feat: sign pulumi binaries with cosign

.github/workflows/ci-build-binaries.yml

@@ -48,6 +48,9 @@ jobs:
     env:
       PULUMI_VERSION: ${{ inputs.version }}
 
+    permissions:
+      id-token: write
+
     steps:
       - name: "Windows cache workaround"
         # https://github.com/actions/cache/issues/752#issuecomment-1222415717

.github/workflows/ci-prepare-release.yml

@@ -3,6 +3,8 @@ name: Prepare
 permissions:
   # To create a draft release
   contents: write
+  # To sign artifacts.
+  id-token: write
 
 on:
   workflow_call:
@@ -63,59 +65,48 @@ jobs:
         uses: actions/download-artifact@v2
         with:
           path: artifacts.tmp
-
+      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
       - name: Flatten artifact directories
         run: |
           mkdir -p ./artifacts
-          mkdir -p ./sums.tmp
           mv ./artifacts.tmp/artifacts-*/* ./artifacts
 
         # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting.
       - name: Checksums with SHA256
         working-directory: artifacts
         env:
           version: ${{ inputs.version }}
-        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt"
+        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../artifacts/pulumi-${version}-checksums.txt"
 
       - name: Checksums with BLAKE3
         working-directory: artifacts
-        run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS
+        run: b3sum ./* | sed 's/.\///' | tee ../artifacts/B3SUMS
 
       - name: Checksums with SHA512
         working-directory: artifacts
-        run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS
+        run: sha512sum ./* | sed 's/.\///' | tee ../artifacts/SHA512SUMS
 
-      - name: Sign checksums
-        working-directory: sums.tmp
-        # Requires a signing key to be configured.
-        if: false
+      - name: Sign binaries and checksums
+        working-directory: artifacts
         shell: bash
         env:
-          # RELEASE_KEY: ${{ secrets.RELEASE_KEY }}
           version: ${{ inputs.version }}
         run: |
-          set -u
-          releaseKey="$(mktemp -d)/release.key"
-          echo "$RELEASE_KEY" > "${releaseKey}"
-          set -x
+          ls -la
           for file in *; do
-            echo | rsign sign \
-              -p "${GITHUB_WORKSPACE}/.github/workflows/release.pub" \
-              -s "${releaseKey}" \
-              -t "${{ inputs.project }} v$version signed with automated key" \
-              -c 'see website for signing information' \
-              -x "${file}.auto.minisig" \
-              "${file}"
+              echo "$file"
+              COSIGN_EXPERIMENTAL=1 cosign sign-blob \
+                --output-signature="${file}".sig  \
+                --output-certificate="${file}".pem \
+                "${file}"
           done
-          rm "${releaseKey}"
-          cat ./*.auto.minisig
 
       - uses: actions/upload-artifact@v2
         with:
           name: artifacts-signatures
           retention-days: 1
           path: |
-            sums.tmp/*
+            artifacts/*.sig
           if-no-files-found: error
 
   publish:

.github/workflows/ci.yml

@@ -2,6 +2,7 @@ name: CI
 
 permissions:
   contents: read
+  id-token: write
 
 on:
   workflow_call:

.github/workflows/on-merge.yml

@@ -3,6 +3,8 @@ name: Merge
 permissions:
   # To create a draft release.
   contents: write
+  # To sign artifacts.
+  id-token: write
 
 on:
   push:
@@ -37,6 +39,8 @@ jobs:
     uses: ./.github/workflows/ci.yml
     permissions:
       contents: read
+      # To sign artifacts.
+      id-token: write
     with:
       ref: ${{ github.ref }}
       version: ${{ needs.info.outputs.version }}

.github/workflows/on-pr.yml

@@ -1,8 +1,12 @@
 name: Pull Request
 
 permissions:
+  # To create a draft release.
   contents: write
+  # To comment on PRs.
   pull-requests: write
+  # To sign artifacts.
+  id-token: write
 
 on:
   pull_request:
@@ -42,6 +46,8 @@ jobs:
     uses: ./.github/workflows/ci.yml
     permissions:
       contents: read
+      # To sign artifacts.
+      id-token: write
     with:
       ref: ${{ github.ref }}
       version: ${{ needs.info.outputs.version }}
@@ -65,11 +71,13 @@ jobs:
 
   prepare-release:
     name: prepare
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'ci/test') }}
+    #if: ${{ contains(github.event.pull_request.labels.*.name, 'ci/test') }}
     needs: [info, ci]
     uses: ./.github/workflows/ci-prepare-release.yml
     permissions:
       contents: write
+      # To sign artifacts.
+      id-token: write
     with:
       ref: ${{ github.ref }}
       version: ${{ needs.info.outputs.version }}

.github/workflows/pr-test-acceptance-on-dispatch.yml

@@ -12,6 +12,8 @@ permissions:
   contents: read
   # Only the 'changelog-comment' job should use this permission.
   pull-requests: write
+  # To sign artifacts.
+  id-token: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.client_payload.pull_request.number }}
@@ -51,6 +53,8 @@ jobs:
     uses: pulumi/pulumi/.github/workflows/ci.yml@master
     permissions:
       contents: read
+      # To sign artifacts.
+      id-token: write
     with:
       ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge
       version: ${{ needs.info.outputs.version }}

.goreleaser.yml

@@ -58,6 +58,17 @@ archives:
       strip_parent: true
   name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
 
+signs:
+- cmd: cosign
+  certificate: '${artifact}.pem'
+  args:
+    - sign-blob
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
+  artifacts: binary
+  output: true
+
 snapshot:
   name_template: "{{ .Version }}-SNAPSHOT"
 

changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml

@@ -0,0 +1,4 @@
+changes:
+- type: feat
+  scope: ci
+  description: sign pulumi binaries with cosign