From a7fd38c2d2775292e44135f266ef95b96db25c87 Mon Sep 17 00:00:00 2001
From: James Alseth
Date: Tue, 13 May 2025 08:25:11 -0700
Subject: [PATCH] ci: Sign checksums and container image via Sigstore
Signed-off-by: James Alseth
---
 .github/workflows/release.yaml | 19 ++++++++-
 .github/workflows/test_cosign.yaml | 62 ++++++++++++++++++++++++++++++
 .goreleaser.yml | 54 +++++++++++++-------------
 3 files changed, 107 insertions(+), 28 deletions(-)
 create mode 100644 .github/workflows/test_cosign.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2dd93b1c3..492b36e5d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,9 @@ env:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # Needed to create GitHub releases.
+ id-token: write # Used for Sigstore OIDC.
 steps:
 - name: checkout source
 uses: actions/checkout@v4
@@ -82,4 +85,18 @@ jobs:
 args: release --clean
 version: "~> v1"
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: setup cosign
+ uses: sigstore/cosign-installer@e9a05e6d32d7ed22b5656cd874ef31af58d05bfa # 3.8.2
+ with:
+ cosign-release: 'v2.5.0'
+
+ - name: sign checksums
+ run: cosign sign-blob checksums.txt --yes
+ working-directory: dist # Folder used by GoReleaser for build artifacts
+
+ - name: sign container image
+ env:
+ CONFTEST_VERSION: ${{ steps.get-version.outputs.VERSION }}
+ run: cosign sign "$IMAGE:$CONFTEST_VERSION" --yes
diff --git a/.github/workflows/test_cosign.yaml b/.github/workflows/test_cosign.yaml
new file mode 100644
index 000000000..1e1375c4f
--- /dev/null
+++ b/.github/workflows/test_cosign.yaml
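Review bot: The new job-level `permissions:` block on the `release` job sets every scope it does not list to `none`, overriding whatever the workflow-level grant was; the steps between this hunk and the signing steps are outside the hunk, so confirm none of them relies on a broader token (a registry push to GHCR, for instance, would need `packages: write`). The two inline comments are the right idea; `# Used for Sigstore OIDC.` would read more precisely as `# Used to obtain the OIDC token for Sigstore keyless signing (Fulcio).`.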
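Review bot: The signature produced by the `sign checksums` step (`cosign sign-blob checksums.txt --yes`) is only written to the job log — nothing stores or uploads it, and `release --clean` has already published the GitHub release one step earlier, so verifiers have no signature to download. Persist it with `cosign sign-blob checksums.txt --yes --bundle checksums.txt.sigstore.json` and attach the bundle to the release (for example with `gh release upload`), or move the signing into GoReleaser's `signs:` section so it is published alongside the other assets. The `sign container image` step signs a mutable tag (`"$IMAGE:$CONFTEST_VERSION"`); signing the digest instead (`"$IMAGE@<digest>"`, e.g. the `digest` output of a docker/build-push-action step if that is how the image is built outside this hunk) binds the signature to the exact bytes that were pushed. `$IMAGE` is presumably defined in the workflow-level `env:` block above the hunk; worth confirming it is, since the step fails silently into signing the wrong reference otherwise.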
@@ -0,0 +1,62 @@
+name: test-cosign
+
+on: [pull_request]
+
+permissions: read-all
+
+env:
+ IMAGE: openpolicyagent/conftest
+ PLATFORMS: linux/amd64,linux/arm64
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ steps:
+ - name: checkout source
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.24.x"
+
+ - name: release
+ uses: goreleaser/goreleaser-action@v6
+ with:
+ args: release --auto-snapshot --skip-validate --skip-publish
+ version: "~> v1"
+
+ - name: setup docker buildx
+ run: docker buildx create --name conftestbuild --use
+
+ - name: Build only Docker latest image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ build-args: |
+ VERSION=asdfg
+ tags: |
+ ${{ env.IMAGE }}:asdfg
+ platforms: ${{ env.PLATFORMS }}
+
+ - name: setup cosign
+ uses: sigstore/cosign-installer@e9a05e6d32d7ed22b5656cd874ef31af58d05bfa # 3.8.2
+ with:
+ cosign-release: 'v2.5.0'
+
+ - name: sign checksums
+ run: cosign sign-blob checksums.txt --yes --tlog-upload=false
+ working-directory: dist # Folder used by GoReleaser for build artifacts
+
+ - name: sign container image
+ env:
+ CONFTEST_VERSION: asdfg
+ run: |
+ echo "$IMAGE:$CONFTEST_VERSION"
+ cosign sign "$IMAGE:$CONFTEST_VERSION" --yes --upload=false --tlog-upload=false
+
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 73a57fb47..efc114a73 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -9,14 +9,14 @@ builds:
 env:
 - CGO_ENABLED=0
 goos:
- - windows
+ # - windows
 - linux
- - darwin
+ # - darwin
 goarch:
 - amd64
- - arm64
- - ppc64le
- - s390x
+ # - arm64
+ # - ppc64le
+ # - s390x
 ldflags:
 - "-s"
 - "-w"
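Review bot: The `on: [pull_request]` trigger makes every pull request perform a keyless signing round-trip: the job requests an OIDC token and a Fulcio certificate, which pull requests opened from forks normally cannot obtain (no `id-token` is issued to them), so the job will fail for outside contributors, while each internal PR mints a publicly logged certificate for the throwaway `asdfg` build even with `--tlog-upload=false`. Scoping the trigger to the files this workflow actually exercises (`paths: ['.github/workflows/**', '.goreleaser.yml']`) or to `workflow_dispatch`, and stating the intent in a header comment such as `# Dry run of the release signing steps: nothing is published, uploaded or written to Rekor.`, would limit that. The `sign container image` step targets `$IMAGE:asdfg`, but the build step above uses `push: false`; cosign resolves the reference through the registry, so this looks like it may fail before exercising anything — worth confirming the step signs what was just built rather than erroring on an unknown tag.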
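Review bot: Commenting out the `windows` and `darwin` targets and the `arm64`, `ppc64le` and `s390x` architectures in `builds:` — and the entire `changelog:` block in the next hunk — is unrelated to the signing change described in the commit message and would drop those release binaries and the generated release notes from the next real release, since `.goreleaser.yml` is the same file `release.yaml` runs against. It reads like a leftover from speeding up the `test-cosign` dry run; if a reduced matrix is wanted there, keep this file intact and point the test workflow at a trimmed copy instead, e.g. `args: release --auto-snapshot --skip-validate --skip-publish --config <TRIMMED_CONFIG_PLACEHOLDER>`. Either way the commented-out lines should be restored before merge.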
@@ -45,28 +45,28 @@ archives:
 checksum:
 name_template: 'checksums.txt'
-changelog:
- use: github
- groups:
- - title: New Features
- regexp: '^.*?feat(ure)?(\([[:word:]]+\))??!?:.+$'
- order: 0
- - title: Bug Fixes
- regexp: '^.*?(bug|fix)(\([[:word:]]+\))??!?:.+$'
- order: 1
- - title: OPA Changes
- regexp: '(?i)bump (opa|github.com/open-policy-agent/opa)'
- order: 5
- - title: Other Changes
- order: 999
- sort: asc
- filters:
- exclude:
- - '^.*?docs(\([[:word:]]+\))??!?:.+$'
- - '^.*?test(\([[:word:]]+\))??!?:.+$'
- - '^.*?misc(\([[:word:]]+\))??!?:.+$'
- - '^.*?typo(\([[:word:]]+\))??!?:.+$'
- - '(?i) typo( |\.|\r?\n)'
+# changelog:
+# use: github
+# groups:
+# - title: New Features
+# regexp: '^.*?feat(ure)?(\([[:word:]]+\))??!?:.+$'
+# order: 0
+# - title: Bug Fixes
+# regexp: '^.*?(bug|fix)(\([[:word:]]+\))??!?:.+$'
+# order: 1
+# - title: OPA Changes
+# regexp: '(?i)bump (opa|github.com/open-policy-agent/opa)'
+# order: 5
+# - title: Other Changes
+# order: 999
+# sort: asc
+# filters:
+# exclude:
+# - '^.*?docs(\([[:word:]]+\))??!?:.+$'
+# - '^.*?test(\([[:word:]]+\))??!?:.+$'
+# - '^.*?misc(\([[:word:]]+\))??!?:.+$'
+# - '^.*?typo(\([[:word:]]+\))??!?:.+$'
+# - '(?i) typo( |\.|\r?\n)'
 # Publishes the deb and rpm files to the GitHub releases page.
 nfpms: