From 34792a4c83865e2a163baee8006f16f7f6f1bfe1 Mon Sep 17 00:00:00 2001
From: Duc-Tam Nguyen
Date: Mon, 29 Jun 2026 19:27:52 +0700
Subject: [PATCH] Pin release actions and cosign to fixed versions

Bump the release workflow to the action versions the channel repos already run and pin cosign to the 2.x line so signing keeps its detached .sig and .pem outputs instead of floating to a breaking cosign 3.x.

---
 .github/workflows/release.yml | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2e424c7..bf63cf9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,14 +27,14 @@ jobs:
 if: github.ref_type != 'tag'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7.0.0
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@v6.4.0
 with:
 go-version-file: go.mod
 cache: true
- - uses: goreleaser/goreleaser-action@v6
+ - uses: goreleaser/goreleaser-action@v7.2.2
 with:
 distribution: goreleaser
 version: "~> v2"
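Review bot: The new `actions/checkout@v7.0.0`, `actions/setup-go@v6.4.0` and `goreleaser/goreleaser-action@v7.2.2` references in this hunk are still tag pins, and a tag is a movable git ref that can be re-pointed after the fact by whoever controls the action's repository, so the workflow is not yet pinned to a fixed version in the sense the commit title states. The same applies to every `uses:` line in the second hunk, where the job also holds `id-token: write` and `packages: write`, so a re-pointed tag would run with the credentials the job uses to sign and push the release image to ghcr.io. The defensible form is the full 40-character commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v7.0.0`, which Dependabot or Renovate can still bump automatically; the `cosign-release: "v2.6.3"` input in the second hunk is a good complement because it pins the downloaded binary rather than only the installer action. The enclosing job definition starts above this hunk.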
@@ -49,28 +49,34 @@ jobs:
 packages: write # push the image to ghcr.io
 id-token: write # keyless cosign signing
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7.0.0
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@v6.4.0
 with:
 go-version-file: go.mod
 cache: true
 # Build and ship the linux/arm64 image from the amd64 runner.
- - uses: docker/setup-qemu-action@v3
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-qemu-action@v4.1.0
+ - uses: docker/setup-buildx-action@v4.1.0
+ - uses: docker/login-action@v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 # Tools GoReleaser shells out to for signing and SBOMs.
- - uses: sigstore/cosign-installer@v3
- - uses: anchore/sbom-action/download-syft@v0
+ # Pin cosign to the 2.x line. cosign 3.x makes the new bundle format the
+ # default, which ignores the --output-signature/--output-certificate flags
+ # the signs block uses and aborts. Pinning keeps the .sig/.pem outputs and
+ # stops the release tool from floating to a breaking latest.
+ - uses: sigstore/cosign-installer@v4.1.2
+ with:
+ cosign-release: "v2.6.3"
+ - uses: anchore/sbom-action/download-syft@v0.24.0
- - uses: goreleaser/goreleaser-action@v6
+ - uses: goreleaser/goreleaser-action@v7.2.2
 with:
 distribution: goreleaser
 version: "~> v2"