mirror of
https://github.com/goreleaser/goreleaser-action
synced 2026-07-09 06:37:31 +00:00
feat: verify release checksum and cosign signature (#550)
* feat: verify release checksum and cosign signature Download checksums.txt for the release and verify the SHA-256 of the downloaded archive against it. When cosign is available in PATH, also download checksums.txt.sigstore.json and verify the signature against the goreleaser/goreleaser-pro release workflow identity. Both steps degrade gracefully (with a warning) when the corresponding artifacts or tooling are missing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: use install() for checksum e2e tests Drop the http-client download helper from verifyChecksum integration tests; call goreleaser.install() instead so the test exercises the public API path and avoids duplicating download logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
committed by
GitHub
parent
01cbe076be
commit
4b462d3d1d
+5
-5
File diff suppressed because one or more lines are too long
Reference in New Issue
Block a user