feat: sign release with keyless

.github/workflows/release.yml

@@ -21,17 +21,19 @@ jobs:
       uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
-    - name: Import GPG key
-      id: import_gpg
-      uses: crazy-max/ghaction-import-gpg@v6
-      with:
-        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-        passphrase: ${{ secrets.PASSPHRASE }}
+    # - name: Import GPG key
+    #   id: import_gpg
+    #   uses: crazy-max/ghaction-import-gpg@v6
+    #   with:
+    #     gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+    #     passphrase: ${{ secrets.PASSPHRASE }}
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v5
       with:
         version: latest
         args: release --rm-dist
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+      #   GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}

.goreleaser.yml

@@ -32,5 +32,18 @@ release:
     name: tflint-ruleset-ke
 
 signs:
-  - artifacts: checksum
-    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
+  - cmd: cosign
+    signature: '${artifact}.keyless.sig'
+    certificate: '${artifact}.pem'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - --yes
+
+# signs:
+#   - artifacts: checksum
+#     args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]

README.md

@@ -16,7 +16,7 @@ You can install the plugin with `tflint --init`. Declare a config in `.tflint.hc
 plugin "ke" {
   enabled = true
 
-  version = "0.4.0"
+  version = "0.4.1"
   source  = "github.com/KazanExpress/tflint-ruleset-ke-ke"
 
   signing_key = <<EOF