chore(deps): use sigstore/cosign v2.6.2

.gitea/workflows/artifacthub-metadata.yaml

@@ -0,0 +1,56 @@
+name: Upload ArtifactHub Metadata
+
+on:
+  schedule:
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  upload-metadata:
+    name: "Upload artifacthub-repo.yml to OCI registry"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6.0.2
+    - uses: sigstore/cosign-installer@v4.0.0
+      with:
+        cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
+    - uses: docker/login-action@v3.7.0
+      with:
+        registry: git.cryptic.systems
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
+    - uses: docker/login-action@v3.7.0
+      with:
+        username: ${{ secrets.DOCKER_IO_USERNAME }}
+        password: ${{ secrets.DOCKER_IO_PASSWORD }}
+    - uses: oras-project/setup-oras@v1.2.4
+      with:
+        version: 1.3.0 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+    - name: Push artifacthub-repo.yml to git.cryptic.systems
+      run: |
+        oras push git.cryptic.systems/volker.raschek/dcmerge:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key to git.cryptic.systems
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1
+
+    - name: Push artifacthub-repo.yml to docker.io
+      run: |
+        oras push docker.io/volkerraschek/dcmerge:artifacthub.io \
+          --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
+          artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+    - name: Push public cosign key to docker.io
+      env:
+        COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+      run: |
+        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
+        oras push docker.io/volkerraschek/dcmerge:cosign.pub \
+          --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          cosign.pub:application/vnd.dev.cosign.public-key.v1

.gitea/workflows/release.yaml

@@ -31,17 +31,22 @@ jobs:
             "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.deb"
         dpkg -i syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
         rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
+    - uses: sigstore/cosign-installer@v4.0.0
+      with:
+        cosign-release: "v2.6.2" # renovate: datasource=github-tags depName=sigstore/cosign
     - uses: docker/setup-qemu-action@v3.7.0
     - uses: docker/setup-buildx-action@v3.12.0
     - uses: actions/setup-go@v6.2.0
       with:
         go-version: stable
-    - uses: docker/login-action@v3.6.0
+    - uses: docker/login-action@v3.7.0
       with:
         registry: git.cryptic.systems
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
     - env:
+        COSIGN_PASSPHRASE: ${{ secrets.COSIGN_PASSPHRASE }}
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         GITEA_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
         GONOSUMDB: ${{ vars.GONOSUMDB }}
         GOPROXY: ${{ vars.GOPROXY }}
@@ -67,6 +72,6 @@ jobs:
           --dest-password ${{ secrets.DOCKER_IO_PASSWORD }} \
           --dest-username ${{ secrets.DOCKER_IO_USERNAME }} \
           --src-password ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }} \
-          --src-username volker.raschek \
+          --src-username ${{ github.repository_owner }} \
             docker://git.cryptic.systems/volker.raschek/dcmerge:${TAG} \
             docker://docker.io/volkerraschek/dcmerge:${TAG}

.goreleaser.yaml

@@ -104,6 +104,7 @@ dockers_v2:
 
     io.artifacthub.package.alternative-locations: "docker.io/volkerraschek/{{ .ProjectName }}:{{ .Version }}"
     io.artifacthub.package.keywords: "docker,docker-compose,merge,ci"
+    io.artifacthub.package.logo-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/icons/icon.png"
     io.artifacthub.package.license: "MIT"
     io.artifacthub.package.readme-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/README.md"
 
@@ -311,6 +312,55 @@ sboms:
   - "--enrich=all"
   - "--output=spdx-json=$document"
 
+docker_signs:
+- # ID of the sign config, must be unique.
+  # Only relevant if you want to produce some sort of signature file.
+  #
+  # Default: 'default'.
+  id: container-images
+
+  # Path to the signature command.
+  #
+  # Default: 'cosign'.
+  cmd: cosign
+
+  # Command line arguments for the command.
+  #
+  # Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"].
+  # Templates: allowed.
+  # Note: Using --registry-referrers-mode=legacy ensures signature is stored as sha256-<digest>.sig tag
+  # which is required by ArtifactHub to display the "Signed" badge
+  args:
+  - "sign"
+  - "--key=env://COSIGN_PRIVATE_KEY"
+  - "--yes"
+  - "${artifact}@${digest}"
+
+  # Which artifacts to sign.
+  #
+  #   all:       all artifacts
+  #   none:      no signing
+  #   images:    only docker images
+  #   manifests: only docker manifests
+  #   '':        images built by dockers_v2
+  #
+  # Default: ''.
+  artifacts: manifests
+
+  # IDs of the artifacts to sign.
+  ids:
+  - container-images
+
+  # Stdin data to be given to the signature command as stdin.
+  #
+  # Templates: allowed.
+  stdin: "{{ .Env.COSIGN_PASSPHRASE }}"
+
+  # StdinFile file to be given to the signature command as stdin.
+  # stdin_file: ./passphrase.key
+
+  output: true
+
 gitea_urls:
   api: https://git.cryptic.systems/api/v1
   download: https://git.cryptic.systems

artifacthub-repo.yml

@@ -1,3 +1 @@
 repositoryID: 2a061ce3-fe96-4fbe-b053-eccdb63001bc
-owners:
-- name: Volker Raschek