ci: add cosign keyless signing for release artifacts
- Add sigstore/cosign keyless signing to the release workflow
- Each artifact gets a detached .sig signature and .pem certificate
- Uses GitHub Actions OIDC for keyless signing (no secret management)
- Adds id-token: write permission for OIDC token generation
- Signatures and certificates are uploaded alongside binaries
Users can verify artifacts with:
cosign verify-blob --certificate <file>.pem --signature <file>.sig \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp="github.com/zeroclaw-labs/zeroclaw" \
<file>
Closes #365
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent de3ec87d16
commit fed1997f62
1 changed file with 15 additions and 0 deletions
.github/workflows/release.yml (vendored): +15
@ -6,6 +6,7 @@ on:
permissions:
contents: write
id-token: write # Required for cosign keyless signing via OIDC
env:
CARGO_TERM_COLOR: always
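Review bot: `id-token: write` is added to the workflow-level `permissions:` block (alongside `contents: write`), so every job in this workflow can mint an OIDC token, not only the job that runs `cosign sign-blob`. Consider moving both `id-token: write` and `contents: write` into the `permissions:` of the release job itself and leaving the top-level block at `contents: read`, so build and test jobs cannot obtain a token that Fulcio would accept as this repository's identity.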
@ -84,6 +85,20 @@ jobs:
with:
path: artifacts
- name: Install cosign
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: Sign artifacts with cosign (keyless)
run: |
for file in artifacts/**/*; do
[ -f "$file" ] || continue
cosign sign-blob --yes \
--oidc-issuer=https://token.actions.githubusercontent.com \
--output-signature="${file}.sig" \
--output-certificate="${file}.pem" \
"$file"
done
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
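Review bot: the loop `for file in artifacts/**/*` relies on `**` matching recursively, but the default `run:` shell on GitHub-hosted runners is bash without `globstar`, so `**` behaves like `*` and only files exactly one directory below `artifacts/` are signed; anything nested deeper is silently skipped because `[ -f "$file" ] || continue` swallows directories without error. Either add `shopt -s globstar` before the loop or iterate with `find artifacts -type f -print0 | while IFS= read -r -d '' file; do ... done`. It would also be worth adding a `cosign verify-blob` pass over the freshly produced `.sig`/`.pem` pairs (with the same `--certificate-oidc-issuer` and an anchored `--certificate-identity-regexp`, e.g. `^https://github.com/zeroclaw-labs/zeroclaw/`) before the "Create GitHub Release" step, so a signing failure fails the release rather than shipping unsigned binaries; note that the unanchored pattern in the commit message would also accept identities such as a similarly prefixed repository name.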