From 9a65f6a5dc675ea3326d869f416122f858d00130 Mon Sep 17 00:00:00 2001
From: James Telfer <792299+jamestelfer@users.noreply.github.com>
Date: Sun, 22 Sep 2024 18:16:48 +1000
Subject: [PATCH] fix: include signature bundles only in release archives

This works by naming the bundle file using the binary name with no OS or architecture information. This works around the issue with GoReleaser not working when artifact attributes are used: https://github.com/goreleaser/goreleaser/issues/5147

The bundle is part of the release archives, so builds are verifiable, but they're not published at the top level of the release. I can live with this.
---
 .goreleaser.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 048482c..8736476 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -22,7 +22,8 @@ builds:
 # If you do this locally, sign with an OAuth identity you don't mind being permanently
 # published to a transparency log.
 binary_signs:
-  - signature: '${artifact}_{{ .Os }}_{{ .Arch }}.cosign.bundle'
+  - id: cosign
+    signature: '${artifact}.cosign.bundle'
     cmd: './ci-only.sh'
     args:
       - "cosign"
@@ -36,12 +37,13 @@ checksum:
   name_template: "checksums.txt"
 
 archives:
-  - format: tar.gz
+  - id: archives
+    format: tar.gz
     name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
     files:
       # cosign produces a bundle file to allow for verification of the artifacts
       # this is included in the archive to allow for easier verification after download
-      - src: '{{ .ArtifactPath }}_{{ .Os }}_{{ .Arch }}.cosign.bundle'
+      - src: '{{ .ArtifactPath }}.cosign.bundle'
         strip_parent: true
 
 changelog:
@@ -52,6 +54,9 @@ changelog:
 release:
   disable: "{{ .Env.RELEASE_DISABLE }}"
+  ids:
+    - archives
+ prerelease: auto header: | Distributions for this release are published as binaries and a Docker image.
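Review bot: The renamed bundle `signature: '${artifact}.cosign.bundle'` ends up shipped inside the release archive, but nothing in the `binary_signs` section records which signer identity a consumer is expected to pin when verifying, so the comment above it should state that. I would extend the existing comment with a line such as `# Verify with: cosign verify-blob --bundle <binary>.cosign.bundle --certificate-identity <expected identity> --certificate-oidc-issuer <expected issuer> <binary>`, because a bundle verified without pinning identity and issuer only proves that somebody with a transparency-logged identity signed the file. The `args` list and the `./ci-only.sh` wrapper continue outside the hunk, so whether the signing identity is fixed there cannot be seen from this change.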
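Review bot: The `src: '{{ .ArtifactPath }}.cosign.bundle'` entry hard-couples the archive step to the `binary_signs` step: when signing is skipped (`--skip=sign`, or a local run in which `./ci-only.sh` does not invoke cosign) the bundle file does not exist, and as far as I recall goreleaser fails the archive when a `files` entry matches nothing rather than silently omitting it. If unsigned local builds are still meant to produce archives, that expectation should be written down next to the entry, e.g. `# the bundle must exist: archiving fails when the signing step is skipped`. The comment above the entry could also spell out that the bundle attests the binary only, not the archive or `checksums.txt`, so a consumer extracts the binary and verifies it against the bundle placed beside it by `strip_parent: true`.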