diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d10d01c..029ca04 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,7 +216,15 @@ jobs: # ───────────────────────────────────────────────────────────────────────── - name: Install cosign if: steps.vercheck.outputs.bumped == 'true' && steps.releasecheck.outputs.exists == 'false' - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 + with: + # Pin the cosign CLI to v2.x. The signing step below uses + # sign-blob --output-signature / --output-certificate to emit the + # detached .sig + .pem alongside each artifact. cosign v3 removed + # those flags in favour of --bundle, so an unpinned installer would + # silently break release signing. Keep the installer action current + # while holding the CLI on the flags this workflow relies on. + cosign-release: 'v2.5.2' - name: Sign release artifacts with cosign (keyless) if: steps.vercheck.outputs.bumped == 'true' && steps.releasecheck.outputs.exists == 'false'