From e0e4096f93db0a95fa9e5b40882aef7cc5b03d05 Mon Sep 17 00:00:00 2001 From: Tam Nguyen Duc <1218621+tamnd@users.noreply.github.com> Date: Fri, 19 Jun 2026 22:31:26 +0700 Subject: [PATCH] Pin cosign to 2.x in the release workflow (#49) cosign 3.x flips the new bundle format on by default, which ignores the --output-signature and --output-certificate flags our signs block passes to sign-blob and then aborts trying to write a bundle to an empty path. The last few releases failed at the signing step for exactly this reason. Pin cosign-installer to v2.6.3 so the release keeps producing the checksums.txt.sig and checksums.txt.pem pair, and so the signing tool stops floating to a latest that can break the pipeline without warning. --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 108f13b..04a41fe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -71,7 +71,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} # Tools GoReleaser shells out to for signing and SBOMs. + # Pin cosign to the 2.x line. cosign 3.x makes the new bundle format the + # default, which ignores the --output-signature/--output-certificate flags + # the signs block uses and aborts. Pinning keeps the .sig/.pem outputs and + # stops the release tool from floating to a breaking latest. - uses: sigstore/cosign-installer@v4.1.2 + with: + cosign-release: "v2.6.3" - uses: anchore/sbom-action/download-syft@v0.24.0 - uses: goreleaser/goreleaser-action@v7.2.2