Sign the artifacts (binaries/images) using cosign  #2462

Open
@cpanato

Your feature request related to a problem? Please describe.

Not a problem; it is a feature request.

The idea is to sign the release artifacts using cosign when doing the release.
The project is already using GoReleaser and GitHub Actions, and that makes things easier to implement 😃

This is an initial step for a more secure release and lets the consumers have the ability to verify the release artifacts.

I can help to implement this feature if the team decides to move this idea forward.

Describe the solution you'd like.

Using the current GoReleaser config and the GitHub Actions, we can sign the binaries/images using a keyless approach and push the signed artifacts all together to the GitHub release.

Describe alternatives you've considered.

n/a

Additional context.

n/a
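
One way the keyless signing described in the issue could be configured in GoReleaser, as an added example that is not part of the original issue or the project's configuration. It assumes a recent GoReleaser, cosign v2 installed on the runner, and a GitHub Actions release job that grants `id-token: write`; the file names are illustrative.

```yaml
# .goreleaser.yaml (fragment) - added illustration, not this project's config.
# Assumption: the GitHub Actions release job sets
#   permissions: { id-token: write, contents: write, packages: write }
# so cosign can request an OIDC token for keyless signing, upload to the
# release, and push signatures to the container registry.

checksum:
  name_template: "checksums.txt"   # illustrative name

# Sign the checksum file instead of every archive: each binary is pinned by
# its SHA-256 in checksums.txt, so one signature covers the whole release.
signs:
  - cmd: cosign
    artifacts: checksum
    signature: "${artifact}.sig"     # uploaded to the release with the binaries
    certificate: "${artifact}.pem"   # short-lived signing certificate
    args:
      - "sign-blob"
      - "--output-signature=${signature}"
      - "--output-certificate=${certificate}"
      - "${artifact}"
      - "--yes"                      # skip the interactive confirmation in CI

# Sign the container images GoReleaser pushes. Signing by digest binds the
# signature to the exact image content rather than to a mutable tag.
docker_signs:
  - cmd: cosign
    artifacts: images
    args:
      - "sign"
      - "${artifact}@${digest}"
      - "--yes"
```

A consumer would then check `checksums.txt` with `cosign verify-blob`, pinning the expected workflow identity and OIDC issuer, before comparing each downloaded binary's SHA-256 against that file.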

Labels: area: ci (PR that update CI), enhancement (New feature or improvement)
