feature: add sbom and signing to the produced binaries

.github/workflows/release.yaml

@@ -94,6 +94,10 @@ jobs:
       run: |
         mkdir -p output
         kustomize build ./config/default > ./output/install.yaml
+    - name: Setup Syft
+      uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+    - name: Setup Cosign
+      uses: sigstore/[email protected]
     - name: Run goreleaser
       uses: goreleaser/goreleaser-action@v5
       with:

.goreleaser.yaml

@@ -28,6 +28,24 @@ checksum:
     - glob: output/install.yaml
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}-{{ .Version }}-sbom.spdx.json"
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - '--yes'
+    artifacts: checksum
+    output: true
 changelog:
   sort: asc
   filters: