From 0499d9c1c4177503c4a3d8d6bffd5d44e5edd430 Mon Sep 17 00:00:00 2001 From: Mohammed Al Sahaf Date: Mon, 5 Sep 2022 23:57:27 +0300 Subject: [PATCH] ci: add `id-token` permission and update the signing command (#5016) --- .github/workflows/release.yml | 6 ++++++ .goreleaser.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d67f875fb..8ab9488c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,6 +20,12 @@ jobs: GO_SEMVER: '~1.19.0' runs-on: ${{ matrix.os }} + # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233 + # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings + permissions: + id-token: write + # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents + contents: read steps: - name: Install Go diff --git a/.goreleaser.yml b/.goreleaser.yml index d4f786de7..d3de2b704 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -68,7 +68,7 @@ builds: signs: - cmd: cosign signature: "${artifact}.sig" - args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"] + args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${signature}.pem", "${artifact}"] artifacts: all sboms: - artifacts: binary