switch to keyless signing

Author: Niklas Burchhardt

.github/workflows/release.yaml

@@ -52,6 +52,4 @@ jobs:
           version: latest
           args: release --clean
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_KEY_PASSWORD}}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -76,11 +76,12 @@ sboms:
 signs:
   - artifacts: checksum
     cmd: cosign
+    certificate: "{artifact}.pem"
     args:
       - "sign-blob"
-      - "--key=env://COSIGN_PRIVATE_KEY"
       - "--output-signature=${signature}"
       - "--bundle=${artifact}.bundle"
+      - "--output-certificate=${certificate}"
       - "--yes"
       - "${artifact}"
 
@@ -89,6 +90,5 @@ docker_signs:
   - cmd: cosign
     args:
       - "sign"
-      - "--key=env://COSIGN_PRIVATE_KEY"
       - "--yes"
       - "${artifact}"