From b9bb3b5c0e4b56b1f34d0a0b9e576fb18c422cec Mon Sep 17 00:00:00 2001
From: amirejaz
Date: Fri, 17 Oct 2025 16:44:15 +0100
Subject: [PATCH 1/2] add --bundle flag to cosign signing args for v3 compatibility
---
 .goreleaser.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 778e22a67..f9dead310 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,6 +106,7 @@ signs:
 - "sign-blob"
 - "--output-signature=${signature}"
 - "--output-certificate=${certificate}"
+ - "--bundle=${signature}" # added for cosign v3: required when using --output-signature or --signing-config
 - "${artifact}"
 - "--yes" # needed on cosign 2.0.0+
 artifacts: archive
From a38e91faa051bebbebe0155d5445b12ab27a668a Mon Sep 17 00:00:00 2001
From: amirejaz
Date: Fri, 17 Oct 2025 17:12:37 +0100
Subject: [PATCH 2/2] revert back to cosign v4
---
 .github/workflows/image-build-and-publish.yml | 8 ++++----
 .github/workflows/releaser-helm-charts.yml | 2 +-
 .github/workflows/releaser.yml | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/image-build-and-publish.yml b/.github/workflows/image-build-and-publish.yml
index 382716314..ce9cb5704 100644
--- a/.github/workflows/image-build-and-publish.yml
+++ b/.github/workflows/image-build-and-publish.yml
@@ -51,7 +51,7 @@ jobs:
 uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 - name: Install Cosign
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Build and Push Image to GHCR
 env:
@@ -149,7 +149,7 @@ jobs:
 - name: Install Cosign
 if: startsWith(github.ref, 'refs/tags/')
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Sign container image
 if: startsWith(github.ref, 'refs/tags/')
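Review bot: In the `.goreleaser.yaml` hunk the added `--bundle=${signature}` reuses the path already given to `--output-signature=${signature}`, so two different outputs are directed at one file and the published signature artifact presumably holds whichever cosign writes last. Anyone verifying a release with the detached-signature flow (`--signature` plus `--certificate`) would then be handed a file in a different format; the `signature:` template and any verification instructions sit outside this hunk, so check both. If the bundle is meant to be the released artifact, make it the only writer by dropping the `--output-signature` and `--output-certificate` args and naming the template accordingly, e.g. `signature: "${artifact}.sigstore.json"`; otherwise give the bundle its own path. The trailing comment would then be more useful as `# cosign v3 writes a Sigstore bundle; verify with cosign verify-blob --bundle`.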
@@ -214,7 +214,7 @@ jobs:
 uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 - name: Install Cosign
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Build and Push Image to GHCR
 env:
@@ -294,7 +294,7 @@ jobs:
 uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 - name: Install Cosign
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Build and Push Image to GHCR
 env:
diff --git a/.github/workflows/releaser-helm-charts.yml b/.github/workflows/releaser-helm-charts.yml
index 5f1df1be7..591663d5a 100644
--- a/.github/workflows/releaser-helm-charts.yml
+++ b/.github/workflows/releaser-helm-charts.yml
@@ -43,7 +43,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Install Cosign
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Publish and Sign OCI Charts
 run: |
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
index fd7567baf..9d629c647 100644
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -75,7 +75,7 @@ jobs:
 uses: anchore/sbom-action/download-syft@aa0e114b2e19480f157109b9922bda359bd98b90 # v0.20.8
 - name: Install Cosign
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Build and Verify Binary Version
 env: