Release workflow installs a non-existent cosign version #79

Closed
opened 2026-06-17 17:51:41 +00:00 by james · 0 comments
Owner

The release workflow's "Install cosign" step fails on every tag push:

INFO: Downloading bootstrap version 'v2.5.3' of cosign to verify version to be installed...
      https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-linux-amd64
INFO: Custom cosign version 'v3.9.2' requested
INFO: Downloading platform-specific version 'v3.9.2' of cosign...
      https://github.com/sigstore/cosign/releases/download/v3.9.2/cosign-linux-amd64
⚙️ [runner]: exitcode '22': failure

cosign v3.9.2 does not exist — cosign is on the v2.x line; v2.5.3 is the current release (which is exactly what the action's bootstrap step downloads as its own self-verification baseline).

The mix-up landed in #16: I pinned sigstore/cosign-installer@d58896d… and called the tag "v3.9.2", which is correct for the installer action. But I then set COSIGN_VERSION: 3.9.2 in the workflow env: and fed it into cosign-release:, which controls the cosign binary version. Two different version namespaces.

Scope

  • Drop COSIGN_VERSION to 2.5.3 in .forgejo/workflows/release.yml.
  • Tighten the comment next to the env var so the action-version vs binary-version distinction is unambiguous for future bumps.

Acceptance criteria

  • Next tag push (v0.0.1-rc.1) gets past the "Install cosign" step.
  • The comment near COSIGN_VERSION calls out that this is the cosign binary version, distinct from the sigstore/cosign-installer action version pinned on the uses: line.

Part of epic #2. Follow-up from #16.
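A trimmed workflow fragment showing the two version namespaces side by side, written here as an added example and not the project's actual `.forgejo/workflows/release.yml`. The `<full-commit-sha>` placeholder stands in for the pinned cosign-installer commit (the issue shows it truncated as `d58896d…`), the `actions/checkout` pin is hypothetical, and the `v${{ env.COSIGN_VERSION }}` glue is an assumption about how the env var is fed into `cosign-release:` (the issue's log shows the installer requesting `'v3.9.2'` from an env value of `3.9.2`, but the workflow line itself is not quoted). The final step is a sanity check that the binary actually installed is the one the env var names; the installer's `exitcode '22'` in the log is curl's `--fail` status for an HTTP error, here a 404 on a tag that does not exist.

```yaml
# Added example, not the project's release.yml: an "Install cosign" job that
# keeps the cosign-installer ACTION version and the cosign BINARY version
# visibly separate so a future bump cannot mix them up again.
name: release
on:
  push:
    tags: ['v*']

env:
  # Version of the cosign BINARY that sigstore/cosign-installer downloads.
  # This is NOT the version of the sigstore/cosign-installer ACTION, which is
  # pinned by commit SHA on the `uses:` line below (action tag v3.9.2).
  # cosign itself is on the v2.x line: v2.5.3 exists, v3.9.2 does not.
  COSIGN_VERSION: 2.5.3

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # hypothetical pin, not from the issue

      - name: Install cosign
        # ACTION version: tag v3.9.2, pinned by full commit SHA so the tag
        # cannot be retargeted. <full-commit-sha> is a placeholder; the real
        # value is the commit the issue shows truncated as d58896d…
        uses: sigstore/cosign-installer@<full-commit-sha> # v3.9.2
        with:
          # BINARY version. Assumption: the leading "v" is added here, matching
          # the "Custom cosign version 'v3.9.2' requested" line in the log.
          cosign-release: v${{ env.COSIGN_VERSION }}

      - name: Verify installed cosign matches COSIGN_VERSION
        # `cosign version` prints a "GitVersion:" line; fail the job if the
        # binary on PATH is not the one the env var claims.
        run: |
          cosign version
          cosign version 2>&1 | grep -F 'GitVersion:' | grep -F "v${COSIGN_VERSION}"
```

The verify step is cheap and catches the other failure mode this layout invites: a bump of the `uses:` SHA that silently changes the installer's default `cosign-release` while `COSIGN_VERSION` is left stale.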

james closed this issue 2026-06-17 17:54:03 +00:00
Reference
james/carol#79