Release 0.4.2: checkout v7, cache v6, cosign-installer v4 (cosign v3)#73
Merged
Conversation
Reviewed Renovate #70 / #71 / #72 (all in the tag-triggered release.yml). - actions/checkout v4.3.1 -> v7.0.0, actions/cache v4.3.0 -> v6.1.0: safe, categorically stable and already validated on tenbin_dns #125. - sigstore/cosign-installer v3 -> v4: deliberate cosign v2 -> v3 migration. Installs cosign v3.0.6. Our sign-blob/verify-blob already use --bundle and --certificate-identity-regexp / --certificate-oidc-issuer, all valid in cosign v3. cosign v3's default bundle is the new Sigstore format, so DOWNSTREAM verification now needs cosign v3+ — README updated to say so. Bump version to 0.4.2 to cut a real release that validates the cosign v3 signing end-to-end (the in-workflow verify-blob self-check runs at release). Supersedes #70 / #71 / #72. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01JPuooHgsrboSEbfJsNf6iG
| This step is optional. If you have **[cosign](https://github.com/sigstore/cosign) v3 | ||
| or newer** installed and want the stronger guarantee, download the bundle | ||
| alongside the manifest and verify (releases from `0.4.2` on are signed with | ||
| cosign v3, whose Sigstore-bundle format needs cosign v3+ to verify): |
Contributor
There was a problem hiding this comment.
✨ [POSITIVE] cosign v3以降が必要である点、また0.4.2以降のリリースがcosign v3で署名されており検証にはv3+が必要である旨を明記したのは、下位互換性のないバンドル形式への移行に伴う利用者への影響を的確に伝える良い更新です。
This was referenced Jul 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reviews Renovate #70 (cache v6) / #71 (checkout v7) / #72 (cosign-installer v4), all in the tag-triggered
release.yml.sign-blob/verify-blobalready use--bundleand--certificate-identity-regexp/--certificate-oidc-issuer(all valid in cosign v3, verified against the v3 docs). cosign v3's default bundle is the new Sigstore format → downstream verification now needs cosign v3+; README updated to state this.verify-blobself-check runs at release time).Supersedes #70 / #71 / #72. After merge:
git tag 0.4.2 && git push origin 0.4.2triggers the signed release; I'll then verify the bundle + cosign v3 verification.🤖 Generated with Claude Code