From e5c7d1be2557044fbbca9b180a3c798be29ef553 Mon Sep 17 00:00:00 2001
From: cpanato
Date: Wed, 23 Mar 2022 15:18:07 +0100
Subject: [PATCH 1/2] add job to cut a release
Signed-off-by: cpanato
---
 .github/workflows/release.yml | 42 +++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..4f92e479
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,42 @@
+name: Cut Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_tag:
+ required: true
+ type: string
+ description: 'Release tag'
+
+jobs:
+ cut-release:
+ runs-on: ubuntu-latest
+
+ permissions:
+ id-token: write
+ contents: write
+
+ steps:
+ - uses: actions/setup-go@v2.2.0
+ with:
+ go-version: 1.17.x
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v2.1.0
+
+ - name: Install GoReleaser
+ uses: goreleaser/goreleaser-action@v2.9.1
+ with:
+ install-only: true
+
+ - uses: actions/checkout@v2
+
+ - name: Config git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Mage Release
+ run: go run main.go release ${{ github.event.inputs.release_tag }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 6cb9558654037b603ff4c60c9a2e4afb4b7f646c Mon Sep 17 00:00:00 2001
From: cpanato
Date: Wed, 23 Mar 2022 15:30:27 +0100
Subject: [PATCH 2/2] add signing
---
 .goreleaser.yml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 4123b2dc..999f28e2 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,9 +1,14 @@
 project_name: mage
+
+env:
+ - COSIGN_EXPERIMENTAL=true
+
 release:
 github:
 owner: magefile
 name: mage
 draft: true
+
 build:
 binary: mage
 main: .
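Review bot: In `.github/workflows/release.yml`, the `Mage Release` step expands `${{ github.event.inputs.release_tag }}` directly into the `run:` script, so the tag text is parsed by the shell before `go run` receives it, in a job that holds `contents: write`, `id-token: write` and `GITHUB_TOKEN`. Pass the input through the environment and quote it: add `RELEASE_TAG: ${{ github.event.inputs.release_tag }}` under the step's `env:` and change the command to `run: go run main.go release "$RELEASE_TAG"`. Because this job can request OIDC tokens that are used for signing, the third-party actions (`sigstore/cosign-installer@v2.1.0`, `goreleaser/goreleaser-action@v2.9.1`) would be safer pinned to full commit SHAs than to tags.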
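Review bot: The new top-level `env` entry `COSIGN_EXPERIMENTAL=true` in `.goreleaser.yml` has no explanation, and its effect depends on the `id-token: write` permission that is declared in a different file. A comment above it would help, for example `# keyless cosign signing; requires the release workflow to grant id-token: write`. The variable is set for the whole GoReleaser run, so it presumably also applies when a maintainer runs a release outside CI, which is worth stating in the same comment.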
@@ -26,9 +31,9 @@ build:
 goarm: 6
 env:
 - CGO_ENABLED=0
+
 archives:
--
- name_template: "{{.Binary}}_{{.Version}}_{{.Os}}-{{.Arch}}"
+- name_template: "{{.Binary}}_{{.Version}}_{{.Os}}-{{.Arch}}"
 replacements:
 amd64: 64bit
 386: 32bit
@@ -47,7 +52,17 @@ archives:
 format: zip
 files:
 - LICENSE
+
+signs:
+ - id: all
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ cmd: cosign
+ args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
+ artifacts: all
+
 snapshot:
 name_template: SNAPSHOT-{{ .Commit }}
+
 checksum:
 name_template: '{{ .ProjectName }}_{{ .Version }}_checksums.txt'
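Review bot: The `signs` entry uses `artifacts: all`, so cosign is invoked once per archive and once for the checksum file, each producing its own `.sig` and `.pem`; signing only the checksum file with `artifacts: checksum` would cover every archive through its digest with a single signature and certificate. With `COSIGN_EXPERIMENTAL=true` set earlier in this file, each signing is, as far as I know, also recorded in the public Rekor transparency log, and that happens even though `release.draft: true` keeps the GitHub release unpublished. The `.pem` certificates only help if consumers check the identity inside them, so the README or release notes should state which workflow identity a valid certificate is expected to carry.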