ci: sign releases with gpg

.github/workflows/release.yaml

@@ -34,6 +34,11 @@ jobs:
           go-version-file: "go.mod"
         if: ${{ steps.release.outputs.release_created }}
 
+      - name: Import GPG key for signing
+        run: echo "${GPG_PRIVATE_KEY}" | gpg --import
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -42,6 +47,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GENERAL_GITHUB_SECRET }} # The tokens needs access to another repo, so the secret.GITHUB_SECRET won't suffice
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }} # Gemfury token
+          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }} # Fingerprint of GPG signing key
         if: ${{ steps.release.outputs.release_created }}
 
       - name: Comment on prs and issues

.goreleaser.yml

@@ -86,3 +86,6 @@ publishers:
       - packages
     dir: "{{ dir .ArtifactPath }}"
     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/multi-gitter/
+signs:
+  - artifacts: checksum
+    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]