fix(release): pin to existing cosign binary version v2.5.3 (#79) #80
Closes #79.
What happened
The release workflow added in #16 set `COSIGN_VERSION: 3.9.2` and fed it into the installer's `cosign-release:` input. That's the version of the action (sigstore/cosign-installer), not the binary it installs. cosign is on the v2.x line and v3.9.2 doesn't exist on sigstore/cosign/releases, so the installer's platform-specific download 404'd:

Fix

- `COSIGN_VERSION` to `2.5.3` (the current cosign release; also the bootstrap baseline the action itself runs to self-verify).
- `uses:` line; binary version is pinned via `COSIGN_VERSION`.
- Cross-check https://github.com/sigstore/cosign/releases before bumping the binary.

Test plan

- `python3 -c 'import yaml; yaml.safe_load(open(".forgejo/workflows/release.yml"))'` — passes.
- `v0.0.1-rc.1` (or whatever) tag after merge; "Install cosign" step now downloads `cosign-linux-amd64` from a URL that actually exists; pipeline gets to the sign step.
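The YAML load in the test plan only proves the file parses; it would have accepted the broken pin too. As an added example (not code from this PR or the project), a small lint that catches the mistake described above: it pulls the `COSIGN_VERSION` value and the `sigstore/cosign-installer` ref out of a workflow and flags a binary pin that is off the v2.x line or identical to the action's own version. The workflow excerpts are constructed, and the `${{ env.COSIGN_VERSION }}` wiring into `cosign-release:` is an assumption about how the env value reaches the input.

```python
import re

# Constructed "before" excerpt (not the project's release.yml): the action ref
# and the binary version were both set to the action's 3.9.2.
BROKEN_WORKFLOW = """\
env:
  COSIGN_VERSION: 3.9.2
jobs:
  release:
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.9.2
        with:
          cosign-release: ${{ env.COSIGN_VERSION }}
"""

# The same excerpt with the fix from this PR: binary pinned on the 2.x line.
FIXED_WORKFLOW = BROKEN_WORKFLOW.replace("COSIGN_VERSION: 3.9.2", "COSIGN_VERSION: 2.5.3")

_ENV_RE = re.compile(r"^\s*COSIGN_VERSION:\s*v?(\d+)\.(\d+)\.(\d+)\s*$", re.M)
_USES_RE = re.compile(r"uses:\s*sigstore/cosign-installer@v?(\d+)\.(\d+)\.(\d+)")

# Major line the cosign *binary* is expected on; the installer action is on 3.x.
COSIGN_BINARY_MAJOR = 2


def lint_cosign_pins(workflow_text: str) -> list[str]:
    """Return the problems found with the cosign action/binary pins (empty = OK)."""
    problems: list[str] = []
    env = _ENV_RE.search(workflow_text)
    uses = _USES_RE.search(workflow_text)
    if env is None:
        return ["COSIGN_VERSION is not set; the installer would fall back to its default"]
    binary = tuple(int(x) for x in env.groups())
    if binary[0] != COSIGN_BINARY_MAJOR:
        problems.append(
            f"COSIGN_VERSION {'.'.join(map(str, binary))} is not on the v{COSIGN_BINARY_MAJOR}.x line"
        )
    if uses is not None and tuple(int(x) for x in uses.groups()) == binary:
        problems.append(
            "COSIGN_VERSION equals the cosign-installer action ref; action and binary are versioned separately"
        )
    return problems


if __name__ == "__main__":
    print("broken:", lint_cosign_pins(BROKEN_WORKFLOW))
    print("fixed:", lint_cosign_pins(FIXED_WORKFLOW))
```

Run it against `.forgejo/workflows/release.yml` alongside the `yaml.safe_load` check so a future bump that copies the action version into `COSIGN_VERSION` fails before the release tag is pushed.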