e0e4096f93
cosign 3.x flips the new bundle format on by default, which ignores the --output-signature and --output-certificate flags our signs block passes to sign-blob and then aborts trying to write a bundle to an empty path. The last few releases failed at the signing step for exactly this reason. Pin cosign-installer to v2.6.3 so the release keeps producing the checksums.txt.sig and checksums.txt.pem pair, and so the signing tool stops floating to a latest that can break the pipeline without warning.