Skip to content

ci(deps): bump cosign-installer to v4.1.2, pin cosign CLI to v2.5.2#86

Merged
TheAbider merged 2 commits into
masterfrom
ci/cosign-installer-v4-pin-cli
Jul 13, 2026
Merged

ci(deps): bump cosign-installer to v4.1.2, pin cosign CLI to v2.5.2#86
TheAbider merged 2 commits into
masterfrom
ci/cosign-installer-v4-pin-cli

Conversation

@TheAbider

Copy link
Copy Markdown
Owner

Supersedes #59.

Dependabot #59 bumps sigstore/cosign-installer v3 → v4.1.2. That installer's default cosign CLI is v3.0.6, which removed the sign-blob --output-signature / --output-certificate flags used by the release signing step (v3 replaced them with --bundle). Because that step swallows failures in a Write-Warning, a blind bump would silently ship releases with no .sig/.pem signatures and drop the Signed-Releases posture.

This PR takes the installer bump and pins the cosign CLI to v2.5.2 via cosign-release, so detached signing keeps working unchanged. Closes out #59.

Supersedes Dependabot #59. Bumping sigstore/cosign-installer from v3 to
v4.1.2 changes its default cosign CLI to v3.0.6, which removed the
sign-blob --output-signature / --output-certificate flags the release
signing step uses (v3 replaced them with --bundle). Pinning cosign-release
to v2.5.2 keeps the detached .sig/.pem signing working while taking the
updated installer action.
@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@TheAbider TheAbider merged commit 36c733d into master Jul 13, 2026
6 checks passed
@TheAbider TheAbider deleted the ci/cosign-installer-v4-pin-cli branch July 13, 2026 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant