feat: cosign support for release binaries

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: "Release"
+name: Release
 
 on:
   push:
@@ -14,17 +14,55 @@ jobs:
         run: rm -rf /opt/hostedtoolcache
 
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22
+          go-version: 1.23
 
       - run: echo https://github.com/icon-project/centralized-relay/blob/${GITHUB_REF#refs/tags/}/CHANGELOG.md#${GITHUB_REF#refs/tags/} > ../release_notes.md
 
       - name: release publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         run: make release
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build relayer image
+        id: build-and-push-relayer
+        uses: docker/build-push-action@v6
+        with:
+          context: https://github.com/icon-project/relayer-docker.git#relayer
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            - RELAYER_VERSION=${{ github.ref }}
+          tags: |
+            iconcommunity/centralized-relay:latest
+            iconcommunity/centralized-relay:${{ github.ref }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign relayer image
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY iconcommunity/centralized-relay:latest
+          cosign sign --key env://COSIGN_PRIVATE_KEY iconcommunity/centralized-relay:${{ github.ref }}

.goreleaser.yaml

@@ -104,4 +104,17 @@ checksum:
 
 release:
   prerelease: auto
-  draft: true
+  draft: false
+  extra_files:
+    - glob: dist/*.sig
+
+signs:
+  - cmd: cosign
+    stdin: "{{ .Env.COSIGN_PASSWORD }}"
+    args:
+      - "sign-blob"
+      - "${artifact}"
+      - "--key=env://COSIGN_PRIVATE_KEY"
+      - "--output-signature=${signature}"
+      - "--yes"
+    artifacts: all

Makefile

@@ -47,7 +47,7 @@ test-all:
 	@go test -v ./...
 
 PACKAGE_NAME          := github.com/icon-project/centralized-relay
-GOLANG_CROSS_VERSION  ?= v1.22.4
+GOLANG_CROSS_VERSION  ?= v1.23.3
 LIBWASM_VERSION 		 ?= v2.1.0
 
 SYSROOT_DIR     ?= sysroots
@@ -56,21 +56,25 @@ SYSROOT_ARCHIVE ?= sysroots.tar.bz2
 
 .PHONY: release-dry-run
 release-dry-run:
+	@echo "dry-run release..."
 	@docker run \
 		--rm \
 		--env LIBWASM_VERSION=$(LIBWASM_VERSION) \
+		--env COSIGN_PASSWORD=$(COSIGN_PASSWORD) \
+		--env COSIGN_PRIVATE_KEY=$(COSIGN_PRIVATE_KEY) \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		-v `pwd`:/go/src/$(PACKAGE_NAME) \
 		-w /go/src/$(PACKAGE_NAME) \
 		goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \
 		--clean --auto-snapshot
 
 .PHONY: release
-release:
 	docker run \
 		--rm \
 		--env GITHUB_TOKEN \
 		--env LIBWASM_VERSION=$(LIBWASM_VERSION) \
+		--env COSIGN_PASSWORD=(env COSIGN_PASSWORD) \
+		--env COSIGN_PRIVATE_KEY(env COSIGN_PRIVATE_KEY) \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		-v `pwd`:/go/src/$(PACKAGE_NAME) \
 		-w /go/src/$(PACKAGE_NAME) \

release/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA8aqhFqounF+m2BwOy2N/kYL59tO
+7tKk12iIR5mKhhhfA4ptXopAxGlo79cddKjqXDHtVUzNQg4tccwKK1tWEw==
+-----END PUBLIC KEY-----