From 823aad9a9ee8e056cdd746188a8b6566da420125 Mon Sep 17 00:00:00 2001
From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Date: Mon, 27 Apr 2026 21:11:29 -0700
Subject: [PATCH] feat(release): cosign-sign published docker images

Adds a docker_signs block to .goreleaser.yml so each released image gets a keyless cosign signature (same OIDC trust chain as the existing checksum signing). Updates the release footer with the cosign verify command for users.

Refs #108 (item 9)
---
 .goreleaser.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 635d160..3b46564 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -52,6 +52,15 @@ signs:
       - "--bundle=${signature}"
       - "${artifact}"
 
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - "sign"
+      - "--yes"
+      - "${artifact}@${digest}"
+
 changelog:
   sort: asc
   filters:
@@ -132,4 +141,9 @@ release:
         --certificate-identity-regexp "github.com/Infisical/agent-vault" \
         --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
         checksums.txt
+
+      # Verify Docker image signature (requires cosign)
+      cosign verify infisical/agent-vault:{{ .Version }} \
+        --certificate-identity-regexp "github.com/Infisical/agent-vault" \
+        --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
       ```
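Review bot: The new `docker_signs` block carries no comment explaining that this is keyless signing (the commit message says it reuses the checksum-signing OIDC trust chain) or why `--yes` is passed, so the next maintainer cannot tell a prompt-suppressing CI flag from a security-relevant option. A comment above `docker_signs:` such as `# Keyless (OIDC) cosign signature per pushed image/manifest, bound to the digest, not the tag; --yes only suppresses the interactive consent prompt (CI use only)` would state both. Signing `${artifact}@${digest}` is the right choice because the signature then binds to the immutable digest, but unlike the `signs:` entry above, which writes a `--bundle` file, the image signature is stored in the registry, so the release job presumably needs push access to that repository in addition to its OIDC token permission; worth noting where the workflow permissions are documented.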
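Review bot: The `--certificate-identity-regexp "github.com/Infisical/agent-vault"` on the new `cosign verify` line is an unanchored regular expression, so it also accepts a certificate issued to any identity that merely contains that substring (a differently named repository under the same owner would match), and the unescaped dots match any character. The checksum command above it inherits the same pattern, so this is not introduced here, but the image command is the one users will copy; anchoring it to the signing workflow, e.g. `--certificate-identity-regexp '^https://github\.com/Infisical/agent-vault/\.github/workflows/<RELEASE_WORKFLOW>\.yml@refs/tags/v.*$'` (workflow filename to be filled in from the repository), narrows verification to the intended signer. Verifying by tag works because cosign resolves the tag to a digest before checking, but documenting the `infisical/agent-vault@sha256:<digest>` form alongside it would let users verify exactly the image they go on to run. The `release:` footer block begins outside the hunk.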