Skip to content

chore(deps): update sigstore/cosign-installer action to v4#72

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/sigstore-cosign-installer-4.x
Closed

chore(deps): update sigstore/cosign-installer action to v4#72
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/sigstore-cosign-installer-4.x

Conversation

@renovate

@renovate renovate Bot commented Jul 4, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
sigstore/cosign-installer action major v3v4.1.2

Release Notes

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.2

Compare Source

What's Changed

v4.1.1

Compare Source

What's Changed

  • chore: update default cosign-release to v3.0.5 in #​223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

  • Bump cosign to 3.0.5 in #​220
  • fix: add retry to curl downloads for transient network failures in #​210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

v4.0.0

Compare Source

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

  • Add support for Cosign v3 releases (#​201)

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • "before 6am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cosign-installer を v3 から v4.1.2 へ更新する変更です。SHA ピン留めとバージョンコメントも整合しており、問題ありません。ただし v4 はメジャーアップグレードのため、破壊的変更の影響がないか確認してください。


- name: Install cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [MEDIUM] v4 はメジャーアップグレードであり、cosign v3 系がインストールされるようになります。リリースノートにあるように cosign sign-blob を使う場合は --bundle フラグの追加が必要になるなどの破壊的変更があります。このワークフロー内で cosign を用いた署名処理(特に sign-blob)を行っている場合は、対応するコマンドの更新が必要か確認してください。

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ご指摘の sign-blob --bundle 要件は既に充足済みです(本 workflow は sign-blob/verify-blob とも --bundle を使用)。

ただし裏取りでより本質的な論点が判明: cosign-installer v4 は既定で cosign v3.0.6 を導入し、cosign v3 は --bundle既定 bundle 形式が新(Sigstore bundle)形式に変わります。影響:

  • workflow 内の sign→verify 自己チェックは同一 cosign(v3)同士なので pass する
  • しかし下流ユーザーの検証: 公開される SHA256SUMS.cosign.bundle が新形式になるため、検証側も cosign v3+ が必要(cosign v2 では検証不可の可能性)。README の検証手順は cosign バージョンを固定していないため、cosign v2 利用者が検証失敗しうる
  • かつ release.yml はタグ push 起動=実リリースでしか検証できない(0.4.1 で v2 署名は検証済み)

保留推奨。採用するなら「README に cosign v3+ 必須を明記+テストタグで実走検証」を伴う意図的な移行が望ましく、blind merge は避けるべきと判断。cosign v2 は現状問題なく動作中。

toshi0806 added a commit that referenced this pull request Jul 4, 2026
…#73)

Reviewed Renovate #70 / #71 / #72 (all in the tag-triggered release.yml).

- actions/checkout v4.3.1 -> v7.0.0, actions/cache v4.3.0 -> v6.1.0: safe,
  categorically stable and already validated on tenbin_dns #125.
- sigstore/cosign-installer v3 -> v4: deliberate cosign v2 -> v3 migration.
  Installs cosign v3.0.6. Our sign-blob/verify-blob already use --bundle and
  --certificate-identity-regexp / --certificate-oidc-issuer, all valid in
  cosign v3. cosign v3's default bundle is the new Sigstore format, so
  DOWNSTREAM verification now needs cosign v3+ — README updated to say so.

Bump version to 0.4.2 to cut a real release that validates the cosign v3
signing end-to-end (the in-workflow verify-blob self-check runs at release).

Supersedes #70 / #71 / #72.


Claude-Session: https://claude.ai/code/session_01JPuooHgsrboSEbfJsNf6iG

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@toshi0806

Copy link
Copy Markdown
Member

Superseded by #73 (0.4.2 release: checkout v7 + cache v6 + cosign-installer v4). Closing.

@toshi0806 toshi0806 closed this Jul 4, 2026
@toshi0806 toshi0806 deleted the renovate/sigstore-cosign-installer-4.x branch July 4, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant