feat(cd): add production release pipeline with Cosign signing #1

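---
# Release pipeline: gated on the reusable CI workflow, then builds with
# GoReleaser and attaches a keyless (Sigstore) Cosign signature for the
# checksum file to the GitHub release.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"

# Least privilege: the default token for every job (including the CI gate)
# is read-only; the release job requests the extra scopes it needs below.
permissions:
  contents: read

jobs:
  # Gate: run full CI before releasing
  ci:
    name: CI Gate
    uses: ./.github/workflows/ci.yml

  release:
    name: Release
    needs: ci
    runs-on: ubuntu-latest
    permissions:
      contents: write  # goreleaser creates the release; gh uploads the signature assets
      id-token: write  # Required for Cosign keyless signing via Sigstore
    env:
      # Single source of truth for the checksum artifact name; every step below reuses it.
      CHECKSUM_FILE: "opentofu-provider-flashblade_${{ github.ref_name }}_SHA256SUMS"
    steps:
      # Supply-chain hardening: consider pinning third-party actions to a full
      # commit SHA (e.g. actions/checkout@<commit-sha>) instead of a moving tag.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # goreleaser needs full history for changelog

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Sign checksums with Cosign (keyless)
        run: |
          set -euo pipefail
          cosign sign-blob \
            --yes \
            --output-signature "dist/${CHECKSUM_FILE}.sig" \
            --output-certificate "dist/${CHECKSUM_FILE}.pem" \
            "dist/${CHECKSUM_FILE}"

      # Verify BEFORE uploading so a signature that does not check out never
      # reaches the published release. The identity regexp is anchored and the
      # dot escaped: an unanchored prefix would also accept a certificate issued
      # for any repository whose name merely starts with this one.
      - name: Verify Cosign signature
        run: |
          set -euo pipefail
          cosign verify-blob \
            --signature "dist/${CHECKSUM_FILE}.sig" \
            --certificate "dist/${CHECKSUM_FILE}.pem" \
            --certificate-identity-regexp "^https://github\.com/numberly/opentofu-provider-flashblade/" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "dist/${CHECKSUM_FILE}"

      - name: Upload Cosign signature to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          gh release upload "${TAG}" \
            "dist/${CHECKSUM_FILE}.sig" \
            "dist/${CHECKSUM_FILE}.pem"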