From 98c61942aa433342eacf08e4040ded80b1d0efe1 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sun, 28 Jun 2026 21:18:12 +0200 Subject: [PATCH] build(sign): move to sigstore (#38250) drops signing with gpg in favor of sigstore based artifact signing --- .github/workflows/release-nightly.yml | 14 ++++---------- .github/workflows/release-tag-rc.yml | 14 ++++---------- .github/workflows/release-tag-version.yml | 14 ++++---------- 3 files changed, 12 insertions(+), 30 deletions(-) diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index d982dd525bc..483f4b77318 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -13,6 +13,7 @@ jobs: runs-on: namespace-profile-gitea-release-binary permissions: contents: read + id-token: write steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 # fetch all commits instead of only the last as some branches are long lived and could have many between versions @@ -33,19 +34,12 @@ jobs: - run: make release env: TAGS: bindata - - name: import gpg key - id: import_gpg - uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 - with: - gpg_private_key: ${{ secrets.GPGSIGN_KEY }} - passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} + - name: Install Cosign + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: sign binaries - env: - GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} run: | for f in dist/release/*; do - echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f" + cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes done # clean branch name to get the folder name in S3 - name: Get cleaned branch name 
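Review bot: The added `id-token: write` line carries no explanation, while the same permissions block in release-tag-version.yml already annotates `packages: write # to publish to ghcr.io`; a trailing comment such as `id-token: write # OIDC token for keyless cosign signing` would record why the release job now mints an identity token. The permission is job-scoped, so every step in the job, including the third-party actions it runs, can request the token and obtain a certificate bearing this workflow's identity; that is inherent to GitHub OIDC and a reason to keep the `uses:` lines pinned by SHA as they are. The same addition appears in release-tag-rc.yml and release-tag-version.yml and would take the same comment.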
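Review bot: The rewritten `sign binaries` step emits keyless bundles but never checks that one verifies, and nothing in the workflow records the certificate identity consumers must pin; a comment above the loop naming the expected identity, or a second loop running `cosign verify-blob "$f" --bundle "$f.sigstore.json" --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity <expected workflow identity>`, would catch a mis-issued certificate before the artifacts are published. Switching the output from `$f.asc` to `$f.sigstore.json` also changes what downstream verification instructions and any upload or checksum step expect; that later step lies outside the hunk, so confirm it still picks up the new files. With the `secrets.GPGSIGN_KEY` and `secrets.GPGSIGN_PASSPHRASE` references removed, those repository secrets can be retired once no other branch uses them, and the step names are now mixed case (`Install Cosign` beside `sign binaries`). The same hunk appears in release-tag-rc.yml and release-tag-version.yml.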
diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index 9e796c47d47..91b6168330d 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -14,6 +14,7 @@ jobs: runs-on: namespace-profile-gitea-release-binary permissions: contents: read + id-token: write steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 # fetch all commits instead of only the last as some branches are long lived and could have many between versions @@ -34,19 +35,12 @@ jobs: - run: make release env: TAGS: bindata - - name: import gpg key - id: import_gpg - uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 - with: - gpg_private_key: ${{ secrets.GPGSIGN_KEY }} - passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} + - name: Install Cosign + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: sign binaries - env: - GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} run: | for f in dist/release/*; do - echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f" + cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes done # clean branch name to get the folder name in S3 - name: Get cleaned branch name diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index 81a309757b0..d4e3f1da009 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -17,6 +17,7 @@ jobs: permissions: contents: read packages: write # to publish to ghcr.io + id-token: write steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 # fetch all commits instead of only the last as some branches are long lived and could have many between versions 
@@ -37,19 +38,12 @@ jobs: - run: make release env: TAGS: bindata - - name: import gpg key - id: import_gpg - uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 - with: - gpg_private_key: ${{ secrets.GPGSIGN_KEY }} - passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} + - name: Install Cosign + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: sign binaries - env: - GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} run: | for f in dist/release/*; do - echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f" + cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes done # clean branch name to get the folder name in S3 - name: Get cleaned branch name