Skip to content

Fix(ci): Bump verify-recipes cosign to v2.6.3 for referrer-stored attestation discovery#201

Merged
allenfbyrd merged 1 commit into
mainfrom
fix/verify-recipes-cosign-pin
Jul 18, 2026
Merged

Fix(ci): Bump verify-recipes cosign to v2.6.3 for referrer-stored attestation discovery#201
allenfbyrd merged 1 commit into
mainfrom
fix/verify-recipes-cosign-pin

Conversation

@allenfbyrd

Copy link
Copy Markdown
Collaborator

Second first-run verify-recipes defect — cosign too old to discover the SLSA attestation

The PEP 740 counting fix (#200) let the dispatched run reach Recipe 3, exposing a second, previously-masked defect: the pinned cosign v2.4.1 cannot discover the SLSA provenance attestation that actions/attest-build-provenance stores via the OCI 1.1 referrers API — it verifies the image signature fine (Recipe 2 passed) but returns no matching attestations for the attestation.

Empirical proof against the published v0.10.18 image:

Tool Result
cosign v2.4.1 (old CI pin) no matching attestations
cosign v2.6.3 (new pin) ✅ exit 0, valid in-toto envelope, json.load assertion passes
gh attestation verify oci://… ✅ exit 0

The attestation exists and is valid — only old-cosign discovery is broken. No release artifact is affected.

Changes: pin cosign-release: v2.6.3 in verify-recipes.yml (with a why-comment); add a requires cosign ≥ 2.6 note + the gh attestation verify fallback to docs/verification.md (+ wiki mirror).

Validation: full local simulation of all 5 recipes against the published v0.10.18 artifacts — PEP 740 8/8, cosign signature, cosign attestation, gh attestation, SBOM+osv — all PASS. check_workflow_tools --strict / audit_workflow_permissions --strict / zizmor / check_docs_health --strict green; recipe-drift guard tokens intact.

…estation discovery

Second first-run defect in verify-recipes, masked until the PEP 740
counting fix (#200) let the run reach Recipe 3: the pinned cosign
v2.4.1 cannot DISCOVER the SLSA provenance attestation that
actions/attest-build-provenance stores via the OCI 1.1 referrers API —
it verifies the image signature fine (Recipe 2 passed) but returns
'no matching attestations' for Recipe 3.

Verified empirically against the published v0.10.18 image:
cosign v2.4.1 fails; cosign v2.6.3 exits 0 with a valid in-toto
envelope; gh attestation verify (any version) also succeeds — the
attestation exists and is valid, only old-cosign discovery is broken.

Fix: pin cosign-release v2.6.3 in verify-recipes.yml (with a comment
recording the why), and add a 'requires cosign >= 2.6' note + the
gh-attestation-verify alternative to docs/verification.md so consumers
on older cosign are not misled by a false negative.

Full local simulation of all 5 recipes against the published v0.10.18
artifacts: PASS (PEP 740 8/8, signature, attestation, gh attestation,
SBOM+osv). check_workflow_tools --strict / audit_workflow_permissions
--strict / zizmor / docs-health --strict all green; recipe-drift guard
tokens intact.
@allenfbyrd
allenfbyrd enabled auto-merge July 18, 2026 19:40
@vercel

vercel Bot commented Jul 18, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
evidentia Ready Ready Preview, Comment Jul 18, 2026 7:41pm

Request Review

@codspeed-hq

codspeed-hq Bot commented Jul 18, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 6 untouched benchmarks


Comparing fix/verify-recipes-cosign-pin (ad41ade) with main (f5d4563)

Open in CodSpeed

@allenfbyrd
allenfbyrd added this pull request to the merge queue Jul 18, 2026
Merged via the queue into main with commit 828a7f9 Jul 18, 2026
34 checks passed
@allenfbyrd
allenfbyrd deleted the fix/verify-recipes-cosign-pin branch July 18, 2026 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant