mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-27 14:13:48 +03:00
ci: add id-token
permission and update the signing command (#5016)
This commit is contained in:
parent
5dfa08174a
commit
0499d9c1c4
2 changed files with 7 additions and 1 deletions
6
.github/workflows/release.yml
vendored
6
.github/workflows/release.yml
vendored
|
@ -20,6 +20,12 @@ jobs:
|
||||||
GO_SEMVER: '~1.19.0'
|
GO_SEMVER: '~1.19.0'
|
||||||
|
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
|
# https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
|
||||||
|
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
|
||||||
|
contents: read
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Install Go
|
- name: Install Go
|
||||||
|
|
|
@ -68,7 +68,7 @@ builds:
|
||||||
signs:
|
signs:
|
||||||
- cmd: cosign
|
- cmd: cosign
|
||||||
signature: "${artifact}.sig"
|
signature: "${artifact}.sig"
|
||||||
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
|
args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${signature}.pem", "${artifact}"]
|
||||||
artifacts: all
|
artifacts: all
|
||||||
sboms:
|
sboms:
|
||||||
- artifacts: binary
|
- artifacts: binary
|
||||||
|
|
Loading…
Reference in a new issue