Set up GitHub Actions based releasing

Adding signing w/ cosign along the way..

.github/workflows/release.yml

@@ -0,0 +1,31 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: true
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
+        with:
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_PUBLISH_TOKEN: ${{ secrets.HOMEBREW_TAP_PUBLISH_TOKEN }}

.goreleaser.yaml

@@ -11,8 +11,22 @@ builds:
     goarch:
       - amd64
       - arm64
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - "--oidc-provider=github-actions"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - --yes
+    artifacts: all
+    output: true
 brews:
   - name: git-wip
     repository:
       owner: carhartl
       name: homebrew-tap
+      token: "{{ .Env.HOMEBREW_TAP_PUBLISH_TOKEN }}"

release.sh

@@ -2,8 +2,5 @@
 
 set -eu
 
-git stash --include-untracked # make way for Goreleaser
 git tag "v$1" -m "Release v$1"
 git push --tags
-goreleaser release --clean
-git stash pop --index