Skip to content

Commit 96a2883

Browse files
authored
[fix] Adopt cosign new bundle format for goreleaser signing (#326)
[fix] Adopt cosign new bundle format so goreleaser signing succeeds cosign v3 (shipped with sigstore/cosign-installer@v4.1.2) enables --new-bundle-format by default, which silently ignores --output-signature / --output-certificate and expects --bundle instead. With no --bundle path supplied, cosign opened an empty path and aborted with "create bundle file: open : no such file or directory". Replace the signs block with the bundle format: a single checksums.txt.bundle file that embeds both signature and cert.
1 parent 562fd46 commit 96a2883

2 files changed

Lines changed: 38 additions & 3 deletions

File tree

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
name: Release Dry-Run
2+
3+
on:
4+
push:
5+
branches: [main]
6+
paths:
7+
- ".goreleaser.yaml"
8+
- ".github/workflows/release.yml"
9+
pull_request:
10+
branches: [main]
11+
paths:
12+
- ".goreleaser.yaml"
13+
- ".github/workflows/release.yml"
14+
15+
permissions:
16+
contents: read
17+
id-token: write
18+
19+
jobs:
20+
release-dryrun:
21+
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
22+
runs-on: ubuntu-latest
23+
steps:
24+
- uses: actions/checkout@v6
25+
with:
26+
fetch-depth: 0
27+
- uses: actions/setup-go@v6
28+
with:
29+
go-version-file: go.mod
30+
- uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
31+
- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
32+
- uses: goreleaser/goreleaser-action@v7
33+
with:
34+
args: release --snapshot --clean
35+
env:
36+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yaml

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -34,11 +34,10 @@ sboms:
3434

3535
signs:
3636
- cmd: cosign
37-
certificate: "${artifact}.pem"
37+
signature: "${artifact}.bundle"
3838
args:
3939
- sign-blob
40-
- "--output-certificate=${certificate}"
41-
- "--output-signature=${signature}"
40+
- "--bundle=${signature}"
4241
- "${artifact}"
4342
- "--yes"
4443
artifacts: checksum

0 commit comments

Comments
 (0)