From c43d59a69a220f82142677fe9fc624d9203f416e Mon Sep 17 00:00:00 2001
From: max furman <mx.furman@gmail.com>
Date: Tue, 25 Oct 2022 21:26:50 -0700
Subject: [PATCH] [action] keyless cosign for all release artifacts

---
 .github/workflows/release.yml | 38 +++++++++++++++++------------------
 .goreleaser.yml               |  9 +++++----
 make/docker.mk                |  2 +-
 3 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4c00ad04..48bbf730 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,8 +13,8 @@ jobs:
 
   create_release:
     name: Create Release
-      #needs: ci
-    runs-on: ubuntu-20.04
+    needs: ci
+    runs-on: ubuntu-latest
     outputs:
       is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
     steps:
@@ -25,7 +25,7 @@ jobs:
           echo ${{ github.ref }} | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
-          echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+          echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
       - name: Create Release
         id: create_release
         uses: actions/create-release@v1
@@ -39,8 +39,11 @@ jobs:
 
   goreleaser:
     name: Upload Assets To Github w/ goreleaser
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: create_release
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -50,17 +53,14 @@ jobs:
           go-version: 1.19
           check-latest: true
       - name: Install cosign
-        uses: sigstore/cosign-installer@v2.7.0
+        uses: sigstore/cosign-installer@v2
         with:
-          cosign-release: 'v1.12.1'
-      - name: Write cosign key to disk
-        id: write_key
-        run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+          cosign-release: 'v1.13.1'
       - name: Get Release Date
         id: release_date
         run: |
           RELEASE_DATE=$(date +"%y-%m-%d")
-          echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
+          echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
@@ -68,13 +68,16 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-          RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
+          RELEASE_DATE: ${RELEASE_DATE}
+          COSIGN_EXPERIMENTAL: 1
 
   build_upload_docker:
     name: Build & Upload Docker Images
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: ci
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -84,12 +87,9 @@ jobs:
           go-version: '1.19'
           check-latest: true
       - name: Install cosign
-        uses: sigstore/cosign-installer@v1.1.0
+        uses: sigstore/cosign-installer@v2
         with:
-          cosign-release: 'v1.1.0'
-      - name: Write cosign key to disk
-        id: write_key
-        run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+          cosign-release: 'v1.13.1'
       - name: Build
         id: build
         run: |
@@ -98,4 +98,4 @@ jobs:
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yml b/.goreleaser.yml
index c8650d5b..43ffadb3 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -87,8 +87,9 @@ checksum:
 
 signs:
 - cmd: cosign
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
   artifacts: all
 
 snapshot:
@@ -154,8 +155,8 @@ release:
 
     ```
     cosign verify-blob \
-      -key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \
-      -signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig
+      --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
+      --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
       ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
     ```
 
diff --git a/make/docker.mk b/make/docker.mk
index edb82423..0d56e663 100644
--- a/make/docker.mk
+++ b/make/docker.mk
@@ -54,7 +54,7 @@ define DOCKER_BUILDX
 	# $(1) -- Image Tag
 	# $(2) -- Push (empty is no push | --push will push to dockerhub)
 	docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
-	echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
+	cosign sign -r $(DOCKER_IMAGE_NAME):$(1)
 
 endef