fix(release): pin to existing cosign binary version v2.5.3 (#79) #80

Merged
james merged 1 commit from 79-cosign-version-fix into main 2026-06-17 17:54:03 +00:00
Owner

Closes #79.

What happened

The release workflow added in #16 set COSIGN_VERSION: 3.9.2 and fed it into the installer's cosign-release: input. That's the version of the action (sigstore/cosign-installer), not the binary it installs. cosign is on the v2.x line and v3.9.2 doesn't exist on sigstore/cosign/releases, so the installer's platform-specific download 404'd:

INFO: Custom cosign version 'v3.9.2' requested
INFO: Downloading platform-specific version 'v3.9.2' of cosign...
      https://github.com/sigstore/cosign/releases/download/v3.9.2/cosign-linux-amd64
⚙️ [runner]: exitcode '22': failure

Fix

  • Drop COSIGN_VERSION to 2.5.3 (the current cosign release; also the bootstrap baseline the action itself runs to self-verify).
  • Expand the comment on that env var so future bumps don't repeat the mix-up: installer-action version is pinned on the uses: line; binary version is pinned via COSIGN_VERSION. Cross-check https://github.com/sigstore/cosign/releases before bumping the binary.

Test plan

  • python3 -c 'import yaml; yaml.safe_load(open(".forgejo/workflows/release.yml"))' — passes.
  • Push a fresh v0.0.1-rc.1 (or whatever) tag after merge; "Install cosign" step now downloads cosign-linux-amd64 from a URL that actually exists; pipeline gets to the sign step.
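The two separate pins the description distinguishes, as an added workflow fragment (not the project's own `release.yml`, whose contents this page does not show). The `@v3` tag on `uses:`, the `v` prefix added when passing the value to `cosign-release:`, and the verification step are assumptions about how such a workflow is wired up.

```yaml
# Added example; not the repository's actual .forgejo/workflows/release.yml.
# Two different things get pinned here, and bumping one must not bump the other.
env:
  # Version of the cosign BINARY that sigstore/cosign-installer downloads.
  # Must be a tag that exists at https://github.com/sigstore/cosign/releases
  # (the v2.x line). It is NOT the version of the installer action, which is
  # pinned on the `uses:` line below.
  # COSIGN_VERSION: 3.9.2   # wrong: that is the installer-action version, and
  #                         # no such cosign release tag exists (download 404s)
  COSIGN_VERSION: 2.5.3

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Install cosign
        # Version of the installer ACTION (sigstore/cosign-installer) is pinned here.
        uses: sigstore/cosign-installer@v3
        with:
          # The installer expects a release tag, so the `v` prefix is added here
          # (assumption about how the value is passed).
          cosign-release: v${{ env.COSIGN_VERSION }}

      # Fail the job early if the binary on PATH is not the pinned release,
      # instead of discovering it at the signing step.
      - name: Verify installed cosign version
        run: |
          cosign version
          cosign version 2>&1 | grep -q "${COSIGN_VERSION}"
```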
fix(release): pin to existing cosign binary version v2.5.3 (#79)
All checks were successful
Secrets / gitleaks (pull_request) Successful in 14s
PR / OSV-Scanner (pull_request) Successful in 40s
PR / Trivy (image) (pull_request) Successful in 43s
PR / Static analysis (Semgrep) (pull_request) Successful in 49s
PR / Typecheck (pull_request) Successful in 51s
PR / Lint (pull_request) Successful in 52s
PR / npm audit (pull_request) Successful in 56s
PR / Test (sqlite) (pull_request) Successful in 1m7s
PR / Test (postgres) (pull_request) Successful in 1m9s
PR / Build (pull_request) Successful in 1m14s
Release / Build, sign, and publish (push) Successful in 15s
f1179ef21d
The previous COSIGN_VERSION (3.9.2) was the version of the
sigstore/cosign-installer ACTION, not the cosign binary itself.
cosign is on the v2.x line; v3.9.2 does not exist, so the installer
404'd on every tag push. v2.5.3 is the current release and matches
the action's own bootstrap baseline.

Tightened the comment so future bumps don't conflate the installer-
action version (pinned on `uses:`) with the binary version (pinned
in `cosign-release:` via COSIGN_VERSION).

Closes #79.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
james merged commit 57cde21cad into main 2026-06-17 17:54:03 +00:00