Remove cosign signing in favor of GitHub native attestation (#148)

* Initial plan

* Remove cosign signing and improve GoReleaser configuration

- Removed cosign-installer step from release workflow
- Removed cosign signing sections (signs and docker_signs) from .goreleaser.yml
- Added include_meta: true to release configuration
- Added use: github and format to changelog configuration
- Added before hooks section for go mod tidy and go generate
- Improved comments and structure following best practices
- Added proper step names to workflow for better readability
- Kept attestation steps for checksums.txt and digests.txt using GitHub's native attestation

Co-authored-by: Belphemur <197810+Belphemur@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Belphemur <197810+Belphemur@users.noreply.github.com>
Authored by Copilot on 2025-12-10 16:39:25 -05:00, committed by GitHub
parent aefadafc7d
commit 8c52010dfe
2 changed files with 55 additions and 46 deletions


@@ -28,28 +28,32 @@ jobs:
with:
go-version-file: go.mod
cache: true
- uses: sigstore/cosign-installer@v4.0.0 # installs cosign
- uses: anchore/sbom-action/download-syft@v0.20.11 # installs syft
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0.20.11 # installs syft
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3 # login to ghcr
- name: Log in to GHCR
uses: docker/login-action@v3 # login to ghcr
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: goreleaser/goreleaser-action@v6 # run goreleaser
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6 # run goreleaser
with:
version: nightly
args: release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# After GoReleaser runs, attest all the files in ./dist/checksums.txt:
- uses: actions/attest-build-provenance@v3
- name: Attest Build Provenance for Archives
uses: actions/attest-build-provenance@v3
with:
subject-checksums: ./dist/checksums.txt
# After GoReleaser runs, attest all the images in ./dist/digests.txt:
- uses: actions/attest-build-provenance@v3
- name: Attest Build Provenance for Docker Images
uses: actions/attest-build-provenance@v3
with:
subject-checksums: ./dist/digests.txt
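Review bot: the two `actions/attest-build-provenance@v3` steps at the end of the hunk only succeed if the job grants `id-token: write` and `attestations: write` (plus `contents: read`), and since the hunk starts inside the job those permissions are not visible here; confirm the job's `permissions:` block has them, otherwise the attestation steps fail at runtime after GoReleaser has already published the release. Also note that with `subject-checksums: ./dist/digests.txt` the image attestations land in GitHub's attestation store but are not pushed to ghcr.io next to the images (that requires `push-to-registry: true` together with `subject-name` and `subject-digest`), so users who previously ran `cosign verify` against the registry will need `gh attestation verify` instead; this deserves a line in the release documentation. Finally, `version: nightly` for GoReleaser and the floating major tags on the other actions leave the release toolchain unpinned; now that this pipeline is the sole source of provenance, consider pinning GoReleaser to a released version and the actions to commit SHAs.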