
feat: sign release artifacts with cosign

Open scop opened this issue 6 months ago • 2 comments

Sample results in my fork (do not mind the changelog, scroll down to assets): https://github.com/scop/golangci-lint/releases/tag/v0.0.0

Fixes #2462

scop avatar May 11 '25 13:05 scop

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 20 '25 17:05 CLAassistant

Rebased and switched to the new bundle format.

scop avatar May 23 '25 13:05 scop

I haven't forgotten this PR, but each time I look at it, I'm stuck with the same problems/questions.

  1. Adding a new element inside the release process introduces a new risk of release failure.
  2. The goreleaser configuration inside this PR is different from the suggested one. I don't know why, and I can't find clear references for this configuration.
    • https://goreleaser.com/customization/binary_sign/?h=cosign#signing-with-cosign
    • https://github.com/goreleaser/example-supply-chain/blob/main/.github/workflows/release.yml
    • https://github.com/sigstore/cosign

ldez avatar Sep 17 '25 22:09 ldez