build(): Sign releaser artifacts, not only container manifests (#2789)

.github/workflows/test.yaml

@@ -113,7 +113,7 @@ jobs:
       uses: goreleaser/goreleaser-action@v3
       with:
         version: v1.4.1
-        args: release --snapshot --rm-dist --skip-publish --timeout 90m
+        args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
 
   build-documents:
     name: Documentation Test

goreleaser.yml

@@ -235,6 +235,21 @@ docker_manifests:
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le'
 
+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args:
+    - "sign-blob"
+    - "--oidc-issuer=https://token.actions.githubusercontent.com"
+    - "--output-certificate=${certificate}"
+    - "--output-signature=${signature}"
+    - "${artifact}"
+  artifacts: all
+  output: true
+
 docker_signs:
 - cmd: cosign
   env: