From cc479838c084eb8edb9a60b8229555c93d05c843 Mon Sep 17 00:00:00 2001
From: Alik Khilazhev
Date: Wed, 20 Sep 2023 11:39:40 +0200
Subject: [PATCH] feat: sign release with keyless
---
 .github/workflows/release.yml | 16 +++++++++-------
 .goreleaser.yml | 17 +++++++++++++++--
 README.md | 2 +-
 3 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3989ded..0318de8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,12 +21,14 @@ jobs:
 uses: actions/setup-go@v4
 with:
 go-version-file: 'go.mod'
- - name: Import GPG key
- id: import_gpg
- uses: crazy-max/ghaction-import-gpg@v6
- with:
- gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- passphrase: ${{ secrets.PASSPHRASE }}
+ # - name: Import GPG key
+ # id: import_gpg
+ # uses: crazy-max/ghaction-import-gpg@v6
+ # with:
+ # gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ # passphrase: ${{ secrets.PASSPHRASE }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v5
 with:
@@ -34,4 +36,4 @@ jobs:
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+ # GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6024935..d1fa3ad 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
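Review bot: Keyless cosign signing needs the job to be able to mint a GitHub OIDC token, and nothing in this hunk grants it; unless a `permissions:` block earlier in the workflow (outside this hunk) already carries `id-token: write`, the `cosign sign-blob` that GoReleaser runs will fail to obtain a Fulcio certificate. I would add to the release job `permissions:` / `  contents: write` / `  id-token: write` (contents: write is what the release upload through GITHUB_TOKEN already requires). `sigstore/cosign-installer@v3` is a floating tag for a tool that now sits in the release trust chain; pinning it to a commit SHA (`uses: sigstore/cosign-installer@<sha> # v3.x.y`) closes the tag-retarget hole, and the other actions here would benefit from the same treatment. The six commented-out GPG lines are dead config that still name `secrets.GPG_PRIVATE_KEY` and `secrets.PASSPHRASE`; delete them, and if the GPG key is really retired remove those repository secrets rather than leaving the private key resolvable from the workflow.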
@@ -32,5 +32,18 @@ release:
 name: tflint-ruleset-ke
 signs:
- - artifacts: checksum
- args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
+ - cmd: cosign
+ signature: '${artifact}.keyless.sig'
+ certificate: '${artifact}.pem'
+ output: true
+ artifacts: checksum
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - --yes
+
+# signs:
+# - artifacts: checksum
+# args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
diff --git a/README.md b/README.md
index 72d89e4..5fbe52a 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ You can install the plugin with `tflint --init`. Declare a config in `.tflint.hc
 plugin "ke" {
 enabled = true
- version = "0.4.0"
+ version = "0.4.1"
 source = "github.com/KazanExpress/tflint-ruleset-ke-ke"
 signing_key = <
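Review bot: Replacing the GPG signer means releases no longer get a detached `checksums.txt.sig`, only `checksums.txt.keyless.sig` plus `checksums.txt.pem`, while the README hunk in this same patch still ships a `signing_key` block for tflint. As far as I know `tflint --init` verifies checksums.txt against a PGP `checksums.txt.sig` using that key, so installs with verification enabled would likely fail or silently skip verification — confirm against tflint's plugin installer before merging, and either keep a GPG entry alongside the cosign one or drop `signing_key` and document the cosign path instead. Consumers of the keyless signature also need to know which identity to trust, since any Fulcio-issued certificate verifies otherwise; document something like `cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.keyless.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<owner>/<repo>/' checksums.txt` followed by a `sha256sum -c` of the archive against it, because `artifacts: checksum` signs only the checksum file. Minor: quote `--yes` like the other args (`- '--yes'`), and delete the commented-out second `signs:` block rather than leaving a duplicate key waiting to be uncommented.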