mirror of
https://github.com/goreleaser/goreleaser-action
synced 2026-07-08 11:47:28 +00:00
docs: document cosign verification in README (#553)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
committed by
GitHub
parent
5e53f8eea2
commit
be2e8a39ba
@@ -16,6 +16,7 @@ ___
|
|||||||
|
|
||||||
* [Usage](#usage)
|
* [Usage](#usage)
|
||||||
* [Workflow](#workflow)
|
* [Workflow](#workflow)
|
||||||
|
* [Verification](#verification)
|
||||||
* [Run on new tag](#run-on-new-tag)
|
* [Run on new tag](#run-on-new-tag)
|
||||||
* [Signing](#signing)
|
* [Signing](#signing)
|
||||||
* [Upload artifacts](#upload-artifacts)
|
* [Upload artifacts](#upload-artifacts)
|
||||||
@@ -77,6 +78,37 @@ jobs:
|
|||||||
|
|
||||||
> **IMPORTANT**: note the `fetch-depth: 0` input in `Checkout` step. It is required for the changelog to work correctly.
|
> **IMPORTANT**: note the `fetch-depth: 0` input in `Checkout` step. It is required for the changelog to work correctly.
|
||||||
|
|
||||||
|
### Verification
|
||||||
|
|
||||||
|
The action verifies the integrity of the downloaded GoReleaser archive
|
||||||
|
against the published `checksums.txt` automatically — no configuration
|
||||||
|
required.
|
||||||
|
|
||||||
|
If [`cosign`](https://docs.sigstore.dev/cosign/) is available on `PATH`, the
|
||||||
|
action will additionally verify the cosign sigstore signature of the
|
||||||
|
checksums file against the GoReleaser release workflow's OIDC identity. If
|
||||||
|
`cosign` isn't installed, this step is silently skipped.
|
||||||
|
|
||||||
|
To enable signature verification, install cosign before running the action:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
-
|
||||||
|
name: Install cosign
|
||||||
|
uses: sigstore/cosign-installer@v3
|
||||||
|
-
|
||||||
|
name: Run GoReleaser
|
||||||
|
uses: goreleaser/goreleaser-action@v7
|
||||||
|
with:
|
||||||
|
distribution: goreleaser
|
||||||
|
version: '~> v2'
|
||||||
|
args: release --clean
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
```
|
||||||
|
|
||||||
|
Both checksum and signature verification work for tagged releases and the
|
||||||
|
`nightly` channel.
|
||||||
|
|
||||||
### Run on new tag
|
### Run on new tag
|
||||||
|
|
||||||
If you want to run GoReleaser only on new tag, you can use this event:
|
If you want to run GoReleaser only on new tag, you can use this event:
|
||||||
|
|||||||
Reference in New Issue
Block a user