feat: cosign binaries with goreleaser (#83)

* Update release.yaml - install cosign before goreleaser

Signed-off-by: Mathieu Benoit <[email protected]>

* Update .goreleaser.yaml - cosign

Signed-off-by: Mathieu Benoit <[email protected]>

---------

Signed-off-by: Mathieu Benoit <[email protected]>

.github/workflows/release.yaml

@@ -21,6 +21,8 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -48,8 +50,6 @@ jobs:
           tags: |
             ghcr.io/score-spec/score-k8s:${{ github.ref_name }}
             ghcr.io/score-spec/score-k8s:latest
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3
       - name: Sign container image
         run: |
           cosign sign --yes ghcr.io/score-spec/score-k8s@${{ steps.build-push-container.outputs.digest }}

.goreleaser.yaml

@@ -41,3 +41,16 @@ brews:
     commit_author:
       name: rachfop
       email: [email protected]
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - '--oidc-provider=github-actions'
+      - '--output-certificate=${certificate}' 
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - --yes
+    artifacts: all
+    output: true