@${digest}"
       - "--yes"
+    env:
+      - SIGSTORE_ID_TOKEN={{ .Env.SIGSTORE_ID_TOKEN }}
     output: true
 
 blobs:
