From 0510512074828d6890b3778e1f33a7a4b1e8f3f3 Mon Sep 17 00:00:00 2001 From: TheAbider <51920546+TheAbider@users.noreply.github.com> Date: Mon, 13 Jul 2026 13:37:43 -0700 Subject: [PATCH] ci(deps): bump cosign-installer to v4.1.2, pin cosign CLI to v2.5.2 Supersedes Dependabot #59. Bumping sigstore/cosign-installer from v3 to v4.1.2 changes its default cosign CLI to v3.0.6, which removed the sign-blob --output-signature / --output-certificate flags the release signing step uses (v3 replaced them with --bundle). Pinning cosign-release to v2.5.2 keeps the detached .sig/.pem signing working while taking the updated installer action. --- .github/workflows/ci.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4c3057d..125b2ad 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,7 +216,15 @@ jobs: # ───────────────────────────────────────────────────────────────────────── - name: Install cosign if: steps.vercheck.outputs.bumped == 'true' && steps.releasecheck.outputs.exists == 'false' - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 + with: + # Pin the cosign CLI to v2.x. The signing step below uses + # sign-blob --output-signature / --output-certificate to emit the + # detached .sig + .pem alongside each artifact. cosign v3 removed + # those flags in favour of --bundle, so an unpinned installer would + # silently break release signing. Keep the installer action current + # while holding the CLI on the flags this workflow relies on. + cosign-release: 'v2.5.2' - name: Sign release artifacts with cosign (keyless) if: steps.vercheck.outputs.bumped == 'true' && steps.releasecheck.outputs.exists == 'false'