ci: generate SBOM and sign artifacts using cosign (#4910)

* ci: sign artifacts using cosign

* include SBOM

.goreleaser.yml

@@ -62,9 +62,18 @@ builds:
       goarm: "5"
   flags:
   - -trimpath
+  - -mod=readonly
   ldflags:
   - -s -w
-
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
+    artifacts: all
+sboms:
+  - artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--file", "$sbom", "--output", "cyclonedx-json"]
 archives:
   - format_overrides:
       - goos: windows