feat: sign pulumi binaries with cosign

.github/workflows/ci-build-binaries.yml

@@ -48,6 +48,9 @@ jobs:
     env:
       PULUMI_VERSION: ${{ inputs.version }}
 
+    permissions:
+      id-token: write
+
     steps:
       - name: "Windows cache workaround"
         # https://github.com/actions/cache/issues/752#issuecomment-1222415717
@@ -80,6 +83,7 @@ jobs:
       - name: Setup versioning env vars
         run: |
           ./scripts/versions.sh | tee -a "${GITHUB_ENV}"
+      - uses: sigstore/cosign-installer@v2
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
@@ -116,4 +120,5 @@ jobs:
           retention-days: 1
           path: |
             goreleaser/*.tar.gz
+            goreleaser/*.sig
             goreleaser/*.zip

.goreleaser.yml

@@ -58,6 +58,17 @@ archives:
       strip_parent: true
   name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
 
+signs:
+- cmd: cosign
+  certificate: '${artifact}.pem'
+  args:
+    - sign-blob
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
+  artifacts: binary
+  output: true
+
 snapshot:
   name_template: "{{ .Version }}-SNAPSHOT"