ci: remove signing (#394)

* ci: remove signing * docs: remove signing docs
SchwarzIT · Aug 1, 2024 · 2f6fb3c · 2f6fb3c
1 parent 6c36459
commit 2f6fb3c
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 27 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -31,8 +31,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
-      - uses: anchore/sbom-action/download-syft@719133684c7d294116626d1344fe64f0d2ff3e9e # v0.15.2
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
         with:

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -35,19 +35,6 @@ source:
 checksum:
   name_template: 'checksums.txt'
 
-signs:
-  - cmd: cosign
-    env:
-      - COSIGN_EXPERIMENTAL=1
-    certificate: '${artifact}.pem'
-    args:
-      - sign-blob
-      - '--output-certificate=${certificate}'
-      - '--output-signature=${signature}'
-      - '${artifact}'
-    artifacts: checksum
-    output: true
-
 archives:
   - format: tar.gz
     name_template: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}'

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -83,30 +83,22 @@ Values can then be accessed with template expressions like for example `{{ .Exte
 
 ### Release via GoReleaser
 
-We use for the release of the `go-template` project [GoReleaser](https://goreleaser.com/). `GoReleaser` is a tool that 
+We use for the release of the `go-template` project [GoReleaser](https://goreleaser.com/). `GoReleaser` is a tool that
 helps you to release your projects in a fast and easy way.
 
 Important is the `.goreleaser.yaml` file which is used to configure the release process.
 
-We can start locale builds with adding the `--snapshot` flag to the `goreleaser` command. The `--snapshot` flag will 
+We can start locale builds with adding the `--snapshot` flag to the `goreleaser` command. The `--snapshot` flag will
 disable some of the phases, like creating a release tag and pushing to the remote.
 
 ```bash
 goreleaser build --rm-dist --snapshot
 ```
 
-or even a release with: 
+or even a release with:
+
 ```bash
 goreleaser release --snapshot --rm-dist
 ```
 
 Check the great documentation of GoReleaser [here](https://goreleaser.com/intro/) for further information.
-
-#### Cosign and Syft
-
-During the release process we use `cosign` to keyless sign the release artifacts.
-
-On top of that, we use `syft` to generate a Software Bill of Materials (SBOM) from our go modules.
-
-Check the docs for [`syft`](https://github.com/anchore/syft) and [`cosign`](https://github.com/sigstore/cosign) 
-for further information.