Skip to content

fix(ci): pin cosign to v2 line to unbreak release signing#39

Merged
alxxjohn merged 2 commits into
mainfrom
fix/pin-cosign-v2
Jul 16, 2026
Merged

fix(ci): pin cosign to v2 line to unbreak release signing#39
alxxjohn merged 2 commits into
mainfrom
fix/pin-cosign-v2

Conversation

@alxxjohn

Copy link
Copy Markdown
Contributor

Summary

The v0.8.2 release failed at the artifact-signing step:

Error: signing dist/SHA256SUMS: create bundle file: open : no such file or directory

Root cause: Dependabot's bump of sigstore/cosign-installer v3 → v4 started installing cosign v3, which enables the new sigstore bundle format by default. In that mode cosign ignores the --output-signature/--output-certificate flags passed by .goreleaser.yaml and requires a --bundle path it never receives, so it fails with an empty file path.

Fix: pin cosign-release: v2.6.3 (the latest, still-maintained v2 release). This keeps the .sig/.pem artifact contract that docs/security.md documents for release verification, and makes the one previously floating binary in the release workflow version-pinned like everything else.

Follow-up (separate PR): migrate the goreleaser signs config to the cosign v3 bundle format (--bundle producing a single .sigstore.json) and update the verification docs — that changes the artifact contract for verifiers, so it should be a deliberate, reviewed change rather than part of this unblock.

After merge, re-run the v0.8.2 release workflow.

🤖 Generated with Claude Code

alxxjohn and others added 2 commits July 15, 2026 21:37
….pem contract

The Dependabot bump of sigstore/cosign-installer to v4 started installing
cosign v3, which defaults to the new bundle format: it ignores
--output-signature/--output-certificate and fails with 'create bundle
file: open : no such file or directory' because no --bundle path is set.
Pin cosign-release to v2.6.3 to restore the signing contract documented
in docs/security.md; migrating to the bundle format is a separate change.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ration path

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@alxxjohn
alxxjohn merged commit 218f078 into main Jul 16, 2026
14 checks passed
@alxxjohn
alxxjohn deleted the fix/pin-cosign-v2 branch July 16, 2026 01:43
alxxjohn added a commit that referenced this pull request Jul 16, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.8.3](v0.8.2...v0.8.3)
(2026-07-16)


### Bug Fixes

* **ci:** pin cosign to the v2 line so release signing keeps the
.sig/.pem contract
([9ee93c4](9ee93c4))
* **ci:** pin cosign to v2 line to unbreak release signing
([#39](#39))
([218f078](218f078))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant