@@ -4,15 +4,21 @@ version: 2
44
55# https://goreleaser.com/customization/builds/go
66builds :
7- - env :
8- - CGO_ENABLED=0
9- goarch :
10- - amd64
11- - arm64
7+ - id : linix-windows
8+ goos : [linux, windows]
9+ goarch : [amd64, arm64]
10+ env : [CGO_ENABLED=0]
11+ # Separating the macos builds so that we can exclude them from cosign
12+ # (since the binary is manupilated by the notarization process).
13+ - id : darwin
14+ goos : [darwin]
15+ goarch : [amd64, arm64]
16+ env : [CGO_ENABLED=0]
1217
1318# https://goreleaser.com/customization/archive
1419archives :
1520 - id : archives
21+ ids : [linix-windows, darwin]
1622 formats : [tar.gz]
1723 # this name template makes the OS and Arch compatible with the results of `uname`.
1824 name_template : >-
@@ -24,6 +30,7 @@ archives:
2430 files :
2531 - LICENSE
2632 - CHANGELOG.md
33+ - README.md
2734 - src : " {{ .ArtifactPath }}.sig"
2835 strip_parent : true
2936 # use zip for windows archives
@@ -53,7 +60,10 @@ notarize:
5360
5461# https://goreleaser.com/customization/binary_sign
5562binary_signs :
56- - id : cosign
63+ - id : cosign-binaries
64+ # Annoyingly, build_signs runs before notarize, which messes with the
65+ # macos builds, so we only sign linux and windows builds.
66+ ids : [linux-windows]
5767 signature : " ${artifact}.sig"
5868 cmd : cosign
5969 stdin : " {{ .Env.COSIGN_PWD }}"
@@ -64,6 +74,18 @@ binary_signs:
6474 - ${artifact}
6575 - --yes
6676
77+ # https://goreleaser.com/customization/sign
78+ signs :
79+ - id : cosign-checksum
80+ cmd : cosign
81+ args :
82+ - sign-blob
83+ - --key=env://COSIGN_KEY
84+ - --output-signature=${signature}
85+ - ${artifact}
86+ - --yes
87+ artifacts : checksum
88+
6789# https://goreleaser.com/customization/release
6890release :
69- ids : [archives]
91+ ids : [archives, cosign-checksum ]
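Review bot: The `ids` filter added to `binary_signs` names `linux-windows`, but the build it is meant to select is declared as `linix-windows` (the archive's `ids` repeats that spelling), so as written the cosign binary-signing step appears to match no build and the linux and windows binaries would be released without a signature. Rename the build to `id: linux-windows` and use `ids: [linux-windows, darwin]` in the archive so all three references agree. The archive still lists `{{ .ArtifactPath }}.sig` under `files`, which darwin archives will presumably no longer have now that darwin is excluded from signing; it is worth confirming how the archive step treats that missing file. The new `signs` entry also omits the `stdin: '{{ .Env.COSIGN_PWD }}'` that `binary_signs` passes, so checksum signing may fail or prompt if the key is password-protected.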