From d6b3c7d2623d9a809abda367fb93dc48b0ba7d7c Mon Sep 17 00:00:00 2001
From: Mohammed Al Sahaf <msaa1990@gmail.com>
Date: Sat, 3 Sep 2022 03:37:10 +0300
Subject: ci: generate SBOM and sign artifacts using cosign (#4910)

* ci: sign artifacts using cosign

* include SBOM
---
 .goreleaser.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to '.goreleaser.yml')

diff --git a/.goreleaser.yml b/.goreleaser.yml
index f0e2615..d4f786d 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -62,9 +62,18 @@ builds:
       goarm: "5"
   flags:
   - -trimpath
+  - -mod=readonly
   ldflags:
   - -s -w
-
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
+    artifacts: all
+sboms:
+  - artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--file", "$sbom", "--output", "cyclonedx-json"]
 archives:
   - format_overrides:
       - goos: windows
-- 
cgit v1.2.3