Skip to content

Release 0.4.2: checkout v7, cache v6, cosign-installer v4 (cosign v3)#73

Merged
toshi0806 merged 1 commit into
mainfrom
release-0.4.2-cosign-v3
Jul 4, 2026
Merged

Release 0.4.2: checkout v7, cache v6, cosign-installer v4 (cosign v3)#73
toshi0806 merged 1 commit into
mainfrom
release-0.4.2-cosign-v3

Conversation

@toshi0806

Copy link
Copy Markdown
Member

Reviews Renovate #70 (cache v6) / #71 (checkout v7) / #72 (cosign-installer v4), all in the tag-triggered release.yml.

  • checkout v7 / cache v6: safe — categorically stable, already validated on tenbin_dns #125.
  • cosign-installer v4 → cosign v3.0.6: deliberate v2→v3 migration. Our sign-blob/verify-blob already use --bundle and --certificate-identity-regexp/--certificate-oidc-issuer (all valid in cosign v3, verified against the v3 docs). cosign v3's default bundle is the new Sigstore format → downstream verification now needs cosign v3+; README updated to state this.
  • mix.exs 0.4.1 → 0.4.2: cuts a real release to validate cosign v3 signing end-to-end (the in-workflow verify-blob self-check runs at release time).

Supersedes #70 / #71 / #72. After merge: git tag 0.4.2 && git push origin 0.4.2 triggers the signed release; I'll then verify the bundle + cosign v3 verification.

🤖 Generated with Claude Code

Reviewed Renovate #70 / #71 / #72 (all in the tag-triggered release.yml).

- actions/checkout v4.3.1 -> v7.0.0, actions/cache v4.3.0 -> v6.1.0: safe,
  categorically stable and already validated on tenbin_dns #125.
- sigstore/cosign-installer v3 -> v4: deliberate cosign v2 -> v3 migration.
  Installs cosign v3.0.6. Our sign-blob/verify-blob already use --bundle and
  --certificate-identity-regexp / --certificate-oidc-issuer, all valid in
  cosign v3. cosign v3's default bundle is the new Sigstore format, so
  DOWNSTREAM verification now needs cosign v3+ — README updated to say so.

Bump version to 0.4.2 to cut a real release that validates the cosign v3
signing end-to-end (the in-workflow verify-blob self-check runs at release).

Supersedes #70 / #71 / #72.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JPuooHgsrboSEbfJsNf6iG

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

リリース作業として、CI依存アクションのバージョン更新とcosign v2→v3移行、およびそれに伴うREADMEの更新が適切に行われています。特にcosign v3のバンドル形式が下位互換でない点をREADMEで明示しているのは、利用者への配慮として良い対応です。全体として問題は見当たりません。

Comment thread README.md
This step is optional. If you have **[cosign](https://github.com/sigstore/cosign) v3
or newer** installed and want the stronger guarantee, download the bundle
alongside the manifest and verify (releases from `0.4.2` on are signed with
cosign v3, whose Sigstore-bundle format needs cosign v3+ to verify):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✨ [POSITIVE] cosign v3以降が必要である点、また0.4.2以降のリリースがcosign v3で署名されており検証にはv3+が必要である旨を明記したのは、下位互換性のないバンドル形式への移行に伴う利用者への影響を的確に伝える良い更新です。

@toshi0806 toshi0806 merged commit 560e017 into main Jul 4, 2026
7 checks passed
@toshi0806 toshi0806 deleted the release-0.4.2-cosign-v3 branch July 4, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant