feat: sign release artifacts with cosign

Closes golangci#2462

Author: scop

.github/workflows/tag.yml

@@ -7,6 +7,9 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write  # for cosign
     env:
       # https://github.com/actions/setup-go#supported-version-syntax
       # ex:
@@ -57,6 +60,9 @@ jobs:
       - name: Install snapcraft
         run: sudo snap install snapcraft --classic
 
+      - name: Set up cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 

.goreleaser.yml

@@ -87,6 +87,15 @@ release:
 
     For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}).
 
+signs:
+  - cmd: cosign
+    args:
+      - sign-blob
+      - --bundle=${artifact}.cosign.bundle
+      - --yes
+      - ${artifact}
+    artifacts: checksum
+
 source:
   enabled: true
   name_template: '{{ .ProjectName }}-{{ .Version }}-source'