Updating release to sign checksums

2026-06-30 09:11:40 +00:00 · 2026-04-12 19:38:49 +10:00 · 2026-04-12 19:38:49 +10:00 · c8f6c1a042
commit c8f6c1a042
parent 0e803833fb
2 changed files with 16 additions and 0 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -8,6 +8,9 @@ on:
 jobs:
  publishGitRelease:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@ -37,12 +40,20 @@ jobs:
            --output=yq.1
            man.md

+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
      - name: Cross compile
        run: |
          sudo apt-get install rhash -y
          go install github.com/goreleaser/goreleaser/v2@latest
          ./scripts/xcompile.sh

+      - name: Sign checksums
+        run: |
+          cosign sign-blob --yes --output-bundle build/checksums.bundle build/checksums
+          cosign sign-blob --yes --output-bundle build/checksums-bsd.bundle build/checksums-bsd
+
      - name: Release
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
        with:
--- a/release_instructions.txt
+++ b/release_instructions.txt
@ -13,6 +13,11 @@
  then update the FROM line in github-action/Dockerfile with the new digest:
    FROM mikefarah/yq:4@sha256:<new-digest>

+// release artifacts are signed with cosign keyless signing (Sigstore)
+// users can verify with:
+//   cosign verify-blob --bundle checksums.bundle checksums
+// install cosign: brew install cosign  OR  go install github.com/sigstore/cosign/v2/cmd/cosign@latest
+

 - snapcraft
  - update snapcraft version