From c0f5f0830d4df522190351657c928661cf2fd4bd Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Mon, 15 Dec 2025 00:42:45 +0000
Subject: [PATCH] Add signing of the builds
---
 .github/workflows/release.yaml | 1 +
 .goreleaser.yaml | 15 ++-------------
 README.md | 12 +++++++-----
 3 files changed, 10 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8ed2dec..826ca4d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,6 +12,7 @@ on:
 - main
 permissions:
+ id-token: write
 contents: write
 packages: write
 deployments: write
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 05a0b0b..c5dea95 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -68,17 +68,10 @@ dockers_v2:
 signs: - cmd: cosign - env: - - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }} - certificate: "${artifact}.pem" + signature: "${artifact}.sigstore.json" args: - sign-blob - - "--key" - - "env://COSIGN_KEY" - - "--output-signature" - - "${signature}" - - "--output-certificate" - - "${certificate}" + - "--bundle=${signature}" - "${artifact}" - "--yes" artifacts: checksum
@@ -86,13 +79,9 @@ signs:
 docker_signs: - cmd: cosign - env: - - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }} artifacts: manifests output: true args: - sign - - "--key" - - "env://COSIGN_KEY" - "${artifact}@${digest}" - "--yes"
diff --git a/README.md b/README.md
index ec939d8..281f100 100644
--- a/README.md
+++ b/README.md
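Review bot: `id-token: write` is granted in the workflow-level `permissions:` block (the hunk sits directly under `on:`), so every job in release.yaml can mint a repository-identity OIDC token, while keyless cosign only needs it in the job that runs goreleaser; the job definitions are outside this hunk, so this is inferred from the placement. Moving the grant into that job's own `permissions:` — `permissions:` / `  id-token: write` / `  contents: write` on the release job — keeps the token out of every other job, and the same scoping pass is worth applying to the pre-existing `packages: write` and `deployments: write`, since the job that can both assert the repository's identity to Sigstore and push packages is the one whose blast radius matters most.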
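Review bot: `signature: "${artifact}.sigstore.json"` together with `--bundle=${signature}` names the bundle after the checksum artifact, but the README hunk in this same commit documents `--bundle ".sigstore.json"` ending in a `\` with no blob argument, so the verify-blob example cannot run as written; if the checksum file keeps the name shown in the README's removed lines, the example should end `--bundle graphql-proxy-checksums.txt.sigstore.json \` followed by `graphql-proxy-checksums.txt`. Nothing in the config records that signing is now keyless, which the removed `certificate:`, `env:` and `--key env://COSIGN_KEY` lines previously made implicit; a comment above `signs:` along the lines of `# Keyless (Sigstore OIDC) signing: the workflow job needs id-token: write; the bundle carries signature and certificate` would tell the next reader why no key is configured. The `docker_signs` hunk drops the same `env:` and `--key` lines, so if release.yaml still exports COSIGN_KEY and COSIGN_PASSWORD to the goreleaser step (not visible here), those secrets are dead and can be retired.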
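Review bot: keyless `sign "${artifact}@${digest}"` makes the image signature's trust depend entirely on the identity check consumers apply, and the README in this commit verifies images with `--certificate-identity-regexp "https://github.com/lukaszraczylo/graphql-monitoring-proxy/.*"`, a pattern that also matches certificates issued to any other workflow, branch or pull-request run in the repository that obtains an OIDC token. Presumably the signing identity is the standard Actions form `https://github.com/lukaszraczylo/graphql-monitoring-proxy/.github/workflows/release.yaml@<ref>`, in which case the documented regexp can be narrowed to that workflow path — `--certificate-identity-regexp "^https://github.com/lukaszraczylo/graphql-monitoring-proxy/\.github/workflows/release\.yaml@refs/.*$"` — and pinned further to a tag ref once the release triggers, outside this hunk, are confirmed.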
@@ -59,18 +59,20 @@ You can find the example of the Kubernetes manifest in the [example standalone d
 #### Verifying Release Signatures
-All release checksums and Docker images are signed with [cosign](https://github.com/sigstore/cosign). To verify:
+All release checksums and Docker images are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
 ```bash
 # Verify checksum signature
 cosign verify-blob \
- --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
- --signature graphql-proxy-checksums.txt.sig \
- graphql-proxy-checksums.txt
+ --certificate-identity-regexp "https://github.com/lukaszraczylo/graphql-monitoring-proxy/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ --bundle ".sigstore.json" \
+ # Verify Docker image
 cosign verify \
- --key https://raw.githubusercontent.com/lukaszraczylo/lukaszraczylo/main/cosign.pub \
+ --certificate-identity-regexp "https://github.com/lukaszraczylo/graphql-monitoring-proxy/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
 ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest
 ```