Fix(ci): Bump verify-recipes cosign to v2.6.3 for referrer-stored attestation discovery#201
Merged
Merged
Conversation
…estation discovery Second first-run defect in verify-recipes, masked until the PEP 740 counting fix (#200) let the run reach Recipe 3: the pinned cosign v2.4.1 cannot DISCOVER the SLSA provenance attestation that actions/attest-build-provenance stores via the OCI 1.1 referrers API — it verifies the image signature fine (Recipe 2 passed) but returns 'no matching attestations' for Recipe 3. Verified empirically against the published v0.10.18 image: cosign v2.4.1 fails; cosign v2.6.3 exits 0 with a valid in-toto envelope; gh attestation verify (any version) also succeeds — the attestation exists and is valid, only old-cosign discovery is broken. Fix: pin cosign-release v2.6.3 in verify-recipes.yml (with a comment recording the why), and add a 'requires cosign >= 2.6' note + the gh-attestation-verify alternative to docs/verification.md so consumers on older cosign are not misled by a false negative. Full local simulation of all 5 recipes against the published v0.10.18 artifacts: PASS (PEP 740 8/8, signature, attestation, gh attestation, SBOM+osv). check_workflow_tools --strict / audit_workflow_permissions --strict / zizmor / docs-health --strict all green; recipe-drift guard tokens intact.
allenfbyrd
enabled auto-merge
July 18, 2026 19:40
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Second first-run verify-recipes defect — cosign too old to discover the SLSA attestation
The PEP 740 counting fix (#200) let the dispatched run reach Recipe 3, exposing a second, previously-masked defect: the pinned cosign v2.4.1 cannot discover the SLSA provenance attestation that
actions/attest-build-provenancestores via the OCI 1.1 referrers API — it verifies the image signature fine (Recipe 2 passed) but returnsno matching attestationsfor the attestation.Empirical proof against the published v0.10.18 image:
no matching attestationsjson.loadassertion passesgh attestation verify oci://…The attestation exists and is valid — only old-cosign discovery is broken. No release artifact is affected.
Changes: pin
cosign-release: v2.6.3inverify-recipes.yml(with a why-comment); add a requires cosign ≥ 2.6 note + thegh attestation verifyfallback todocs/verification.md(+ wiki mirror).Validation: full local simulation of all 5 recipes against the published v0.10.18 artifacts — PEP 740 8/8, cosign signature, cosign attestation, gh attestation, SBOM+osv — all PASS.
check_workflow_tools --strict/audit_workflow_permissions --strict/ zizmor /check_docs_health --strictgreen; recipe-drift guard tokens intact.