go release yaml updated

.github/workflows/release.yml

@@ -11,7 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
     permissions:
-      contents: write
+      contents: read
+      packages: write
       id-token: write
     steps:
       - name: Checkout
@@ -43,6 +44,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.TAG_NAME }}
 
+      - name: Verify checksums signature
+        run: |
+          cosign verify-blob \
+            --cert ${{ checksums_file_certificate }} \
+            --signature ${{ checksums_file_signature }} \
+            --certificate-identity-regexp=https://github.com/carvel-dev \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            ${{ checksums_file }}
+
       - uses: actions/github-script@v4
         id: get-checksums-from-draft-release
         if: startsWith(github.ref, 'refs/tags/')

.goreleaser.yml

@@ -35,6 +35,19 @@ checksum:
   name_template: 'checksums.txt'
   algorithm: sha256
   disable: false
+
+signs:
+  - artifacts: checksum
+    certificate: '${artifact}.pem'
+    cmd: cosign
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    output: true
+
 snapshot:
   name_template: "{{ .Tag }}-next"
 release: