chore(deps): update sigstore/cosign-installer action to v4#72
Closed
renovate[bot] wants to merge 1 commit into
Closed
chore(deps): update sigstore/cosign-installer action to v4#72renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
|
||
| - name: Install cosign | ||
| uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 | ||
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 |
Contributor
There was a problem hiding this comment.
cosign sign-blob を使う場合は --bundle フラグの追加が必要になるなどの破壊的変更があります。このワークフロー内で cosign を用いた署名処理(特に sign-blob)を行っている場合は、対応するコマンドの更新が必要か確認してください。
Member
There was a problem hiding this comment.
ご指摘の sign-blob --bundle 要件は既に充足済みです(本 workflow は sign-blob/verify-blob とも --bundle を使用)。
ただし裏取りでより本質的な論点が判明: cosign-installer v4 は既定で cosign v3.0.6 を導入し、cosign v3 は --bundle の既定 bundle 形式が新(Sigstore bundle)形式に変わります。影響:
- workflow 内の sign→verify 自己チェックは同一 cosign(v3)同士なので pass する
- しかし下流ユーザーの検証: 公開される
SHA256SUMS.cosign.bundleが新形式になるため、検証側も cosign v3+ が必要(cosign v2 では検証不可の可能性)。README の検証手順は cosign バージョンを固定していないため、cosign v2 利用者が検証失敗しうる - かつ release.yml はタグ push 起動=実リリースでしか検証できない(0.4.1 で v2 署名は検証済み)
→ 保留推奨。採用するなら「README に cosign v3+ 必須を明記+テストタグで実走検証」を伴う意図的な移行が望ましく、blind merge は避けるべきと判断。cosign v2 は現状問題なく動作中。
toshi0806
added a commit
that referenced
this pull request
Jul 4, 2026
…#73) Reviewed Renovate #70 / #71 / #72 (all in the tag-triggered release.yml). - actions/checkout v4.3.1 -> v7.0.0, actions/cache v4.3.0 -> v6.1.0: safe, categorically stable and already validated on tenbin_dns #125. - sigstore/cosign-installer v3 -> v4: deliberate cosign v2 -> v3 migration. Installs cosign v3.0.6. Our sign-blob/verify-blob already use --bundle and --certificate-identity-regexp / --certificate-oidc-issuer, all valid in cosign v3. cosign v3's default bundle is the new Sigstore format, so DOWNSTREAM verification now needs cosign v3+ — README updated to say so. Bump version to 0.4.2 to cut a real release that validates the cosign v3 signing end-to-end (the in-workflow verify-blob self-check runs at release). Supersedes #70 / #71 / #72. Claude-Session: https://claude.ai/code/session_01JPuooHgsrboSEbfJsNf6iG Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Member
|
Superseded by #73 (0.4.2 release: checkout v7 + cache v6 + cosign-installer v4). Closing. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3→v4.1.2Release Notes
sigstore/cosign-installer (sigstore/cosign-installer)
v4.1.2Compare Source
What's Changed
v4.1.1Compare Source
What's Changed
Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1
v4.1.0Compare Source
What's Changed
We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing
with: cosign-releaseand strongly discourage usingcosign-releaseunless you have a specific reason to use an older version of Cosign.Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0
v4.0.0Compare Source
What's Changed?
Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.
In version v3+, using
cosign sign-blobrequires adding the--bundleflag which may require you to update your signing command.Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.