Merge pull request #175 from stackitcloud/fix-pipeline

nburchha · web-flow · commit 5e26216b5880 · 2026-03-11T13:50:51.000+01:00
feat(ci): optimize go caching and wire up release security features
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -22,31 +22,14 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       - name: Install Go
         uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
 
-      - name: Checkout code
-        uses: actions/checkout@v6
-
-      # cache go modules
-      - uses: actions/cache@v5
-        with:
-          # In order:
-          # * Module download cache
-          # * Build cache (Linux)
-          # * Build cache (Mac)
-          # * Build cache (Windows)
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-            ~/Library/Caches/go-build
-            %LocalAppData%\go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
       - name: Downloads the dependencies
         run: make download
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -28,14 +28,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version: stable
-      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+
       - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
 
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -98,3 +98,27 @@ changelog:
     exclude:
       - '^docs:'
       - '^test:'
+
+sboms:
+  - artifacts: archive
+
+# sign checksums/archives using Cosign
+signs:
+  - artifacts: checksum
+    cmd: cosign
+    args:
+      - "sign-blob"
+      - "--key=env://COSIGN_PRIVATE_KEY"
+      - "--output-signature=${signature}"
+      - "--yes"
+      - "${artifact}"
+
+# sign published Docker images using Cosign
+docker_signs:
+  - artifacts: manifests
+    cmd: cosign
+    args:
+      - "sign"
+      - "--key=env://COSIGN_PRIVATE_KEY"
+      - "--yes"
+      - "${artifact}"
