build(sign): move to sigstore (#38250)

drops signing with gpg in favor of sigstore based artifact signing
2026-06-29 14:21:25 +00:00 · 2026-06-28 21:18:12 +02:00
parent cc1df1976b
commit 98c61942aa
3 changed files with 12 additions and 30 deletions
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -13,6 +13,7 @@ jobs:
    runs-on: namespace-profile-gitea-release-binary
    permissions:
      contents: read
+      id-token: write
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
@@ -33,19 +34,12 @@ jobs:
      - run: make release
        env:
          TAGS: bindata
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - name: sign binaries
-        env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
-          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
-            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
+            cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
--- a/.github/workflows/release-tag-rc.yml
+++ b/.github/workflows/release-tag-rc.yml
@@ -14,6 +14,7 @@ jobs:
    runs-on: namespace-profile-gitea-release-binary
    permissions:
      contents: read
+      id-token: write
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
@@ -34,19 +35,12 @@ jobs:
      - run: make release
        env:
          TAGS: bindata
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - name: sign binaries
-        env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
-          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
-            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
+            cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
--- a/.github/workflows/release-tag-version.yml
+++ b/.github/workflows/release-tag-version.yml
@@ -17,6 +17,7 @@ jobs:
    permissions:
      contents: read
      packages: write # to publish to ghcr.io
+      id-token: write
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
@@ -37,19 +38,12 @@ jobs:
      - run: make release
        env:
          TAGS: bindata
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - name: sign binaries
-        env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
-          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
-            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
+            cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name