
ci: Move to cosign v3 #4953

Draft
sayboras wants to merge 3 commits into main from pr/tammach/cosign-action

Conversation


@sayboras sayboras commented May 6, 2026

Description

The current cosign-installer v3.x.x was the last release for cosign v2; it's better to transition to v3 with a more recent cosign-installer.

https://github.com/sigstore/cosign-installer/releases/tag/v3.10.1

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

Changelog

ci: Move to cosign v3

@sayboras sayboras added the labels area/ci (Related to CI) and release-note/ci (This PR makes changes to the CI.) on May 6, 2026
@sayboras sayboras force-pushed the pr/tammach/cosign-action branch from deb2de5 to 418418f on May 6, 2026 13:28
@sayboras sayboras changed the title from "Pr/tammach/cosign action" to "ci: Move to cosign v3" on May 6, 2026

netlify Bot commented May 6, 2026

Deploy Preview for tetragon ready!

Latest commit: 33b5066
Latest deploy log: https://app.netlify.com/projects/tetragon/deploys/6a01cca60db0c40008c346fb
Deploy Preview: https://deploy-preview-4953--tetragon.netlify.app

Centralize image signing and SBOM publication into a composite action
mirroring cilium/cilium .github/actions/cosign so the three image build
workflows can drop their duplicated install-cosign + sign + bom +
attach-sbom + sign-sbom step blocks.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras force-pushed the pr/tammach/cosign-action branch 2 times, most recently from 33b5066 to 9ba5bfb on May 11, 2026 12:36
sayboras added 2 commits May 11, 2026 22:40
Replace the duplicated Install-Cosign + Sign + Install-Go + Install-Bom +
Generate-SBOM + Attach-SBOM + Sign-SBOM step blocks in the three image
build workflows with calls into the new .github/actions/cosign composite
action.

Behavioral changes carried by the new action:

- cosign-installer v3.1.2 -> v4.1.1.
- SBOM generation: kubernetes-sigs/bom -> anchore/sbom-action (.spdx
  -> .spdx.json).
- SBOM publication: deprecated 'cosign attach sbom' (raw blob attached
  by digest) -> 'cosign attest --type spdxjson' (in-toto attestation).
  Consumers must switch from 'cosign verify' against the .sbom artifact
  to 'cosign verify-attestation --type spdxjson'.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras force-pushed the pr/tammach/cosign-action branch from 9ba5bfb to bf43b1d on May 11, 2026 12:41
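The sign, SBOM-generate, attest and verify-attestation flow that the second commit message describes, as a constructed composite action added here for illustration; it is not the PR's own .github/actions/cosign file. The cosign-installer version comes from the commit message; the input name, the anchore/sbom-action tag, and the certificate identity regexp are assumptions.

```yaml
# Constructed example of a .github/actions/cosign/action.yaml; not the file from this PR.
name: cosign sign + SBOM attestation
description: Keyless-sign an image and publish its SPDX SBOM as an in-toto attestation.

inputs:
  image:
    description: Fully qualified image reference pinned by digest (repo@sha256:...)
    required: true

runs:
  using: composite
  steps:
    - name: Install cosign
      # Version taken from the commit message; replaces the v3.x installer line (last cosign v2 release).
      uses: sigstore/cosign-installer@v4.1.1

    - name: Sign image (keyless; the calling workflow must grant id-token: write)
      shell: bash
      run: cosign sign --yes "${{ inputs.image }}"

    - name: Generate SPDX JSON SBOM (replaces the kubernetes-sigs/bom .spdx output)
      uses: anchore/sbom-action@v0   # assumed tag
      with:
        image: ${{ inputs.image }}
        format: spdx-json
        output-file: sbom.spdx.json
        upload-artifact: false

    - name: Attest SBOM (replaces the deprecated 'cosign attach sbom')
      shell: bash
      run: cosign attest --yes --type spdxjson --predicate sbom.spdx.json "${{ inputs.image }}"

    - name: Self-check with the command consumers must now use
      shell: bash
      # Identity regexp (assumed) pins the accepted signer to workflows of the calling repository,
      # so a signature from any other repository's OIDC identity fails verification here.
      run: |
        cosign verify-attestation --type spdxjson \
          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
          --certificate-identity-regexp "^${{ github.server_url }}/${{ github.repository }}/" \
          "${{ inputs.image }}" > /dev/null
```

Consumers verifying out of band run the same verify-attestation command with their own issuer and identity constraints; a plain `cosign verify` against a `.sbom` artifact no longer finds anything to check.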