Closed thepwagner closed 6 months ago
This is what I came up with https://github.com/thepwagner-org/actions/blob/main/.github/workflows/golang-release-attest.yaml
Since GitHub packages the attestation tool as an actions step, it can't run as a post-build hook in goreleaser like cosign ... could.
cosign ...
Luckily GoReleaser leaves the artifacts it generates sitting around in dist/, so we can just sign them after the release action has completed!
dist/
This is what I came up with https://github.com/thepwagner-org/actions/blob/main/.github/workflows/golang-release-attest.yaml
Since GitHub packages the attestation tool as an actions step, it can't run as a post-build hook in goreleaser like
cosign ...could.Luckily GoReleaser leaves the artifacts it generates sitting around in
dist/, so we can just sign them after the release action has completed!Related