oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

re-add cosign signing checksums file (#2572)

Browse Source 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Alex Goodman 2024-01-31 13:19:41 -05:00 committed by GitHub
parent 377538e4a6
commit 6ae5b2904d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/release.yaml vendored
View File

@ -94,6 +94,8 @@ jobs:
permissions: permissions:
contents: write contents: write
packages: write packages: write
# required for goreleaser signs section with cosign
id-token: write
steps: steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
with: with:

13
.goreleaser.yaml
View File

@ -259,3 +259,16 @@ sboms:
- "$artifact" - "$artifact"
- "--output" - "--output"
- "json=$document" - "json=$document"
signs:
- cmd: .tool/cosign
signature: "${artifact}.sig"
certificate: "${artifact}.pem"
args:
- "sign-blob"
- "--oidc-issuer=https://token.actions.githubusercontent.com"
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes"
artifacts: checksum