serv/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-26 21:53:48 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

ci: add id-token permission and update the signing command (#5016)

Browse source
This commit is contained in:
Mohammed Al Sahaf 2022-09-05 23:57:27 +03:00 committed by GitHub
parent 5dfa08174a
commit 0499d9c1c4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.github/workflows/release.yml vendored
View file

@ -20,6 +20,12 @@ jobs:
GO_SEMVER: '~1.19.0' GO_SEMVER: '~1.19.0'
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
# https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
permissions:
id-token: write
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
contents: read
steps: steps:
- name: Install Go - name: Install Go

2
.goreleaser.yml
View file

@ -68,7 +68,7 @@ builds:
signs: signs:
- cmd: cosign - cmd: cosign
signature: "${artifact}.sig" signature: "${artifact}.sig"
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"] args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${signature}.pem", "${artifact}"]
artifacts: all artifacts: all
sboms: sboms:
- artifacts: binary - artifacts: binary