From 5fe730fd0ca6856c6936e264f79c5fb39c88c09a Mon Sep 17 00:00:00 2001
From: Manas Srivastava
Date: Thu, 11 Jun 2026 00:48:14 +0530
Subject: [PATCH] =?UTF-8?q?fix(release):=20bump=20cosign=20v2.4.1=20?=
 =?UTF-8?q?=E2=86=92=20v2.6.3=20so=20goreleaser-action=20can=20verify=20it?=
 =?UTF-8?q?s=20download=20bundle?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v0.3.0 release run (27300066093) failed before goreleaser even started: goreleaser-action verifies the downloaded goreleaser binary against checksums.txt.sigstore.json, and cosign v2.4.1 cannot read the new-style protobuf sigstore bundle goreleaser v2.16.0 publishes ('bundle does not contain cert for verification, please provide public key'). v2.6.3 (latest v2 line) reads the new bundle format while keeping our signs: invocation (sign-blob --output-signature --output-certificate --yes) contract-identical.

Co-Authored-By: Claude Fable 5
---
 .github/workflows/release.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 858a8ce..ffcf31c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,7 +53,15 @@ jobs:
 # pinned: tag v3.7.0
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6
 with:
- cosign-release: 'v2.4.1'
+ # v2.6.3 (latest v2 line). The v0.3.0 release run failed BEFORE
+ # goreleaser even started: goreleaser-action verifies its own
+ # download against checksums.txt.sigstore.json, and cosign v2.4.1
+ # cannot read the new-style protobuf sigstore bundle goreleaser
+ # v2.16.0 ships ("bundle does not contain cert for verification").
+ # Staying on the v2 line keeps our signs: invocation
+ # (sign-blob --output-signature/--output-certificate --yes)
+ # contract-identical.
+ cosign-release: 'v2.6.3'
 - name: Install syft (SBOM)
 # pinned: tag v0.20.0