fix(ci): drop detached cosign outputs from releases

tazarov · tazarov · commit a6830175d5b1 · 2026-03-19T13:06:23.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -281,8 +281,6 @@ jobs:
             cosign sign-blob --yes \
               --bundle "${f}.sigstore.json" \
               --use-signing-config \
-              --output-signature "${f}.sig" \
-              --output-certificate "${f}.pem" \
               "${f}"
 
             cosign verify-blob \
@@ -296,8 +294,6 @@ jobs:
           cosign sign-blob --yes \
             --bundle SHA256SUMS.sigstore.json \
             --use-signing-config \
-            --output-signature SHA256SUMS.sig \
-            --output-certificate SHA256SUMS.pem \
             SHA256SUMS
 
           cosign verify-blob \
@@ -365,8 +361,6 @@ jobs:
           cosign sign-blob --yes \
             --bundle /tmp/releases.json.sigstore.json \
             --use-signing-config \
-            --output-signature /tmp/releases.json.sig \
-            --output-certificate /tmp/releases.json.pem \
             /tmp/releases.json
 
           cosign verify-blob \
@@ -383,10 +377,6 @@ jobs:
           aws s3 cp /tmp/releases.json.sigstore.json "s3://${BUCKET}/${PROJECT}/releases.json.sigstore.json" \
             --endpoint-url "${R2_ENDPOINT}" \
             --content-type "application/json"
-          aws s3 cp /tmp/releases.json.sig "s3://${BUCKET}/${PROJECT}/releases.json.sig" \
-            --endpoint-url "${R2_ENDPOINT}"
-          aws s3 cp /tmp/releases.json.pem "s3://${BUCKET}/${PROJECT}/releases.json.pem" \
-            --endpoint-url "${R2_ENDPOINT}"
 
       - name: Purge release metadata from CDN cache
         if: vars.CF_ZONE_ID != ''
@@ -419,5 +409,3 @@ jobs:
             dist/*.jar
             dist/SHA256SUMS
             dist/*.sigstore.json
-            dist/*.sig
-            dist/*.pem
diff --git a/README.md b/README.md
@@ -136,7 +136,6 @@ Canonical release asset naming:
 - `chroma-local-java-panama-<version>.jar`
 - `SHA256SUMS`
 - `*.sigstore.json` for each release asset and `SHA256SUMS`
-- `*.sig` + `*.pem` for each release asset and `SHA256SUMS` (for users verifying with Cosign v2)
 
 Architecture note: native archive `<arch>` is derived from the GitHub runner architecture. In the current hosted matrix for this repository, Linux/Windows builds are `amd64` and macOS builds are `arm64`. Runner mappings can change over time.
 
@@ -194,7 +193,7 @@ cosign verify-blob \
   SHA256SUMS
 ```
 
-Cosign v3 bundles (`*.sigstore.json`) are the primary verification material and the only inputs used by the release workflow's own verification step. Detached `*.sig` and `*.pem` files are also published for users verifying with Cosign v2.
+Cosign v3 bundles (`*.sigstore.json`) are the published verification material and the only inputs used by the release workflow's own verification step. Older releases may still include detached `*.sig` and `*.pem` files from the previous signing flow.
 
 Breaking change in `v0.3.1`: shared library filenames changed from `chroma_go_shim` to `chroma_shim`.
 
