Release workflow installs a non-existent cosign version #79
The release workflow's "Install cosign" step fails on every tag push:
cosign v3.9.2 does not exist — cosign is on the v2.x line; v2.5.3 is the current release (which is exactly what the action's bootstrap step downloads as its own self-verification baseline).
The mix-up landed in #16: I pinned `sigstore/cosign-installer@d58896d…` and called the tag "v3.9.2", which is correct for the installer action. But I then set `COSIGN_VERSION: 3.9.2` in the workflow `env:` and fed it into `cosign-release:`, which controls the cosign binary version. Two different version namespaces.

Scope

`COSIGN_VERSION` to `2.5.3` in `.forgejo/workflows/release.yml`.

Acceptance criteria

v0.0.1-rc.1) gets past the "Install cosign" step.

`COSIGN_VERSION` calls out that this is the cosign binary version, distinct from the `sigstore/cosign-installer` action version pinned on the `uses:` line.

Part of epic #2. Follow-up from #16.
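
A lint for the mix-up this issue describes, added here as an example and not taken from the repository: it flags a workflow whose resolved `cosign-release:` value equals the tag noted for the installer action. The trailing `# v3.9.2` comment on the `uses:` line, the `v${{ env.COSIGN_VERSION }}` wiring, the `<PLACEHOLDER_SHA>` ref and the function names are assumptions; the match is a heuristic, since the two projects version independently.

```python
import re

# Constructed sample modelled on the issue. The SHA is a placeholder and the
# "# v3.9.2" tag comment plus the env wiring are assumed, not from the repo.
SAMPLE_WORKFLOW = """\
env:
  COSIGN_VERSION: 3.9.2
jobs:
  release:
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@<PLACEHOLDER_SHA> # v3.9.2
        with:
          cosign-release: v${{ env.COSIGN_VERSION }}
"""

USES_RE = re.compile(
    r"uses:\s*sigstore/cosign-installer@(?P<ref>\S+)(?:\s+#\s*(?P<tag>\S+))?")
RELEASE_RE = re.compile(r"cosign-release:\s*(?P<val>.+?)\s*$", re.M)
ENV_REF_RE = re.compile(r"\$\{\{\s*env\.(\w+)\s*\}\}")

def env_value(text, name):
    """Literal value of a `NAME: value` line in the workflow, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1).strip("'\"") if m else None

def resolve(expr, text):
    """Expand ${{ env.NAME }} references with values found in the file."""
    return ENV_REF_RE.sub(
        lambda m: env_value(text, m.group(1)) or m.group(0),
        expr.strip("'\""))

def norm(version):
    """Drop a leading 'v' so 'v3.9.2' and '3.9.2' compare equal."""
    return version.lstrip("vV") if version else version

def check_workflow(text):
    """Return findings where the binary version mirrors the action tag."""
    uses, rel = USES_RE.search(text), RELEASE_RE.search(text)
    if not uses or not rel:
        return []
    action_tag = norm(uses.group("tag"))
    binary = norm(resolve(rel.group("val"), text))
    if action_tag and binary == action_tag:
        return [f"cosign-release resolves to {binary}, the same as the "
                f"installer action tag; these are separate version namespaces"]
    return []

if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print("FAIL:", finding)
```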