chore: update gorelease config to enable immutable releases

jkjell · jkjell · commit 86d2585c8afd · 2025-12-09T15:42:38.000-06:00
Signed-off-by: John Kjell &lt;john.kjell@control-plane.io&gt;
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -17,10 +17,6 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: ["main"]
-    paths:
-      - "**.go"
-      - "go.mod"
-      - ".github/workflows/codeql.yml"
   schedule:
     - cron: "0 0 * * 1"
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -124,7 +124,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10
 
       - name: Download GoReleaser
-        run: go install github.com/goreleaser/goreleaser@v1.23.0
+        run: go install github.com/goreleaser/goreleaser/v2@v2.13.1
 
       - name: Run GoReleaser
         uses: testifysec/witness-run-action@7aa15e327829f1f2a523365c564c948d5dde69dd
diff --git a/.gitignore b/.gitignore
@@ -19,3 +19,4 @@ test/log
 node_modules
 .DS_Store
 docs-website/.docusaurus
+profile.cov
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -23,12 +23,10 @@ source:
   enabled: true
 signs:
   - cmd: cosign
-    certificate: '${artifact}.pem'
-    signature: '${artifact}.sig'
+    signature: '${artifact}.sigstore.json'
     args:
       - "sign-blob"
-      - "--output-signature=${signature}"
-      - '--output-certificate=${certificate}'
+      - "--bundle=${signature}"
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: all
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/in-toto/witness
 
-go 1.25.0
+go 1.25.5
 
 require (
 	github.com/gobwas/glob v0.2.3
