Set up GoReleaser (#22)

wata727 · web-flow · commit 49a64023a803 · 2023-02-02T00:18:44.000+09:00
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -0,0 +1,27 @@
+name: goreleaser
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: 'go.mod'
+    - name: goreleaser check
+      uses: goreleaser/goreleaser-action@v4
+      with:
+        version: v1.12.3
+        args: check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,27 +7,29 @@ on:
     tags:
     - v*.*.*
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
       uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
         go-version-file: 'go.mod'
-    - name: Import GPG key
-      id: import_gpg
-      uses: crazy-max/ghaction-import-gpg@v5
-      with:
-        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-        passphrase: ${{ secrets.PASSPHRASE }}
+        cache: true
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v2
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v4
       with:
-        version: latest
+        version: v1.12.3
         args: release --rm-dist
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -21,5 +21,22 @@ archives:
 checksum:
   name_template: 'checksums.txt'
 signs:
-  - artifacts: checksum
-    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
+  - cmd: cosign
+    env:
+    - COSIGN_EXPERIMENTAL=1
+    signature: '${artifact}.keyless.sig'
+    certificate: '${artifact}.pem'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+release:
+  github:
+    owner: terraform-linters
+    name: tflint-ruleset-opa
+  draft: true
+snapshot:
+  name_template: "{{ .Tag }}-dev"
