Skip to content

ci(release): goreleaser + cosign signing (Scorecard Packaging + Signed-Releases)#116

Merged
aksOps merged 1 commit into
mainfrom
ci/release-signing
Jun 18, 2026
Merged

ci(release): goreleaser + cosign signing (Scorecard Packaging + Signed-Releases)#116
aksOps merged 1 commit into
mainfrom
ci/release-signing

Conversation

@aksOps

@aksOps aksOps commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

What

Adds a GoReleaser + cosign release pipeline so tagged releases produce signed, published artifacts:

  • .github/workflows/release.yml — triggers on v* tag push. Hardened runner (egress audit), checkout tag (fetch-depth: 0, persist-credentials: false), setup-go from go.mod, setup-node 24, builds the embedded React UI (npm ci && npm run build), installs cosign, then goreleaser release --clean. Job perms scoped to contents: write + id-token: write; workflow default contents: read. All actions SHA-pinned (pins reused from security.yml/scorecard.yml).
  • .goreleaser.yaml — v2 schema. CGO_ENABLED=0 (pure-Go SQLite driver), linux/darwin × amd64/arm64, -trimpath -s -w, tar.gz archives (incl. LICENSE.md + README.md), sha256 checksums.txt, syft SBOMs per archive, cosign keyless signs the checksums file (.sig + .pem), release.mode: append so it coexists with the release shell release.sh --release may create.
  • scripts/release.sh + CLAUDE.md — reconcile the split of duties: release.sh builds the UI + pushes the tag (and --release creates the GitHub release shell, notes only, no artifacts); release.yml owns artifacts + signing.

Why

OpenSSF Scorecard's Packaging (-1, no publishing workflow detected) and Signed-Releases (-1, no signed artifacts) checks. A publishing workflow satisfies Packaging; cosign-signed checksums satisfy Signed-Releases.

Caveat: both checks only score after the next v* tag push actually runs this workflow and produces a signed release. This PR adds the capability; it does not retroactively sign past releases.

Verification

  • goreleaser check — config valid
  • actionlint .github/workflows/release.yml — clean (exit 0)
  • (locally, prior) snapshot build compiled all 4 targets with the UI embedded, producing archives + SBOMs + checksums

The release workflow triggers only on v* tag push, so it does not run in this PR's CI — build · vet · test are unaffected (no Go code changed).

🤖 Generated with Claude Code

Add .github/workflows/release.yml (triggered on v* tag push) and
.goreleaser.yaml (v2 schema) so OpenSSF Scorecard's Packaging and
Signed-Releases checks score.

- release.yml: harden-runner (egress audit), checkout tag (fetch-depth 0,
  persist-credentials false), setup-go from go.mod, setup-node 24, build
  the embedded React UI (npm ci && npm run build), then goreleaser
  release --clean. cosign installed for keyless signing. CGO_ENABLED=0
  for the pure-Go SQLite driver. Job perms: contents: write + id-token:
  write; workflow default read-all.
- .goreleaser.yaml: linux/darwin x amd64/arm64, binary otelcontext,
  -trimpath -s -w, tar.gz archives incl LICENSE.md + README.md, sha256
  checksums, syft SBOMs per archive, cosign keyless signs the checksums
  file (.sig + .pem), release.mode append so it coexists with the GitHub
  release shell that release.sh --release may already have created.
- Reconcile scripts/release.sh + CLAUDE.md: release.sh builds UI + pushes
  the tag (and with --release creates the release shell, notes only, no
  artifacts); release.yml owns artifacts + signing.

All third-party actions SHA-pinned (pins reused from security.yml /
scorecard.yml where they overlap). Validated: goreleaser check passes,
actionlint clean, snapshot build compiles all 4 targets with the UI
embedded and produces archives + SBOMs + checksums.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG
@sonarqubecloud

Copy link
Copy Markdown

@aksOps aksOps merged commit ccf7958 into main Jun 18, 2026
17 checks passed
@aksOps aksOps deleted the ci/release-signing branch June 18, 2026 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant