Pin cosign to 2.x in the release workflow (#49)
cosign 3.x flips the new bundle format on by default, which ignores the --output-signature and --output-certificate flags our signs block passes to sign-blob and then aborts trying to write a bundle to an empty path. The last few releases failed at the signing step for exactly this reason. Pin cosign-installer to v2.6.3 so the release keeps producing the checksums.txt.sig and checksums.txt.pem pair, and so the signing tool stops floating to a latest that can break the pipeline without warning.
This commit is contained in:
@@ -71,7 +71,13 @@ jobs:
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# Tools GoReleaser shells out to for signing and SBOMs.
|
||||
# Pin cosign to the 2.x line. cosign 3.x makes the new bundle format the
|
||||
# default, which ignores the --output-signature/--output-certificate flags
|
||||
# the signs block uses and aborts. Pinning keeps the .sig/.pem outputs and
|
||||
# stops the release tool from floating to a breaking latest.
|
||||
- uses: sigstore/cosign-installer@v4.1.2
|
||||
with:
|
||||
cosign-release: "v2.6.3"
|
||||
- uses: anchore/sbom-action/download-syft@v0.24.0
|
||||
|
||||
- uses: goreleaser/goreleaser-action@v7.2.2
|
||||
|
||||
Reference in New Issue
Block a user