mirror of
https://github.com/goreleaser/goreleaser-action.git
synced 2026-05-20 01:11:53 +00:00
feat: verify release checksum and cosign signature (#550)
* feat: verify release checksum and cosign signature Download checksums.txt for the release and verify the SHA-256 of the downloaded archive against it. When cosign is available in PATH, also download checksums.txt.sigstore.json and verify the signature against the goreleaser/goreleaser-pro release workflow identity. Both steps degrade gracefully (with a warning) when the corresponding artifacts or tooling are missing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: use install() for checksum e2e tests Drop the http-client download helper from verifyChecksum integration tests; call goreleaser.install() instead so the test exercises the public API path and avoids duplicating download logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Carlos Alexandro Becker
GitHub
parent
01cbe076be
commit
4b462d3d1d
5 changed files with 199 additions and 13 deletions
|
|
@ -61,6 +61,7 @@ RUN --mount=type=bind,target=.,rw \
|
|||
npm run lint
|
||||
|
||||
FROM deps AS test
|
||||
RUN apk add --no-cache cosign
|
||||
ENV RUNNER_TEMP=/tmp/github_runner
|
||||
ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
|
||||
RUN --mount=type=bind,target=.,rw \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue