From fed1997f6286f3c0c678dbcfd785436063e90002 Mon Sep 17 00:00:00 2001
From: fettpl <38704082+fettpl@users.noreply.github.com>
Date: Mon, 16 Feb 2026 17:55:40 +0100
Subject: [PATCH] ci: add cosign keyless signing for release artifacts
- Add sigstore/cosign keyless signing to the release workflow
- Each artifact gets a detached .sig signature and .pem certificate
- Uses GitHub Actions OIDC for keyless signing (no secret management)
- Adds id-token: write permission for OIDC token generation
- Signatures and certificates are uploaded alongside binaries
Users can verify artifacts with:
cosign verify-blob --certificate .pem --signature .sig \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp="github.com/zeroclaw-labs/zeroclaw" \
Closes #365
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/release.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa1a475..6cf2c2a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: write
+ id-token: write # Required for cosign keyless signing via OIDC
 env:
 CARGO_TERM_COLOR: always
@@ -84,6 +85,20 @@ jobs:
 with:
 path: artifacts
+ - name: Install cosign
+ uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+ - name: Sign artifacts with cosign (keyless)
+ run: |
+ for file in artifacts/**/*; do
+ [ -f "$file" ] || continue
+ cosign sign-blob --yes \
+ --oidc-issuer=https://token.actions.githubusercontent.com \
+ --output-signature="${file}.sig" \
+ --output-certificate="${file}.pem" \
+ "$file"
+ done
+
 - name: Create GitHub Release
 uses: softprops/action-gh-release@v2
 with:
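Review bot: The "Sign artifacts with cosign (keyless)" step in the second hunk never verifies what it produced, and the verification recipe in the commit description relies on an unanchored `--certificate-identity-regexp="github.com/zeroclaw-labs/zeroclaw"` that also accepts certificates issued to any other repo or fork whose path merely contains that substring (e.g. `zeroclaw-labs/zeroclaw-fork`), so a self-check step after signing that pins the exact workflow identity (`https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release.yml@${GITHUB_REF}`, which is the SAN Fulcio issues for a GitHub Actions job — assumes this is not invoked as a reusable workflow) would fail the release on a mis-issued certificate and double as the canonical verify command for users. The first hunk adds `id-token: write` to the workflow-level `permissions:` block, which grants every job in release.yml — including any build jobs that only upload artifacts — the ability to mint OIDC tokens; scope it instead in a job-level `permissions:` on the job that runs cosign and drop it from the top level. Without `shopt -s globstar`, bash treats `artifacts/**/*` as `artifacts/*/*`, which matches the one-level layout `actions/download-artifact` appears to produce here but silently skips deeper nesting via the `|| continue`, so either enable globstar or iterate with `find artifacts -type f`. The enclosing job and its `files:` list for the release step start and end outside the hunk, so whether the `.sig`/`.pem` files are actually uploaded cannot be confirmed from this diff.
```yaml
      - name: Verify signatures (self-check)
        run: |
          for file in artifacts/**/*; do
            case "$file" in *.sig|*.pem) continue ;; esac
            [ -f "$file" ] || continue
            cosign verify-blob \
              --certificate "${file}.pem" --signature "${file}.sig" \
              --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
              --certificate-identity="https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release.yml@${GITHUB_REF}" \
              "$file"
          done
      # … unchanged: Create GitHub Release step …
```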