From 003d7132265e98c0c7bfcf5c36f753076dd22246 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Tue, 7 May 2024 14:01:43 +0200
Subject: [PATCH] feat: add sbom and signing to release artifacts
---
 .github/workflows/release.yaml | 4 ++++
 .goreleaser.yaml | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 87b2926..70ab9e3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -97,6 +97,10 @@ jobs:
 run: |
 mkdir -p output
 kustomize build ./config/default > ./output/install.yaml
+ - name: Setup Syft
+ uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+ - name: Setup Cosign
+ uses: sigstore/cosign-installer@v3.5.0
 - name: Run goreleaser
 uses: goreleaser/goreleaser-action@v5
 with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index f174d31..524d0e6 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -22,6 +22,24 @@ archives:
 release:
 extra_files:
 - glob: output/install.yaml
+sboms:
+ - id: source
+ artifacts: source
+ documents:
+ - "{{ .ProjectName }}-{{ .Version }}-sbom.spdx.json"
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - '--yes'
+ artifacts: checksum
+ output: true
 checksum:
 name_template: 'checksums.txt'
 extra_files:
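Review bot: The Cosign installer on the new `uses: sigstore/cosign-installer@v3.5.0` line is pinned to a mutable tag, while the Syft step added two lines above is pinned to a full commit SHA with a version comment; a tag can be re-pointed, so the tool that produces the release signatures gets a weaker supply-chain guarantee than the tool that produces the SBOM. Pin it the same way, `uses: sigstore/cosign-installer@<commit-sha-of-v3.5.0> # v3.5.0`, with the placeholder filled from the release tag. Keyless `cosign sign-blob` (as configured in the accompanying .goreleaser.yaml change) also needs the job to grant `id-token: write` to obtain an OIDC token; the job's `permissions` block is outside this hunk, so confirm it is present. The enclosing job begins before this hunk.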
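Review bot: The `signs` entry restricts signing to `artifacts: checksum`, so the SBOM document and output/install.yaml are covered only transitively, through their digests in checksums.txt, and nothing in the hunk records how a consumer is meant to verify a release. Add a comment above `signs:` such as `# Keyless signing of checksums.txt only; verify with cosign verify-blob using the emitted .pem and .sig, then compare artifact digests against checksums.txt`, and confirm that install.yaml and the SBOM are actually listed in that file — the `checksum.extra_files` list continues past the end of the hunk. `COSIGN_EXPERIMENTAL=1` looks like a leftover from cosign 1.x; keyless mode is the default in the 2.x series that cosign-installer v3.5.0 installs, so the env entry can probably be dropped once that is confirmed against the installed version. A short inline comment on `- '--yes'` noting that it skips the interactive consent prompt required for an unattended CI run would save the next reader a lookup.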