feat: keyless realeases with goreleaser and cosign

This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance

.github/workflows/goreleaser.yaml

@@ -33,7 +33,16 @@ jobs:
       run: |
         GO111MODULE=off go get github.com/mattn/goveralls
         $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+    - name: Vet
+      run: go vet ./...
+    - name: Install staticcheck
+      run: "go install honnef.co/go/tools/cmd/[email protected]"
+    - name: Run staticcheck
+      run: staticcheck ./...
   release-server:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -46,25 +55,24 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name: write cosign.key to environment
-        run: 'echo "$COSIGN_KEY" > .github/cosign.key'
-        shell: bash
-        env:
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
       - name: install cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.2.1'
+          cosign-release: 'v1.4.1'
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
-          version: 'v0.180.2'
+          version: 'v1.2.2'
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1
   release-cli:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -85,13 +93,13 @@ jobs:
       - name: install cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.2.1'
+          cosign-release: 'v1.4.1'
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
-          version: 'v0.180.2'
+          version: 'v1.1.0'
           args: release --config ./.goreleaser_client.yaml --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1

.goreleaser.yaml

@@ -15,9 +15,17 @@ builds:
     goarch:
       - amd64
     main: ./cmd/tuf/
+gomod:
+  proxy: true
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+source:
+  enabled: true
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    stdin: '{{ .Env.COSIGN_PWD }}'
-    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
     artifacts: all

.goreleaser_client.yaml

@@ -18,6 +18,6 @@ builds:
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    stdin: '{{ .Env.COSIGN_PWD }}'
-    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
     artifacts: all