chore(ci): keyless signing

.github/workflows/build.yml

@@ -114,6 +114,9 @@ jobs:
     needs:
       - unit-tests
       - Acceptance-Tests
+    permissions:
+      contents: write
+      id-token: write
     steps:
       -
         name: Checkout
@@ -188,4 +191,3 @@ jobs:
           DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
           DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}

.goreleaser.yml

@@ -146,14 +146,25 @@ furies:
 
 signs:
 - cmd: cosign
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign-blob", "-key=/tmp/goreleaser_cosign.key", "-output=${signature}", "${artifact}"]
-  artifacts: checksum
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  certificate: '{{ trimsuffix .Env.artifact ".txt" }}.pem'
+  args:
+    - sign-blob
+    - '--oidc-issuer=https://token.actions.githubusercontent.com'
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
 
 docker_signs:
-- artifacts: manifests
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign", "-key=/tmp/goreleaser_cosign.key", "${artifact}"]
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  artifacts: manifests
+  args:
+  - 'sign'
+  - '--oidc-issuer=https://token.actions.githubusercontent.com'
+  - '${artifact}'
 
 changelog:
   sort: asc
@@ -181,8 +192,6 @@ checksum:
   name_template: 'checksums.txt'
 
 release:
-  extra_files:
-    - glob: cosign.pub
   footer: |
     **Full Changelog**: https://github.com/goreleaser/nfpm/compare/{{ .PreviousTag }}...{{ .Tag }}
 

scripts/vercel/build.sh

@@ -1,3 +1,5 @@
 #!/bin/bash
 set -euo pipefail
+version="$(curl -sSf -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/goreleaser/nfpm/releases/latest" | jq -r '.tag_name')"
+sed -s'' -i "s/__VERSION__/$version/g" www/docs/install.md
 mkdocs build -f www/mkdocs.yml

www/docs/install.md

@@ -69,38 +69,38 @@ go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
 
 Download the pre-compiled binaries from the [releases page][releases] and copy them to the desired location.
 
-## Verifying the binaries
+## Veryifing the artifacts
 
-All artifacts are checksummed and the checksum file is signed with [cosign][].
+### binaries
 
-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
+All artifacts are checksummed and the checksum is signed with [cosign][].
+
+1. Download the files you want, the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page:
+	```sh
+	wget https://github.com/goreleaser/nfpm/releases/download/__VERSION__/checksums.txt
+	wget https://github.com/goreleaser/nfpm/releases/download/__VERSION__/checksums.txt.sig
+	```
 
-1. Download the files you want, the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page.
 1. Verify the signature:
 	```sh
-	cosign verify-blob \
-		-key https://goreleaser.com/static/goreleaser.pub \
-		-signature checksums.txt.sig \
+	COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+		--signature checksums.txt.sig \
 		checksums.txt
 	```
 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
 	```sh
 	sha256sum --ignore-missing -c checksums.txt
 	```
 
-## Verifying docker images
+### docker images
 
-Our Docker image is signed with [cosign][].
+Our Docker images are signed with [cosign][].
 
-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub):
+Verify the signature:
 
 ```sh
-cosign verify \
-	-key https://goreleaser.com/static/goreleaser.pub \
-	goreleaser/nfpm
-cosign verify \
-	-key https://goreleaser.com/static/goreleaser.pub \
-	ghcr.io/goreleaser/nfpm
+COSIGN_EXPERIMENTAL=1 cosign verify	goreleaser/nfpm
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/goreleaser/nfpm
 ```
 
 ## Running with Docker