ci: Sign checksums and container image via Sigstore

Signed-off-by: James Alseth <[email protected]>

Author: jalseth

.github/workflows/release.yaml

@@ -82,4 +82,18 @@ jobs:
           args: release --clean
           version: "~> v1"
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup cosign
+        uses: sigstore/cosign-installer@e9a05e6d32d7ed22b5656cd874ef31af58d05bfa # 3.8.2
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: sign checksums
+        run: cosign sign-blob checksums.txt --yes
+        working-directory: dist # Folder used by GoReleaser for build artifacts
+
+      - name: sign container image
+        env:
+          CONFTEST_VERSION: ${{ steps.get-version.outputs.VERSION }}
+        run: cosign sign "$IMAGE/$CONFTEST_VERSION" --yes

.github/workflows/test_cosign.yaml

@@ -0,0 +1,59 @@
+name: test-cosign
+
+on: [pull_request]
+
+permissions: read-all
+
+env:
+  IMAGE: openpolicyagent/conftest
+  PLATFORMS: linux/amd64,linux/arm64
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: checkout source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.24.x"
+
+      - name: release
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          args: release --auto-snapshot --skip-validate --skip-publish
+          version: "~> v1"
+
+      - name: setup docker buildx
+        run: docker buildx create --name conftestbuild --use
+
+      - name: Build only Docker latest image
+        uses: docker/build-push-action@v6 
+        with:
+          context: .
+          push: false
+          build-args: |
+            VERSION=asdfg
+          tags: |
+            ${{ env.IMAGE }}:asdfg
+          platforms: ${{ env.PLATFORMS }}
+
+      - name: setup cosign
+        uses: sigstore/cosign-installer@e9a05e6d32d7ed22b5656cd874ef31af58d05bfa # 3.8.2
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: sign checksums
+        run: cosign sign-blob checksums.txt --yes --tlog-upload=false
+        working-directory: dist # Folder used by GoReleaser for build artifacts
+
+      - name: sign container image
+        env:
+          CONFTEST_VERSION: asdfg
+        run: cosign sign "$IMAGE/$CONFTEST_VERSION" --yes --upload=false  --tlog-upload=false

.goreleaser.yml

@@ -9,14 +9,14 @@ builds:
   env:
   - CGO_ENABLED=0
   goos:
-  - windows
+  # - windows
   - linux
-  - darwin
+  # - darwin
   goarch:
   - amd64
-  - arm64
-  - ppc64le
-  - s390x
+  # - arm64
+  # - ppc64le
+  # - s390x
   ldflags:
   - "-s"
   - "-w"
@@ -45,28 +45,28 @@ archives:
 checksum:
   name_template: 'checksums.txt'
 
-changelog:
-  use: github
-  groups:
-  - title: New Features
-    regexp: '^.*?feat(ure)?(\([[:word:]]+\))??!?:.+$'
-    order: 0
-  - title: Bug Fixes
-    regexp: '^.*?(bug|fix)(\([[:word:]]+\))??!?:.+$'
-    order: 1
-  - title: OPA Changes
-    regexp: '(?i)bump (opa|github.com/open-policy-agent/opa)'
-    order: 5
-  - title: Other Changes
-    order: 999
-  sort: asc
-  filters:
-    exclude:
-    - '^.*?docs(\([[:word:]]+\))??!?:.+$'
-    - '^.*?test(\([[:word:]]+\))??!?:.+$'
-    - '^.*?misc(\([[:word:]]+\))??!?:.+$'
-    - '^.*?typo(\([[:word:]]+\))??!?:.+$'
-    - '(?i) typo( |\.|\r?\n)'
+# changelog:
+#   use: github
+#   groups:
+#   - title: New Features
+#     regexp: '^.*?feat(ure)?(\([[:word:]]+\))??!?:.+$'
+#     order: 0
+#   - title: Bug Fixes
+#     regexp: '^.*?(bug|fix)(\([[:word:]]+\))??!?:.+$'
+#     order: 1
+#   - title: OPA Changes
+#     regexp: '(?i)bump (opa|github.com/open-policy-agent/opa)'
+#     order: 5
+#   - title: Other Changes
+#     order: 999
+#   sort: asc
+#   filters:
+#     exclude:
+#     - '^.*?docs(\([[:word:]]+\))??!?:.+$'
+#     - '^.*?test(\([[:word:]]+\))??!?:.+$'
+#     - '^.*?misc(\([[:word:]]+\))??!?:.+$'
+#     - '^.*?typo(\([[:word:]]+\))??!?:.+$'
+#     - '(?i) typo( |\.|\r?\n)'
 
 # Publishes the deb and rpm files to the GitHub releases page.
 nfpms: