summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorMohammed Al Sahaf <[email protected]>2022-09-05 23:57:27 +0300
committerGitHub <[email protected]>2022-09-05 20:57:27 +0000
commit0499d9c1c4177503c4a3d8d6bffd5d44e5edd430 (patch)
tree119bee2a5549a2736d47190d42a441b2f33e7640
parent5dfa08174ae3af34f10f0c1b5ca69b12a0ec7395 (diff)
downloadcaddy-0499d9c1c4177503c4a3d8d6bffd5d44e5edd430.tar.gz
caddy-0499d9c1c4177503c4a3d8d6bffd5d44e5edd430.zip
ci: add `id-token` permission and update the signing command (#5016)v2.6.0-beta.2
-rw-r--r--.github/workflows/release.yml6
-rw-r--r--.goreleaser.yml2
2 files changed, 7 insertions, 1 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d67f875fb..8ab9488c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,12 @@ jobs:
GO_SEMVER: '~1.19.0'
runs-on: ${{ matrix.os }}
+ # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
+ # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+ permissions:
+ id-token: write
+ # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
+ contents: read
steps:
- name: Install Go
diff --git a/.goreleaser.yml b/.goreleaser.yml
index d4f786de7..d3de2b704 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -68,7 +68,7 @@ builds:
signs:
- cmd: cosign
signature: "${artifact}.sig"
- args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${signature}.pem", "${artifact}"]
artifacts: all
sboms:
- artifacts: binary