Example goreleaser + github actions config with keyless signing and SBOM generation

Overview

supply-chain-example

GoReleaser + Go Mod proxying + Cosign keyless signing + Syft SBOM generation example.

How it works

GoReleaser manages the entire thing, basically.

It will:

  • build using the Go Mod Proxy as source of truth
  • call syft to create the SBOMs
  • create the checksum file
  • sign it with cosign
  • create a docker image using the binary it just built (thus, the binary inside the docker image is the same as the one released)
  • sign the docker image with cosign as well

Verifying

Checksums

wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt
wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.sig

# then, either:
wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.pem
cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt

# or:
COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.sig checksums.txt

You can then download any file you want from the release, and verify it with, for example:

wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/supply-chain-example_1.2.0_linux_amd64.tar.gz.sbom
wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/supply-chain-example_1.2.0_linux_amd64.tar.gz
sha256sum --ignore-missing -c checksums.txt

And both should say "OK".

You can then inspect the .sbom file to see the entire dependency tree of the binary.

Docker image

COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/goreleaser/supply-chain-example:v1.2.0
Comments
  • chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1

    chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1

    Bumps sigstore/cosign-installer from 2.8.0 to 2.8.1.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.8.1

    What's Changed

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2...v2.8.1

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 1
  • chore(deps): bump sigstore/cosign-installer from 1.4.1 to 2.0.0

    chore(deps): bump sigstore/cosign-installer from 1.4.1 to 2.0.0

    Bumps sigstore/cosign-installer from 1.4.1 to 2.0.0.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.0.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v1.4.1...v2.0.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 1
  • chore(deps): bump anchore/sbom-action from 0.13.0 to 0.13.1

    chore(deps): bump anchore/sbom-action from 0.13.0 to 0.13.1

    Bumps anchore/sbom-action from 0.13.0 to 0.13.1.

    Release notes

    Sourced from anchore/sbom-action's releases.

    v0.13.1

    Changes in v0.13.1

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump anchore/sbom-action from 0.12.0 to 0.13.0

    chore(deps): bump anchore/sbom-action from 0.12.0 to 0.13.0

    Bumps anchore/sbom-action from 0.12.0 to 0.13.0.

    Release notes

    Sourced from anchore/sbom-action's releases.

    v0.13.0

    Changes in v0.13.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.0

    chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.0

    Bumps sigstore/cosign-installer from 2.7.0 to 2.8.0.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.8.0

    What's Changed

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2.7.0...v2.8.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump sigstore/cosign-installer from 2.6.0 to 2.7.0

    chore(deps): bump sigstore/cosign-installer from 2.6.0 to 2.7.0

    Bumps sigstore/cosign-installer from 2.6.0 to 2.7.0.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.7.0

    What's Changed

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2...v2.7.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.6.0

    chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.6.0

    Bumps sigstore/cosign-installer from 2.5.1 to 2.6.0.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.6.0

    What's Changed

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2.5.1...v2.6.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump anchore/sbom-action from 0.11.0 to 0.12.0

    chore(deps): bump anchore/sbom-action from 0.11.0 to 0.12.0

    Bumps anchore/sbom-action from 0.11.0 to 0.12.0.

    Release notes

    Sourced from anchore/sbom-action's releases.

    v0.12.0

    Changes in v0.12.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1

    chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1

    Bumps sigstore/cosign-installer from 2.5.0 to 2.5.1.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.5.1

    What's Changed

    New Contributors

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2...v2.5.1

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0

    chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0

    Bumps sigstore/cosign-installer from 2.4.1 to 2.5.0.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.5.0

    What's Changed

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2.4.1...v2.5.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump sigstore/cosign-installer from 2.4.0 to 2.4.1

    chore(deps): bump sigstore/cosign-installer from 2.4.0 to 2.4.1

    Bumps sigstore/cosign-installer from 2.4.0 to 2.4.1.

    Release notes

    Sourced from sigstore/cosign-installer's releases.

    v2.4.1

    If you use a custom installation directory and that need sudo permissions you will need to set the use-sudo to true as well

    What's Changed

    New Contributors

    Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2...v2.4.1

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    size/XS dependencies 
    opened by dependabot[bot] 0
Releases(v1.2.0)
Owner
GoReleaser
Deliver Go binaries as fast and easily as possible
GoReleaser
Keyless Git signing with cosign!

THIS PROJECT HAS MOVED! See https://github.com/sigstore/gitsign ?? smimecosign Keyless Git signing with cosign! This is heavily inspired by https://gi

Billy Lynch 11 May 12, 2022
github-actions-merger is github actions that merges pull request with commit message including pull request labels.

github-actions-merger github-actions-merger is github actions that merges pull request with commit message including pull request labels. Usage Write

ABEMA 6 Oct 31, 2022
K8s-network-config-operator - Kubernetes network config operator to push network config to switches

Kubernetes Network operator Will add more to the readme later :D Operations The

Daniel Hertzberg 6 May 16, 2022
sget is a keyless safe script retrieval and execution tool

sget ⚠️ Not ready for use yet! sget is a keyless safe script retrieval and execution tool Security Should you discover any security issues, please ref

sigstore 22 Nov 1, 2022
Sbom-operator - Catalogue all images of a Kubernetes cluster to multiple targets with Syft

sbom-operator Catalogue all images of a Kubernetes cluster to multiple targets w

Christian Kotzbauer 131 Nov 29, 2022
A simple Go app and GitHub workflow that shows how to use GitHub Actions to test, build and deploy a Go app to Docker Hub

go-pipeline-demo A repository containing a simple Go app and GitHub workflow that shows how to use GitHub Actions to test, build and deploy a Go app t

Marat Bogatyrev 0 Nov 17, 2021
Simple example using Git actions + Argo CD + K8S + Docker and GO lang

CICD-simple_example Simple example using Git actions + Argo CD + K8S + Docker and GO lang Intro Pre reqs Have an ArgoCD account and Installed. Docker

Diogo Miyake 1 Oct 28, 2021
Automatic sync from IMDb to Trakt (watchlist, lists, ratings and history) using GitHub actions

imdb-trakt-sync GoLang app that can sync IMDb and Trakt user data - watchlist, ratings and lists. For its data needs, the app is communicating with th

Tsvetoslav Dimov 18 Nov 19, 2022
toghsh translates github actions workflows to shell scripts

togsh - extracts shell commands from github actions workflows toghsh is a helper tool to translate github action workflows into equivalent shell scrip

Francesco Romani 1 Nov 16, 2021
CI/CD with Jenkins, GitHub Actions, Travis CI etc

CI/CD with Jenkins, GitHub Actions, Travis CI etc This is a simple repository built using Golang with the main purpose to try out different CI/CD tool

null 0 Nov 11, 2021
A reverse engineered github actions compatible self-hosted runner using nektos/act to execute your workflow steps

github-act-runner A reverse engineered github actions compatible self-hosted runner using nektos/act to execute your workflow steps. Unlike the offici

null 103 Dec 7, 2022
Gophercon lab "Get Go-ing with GitHub Actions"

GitHub Action Using Go This is a starting point for a GitHub Action based in Go. This repo provides all the structure needed to build a robust GitHub

Doug Graiser 0 Dec 8, 2021
Dominik Robert 0 Jan 4, 2022
Generic inquiry tool to OPA server for CI process, such as GitHub Actions

opaq opaq is a generic inquiry tool to OPA server. A major purpose of this tool is for inquiry in GitHub Actions. Features Data formatting: OPA server

Masayoshi Mizutani 3 Jan 20, 2022
kubectl plugin for signing Kubernetes manifest YAML files with sigstore

k8s-manifest-sigstore kubectl plugin for signing Kubernetes manifest YAML files with sigstore ⚠️ Still under developement, not ready for production us

sigstore 70 Nov 28, 2022
General-purpose actions for test and release in Go

go-actions This repository provides general-purpose actions for Go. setup This action runs actions/setup-go with actions/cache. For example, jobs: l

Hidetake Iwata 1 Nov 28, 2021
Container actions using Golang Docker SDK

container-go Prototyping continuous integration for microservices using only Gol

null 0 Dec 28, 2021
Provider-generic-workflows - A generic provider which uses argo workflows to define the backend actions.

provider-generic-workflows provider-generic-workflows is a generic provider which uses argo workflows for managing the external resource. This will re

Shailendra Sirohi 0 Jan 1, 2022
Pulumi-k8s-operator-example - OpenGitOps Compliant Pulumi Kubernetes Operator Example

Pulumi GitOps Example OpenGitOps Compliant Pulumi Kubernetes Operator Example Pr

Christian Hernandez 3 May 6, 2022