Skip to content

Commit

Permalink
chore: update cosign version (#1495)
Browse files Browse the repository at this point in the history 
**Description of the change**
- Update `cosign-installer` action to `v3.4.0`
- Use `cosign v2.2.3` in CI

**Benefits**
The version we are using, `v2.0.1`, fails to verify the distroless
images:

```
Error: getting Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
```

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
  • Loading branch information
@alemorcuq
alemorcuq committed Mar 21, 2024
1 parent 7227790 commit 23b8c25
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 2 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/ci.yml
View file
Expand Up @@ -107,7 +107,9 @@ jobs:
uses: actions/checkout@v3.1.0

- name: Install Cosign
uses: sigstore/cosign-installer@v3.0.2
uses: sigstore/cosign-installer@v3.4.0
with:
cosign-release: v2.2.3

- name: Distroless verify
run: |
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/publish-release.yaml
View file
Expand Up @@ -65,7 +65,10 @@ jobs:
# Setup Cosign
- name: Install Cosign
uses: sigstore/cosign-installer@v3.0.2
uses: sigstore/cosign-installer@v3.4.0
with:
cosign-release: v2.2.3

if: env.RELEASE == 1
- name: Write Cosign key
if: env.RELEASE == 1
Expand Down

0 comments on commit 23b8c25

Please sign in to comment.