From 23b8c250b9e46c79c8cf27f7d0f1144e102725a5 Mon Sep 17 00:00:00 2001
From: Alejandro Moreno
Date: Thu, 21 Mar 2024 12:24:58 +0100
Subject: [PATCH] chore: update cosign version (#1495)

**Description of the change**
- Update `cosign-installer` action to `v3.4.0`
- Use `cosign v2.2.3` in CI
**Benefits**
The version we are using, `v2.0.1`, fails to verify the distroless images:
```
Error: getting Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
```
Signed-off-by: Alejandro Moreno
---
 .github/workflows/ci.yml | 4 +++-
 .github/workflows/publish-release.yaml | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a85b7c646..65a33fb63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -107,7 +107,9 @@ jobs:
 uses: actions/checkout@v3.1.0
 - name: Install Cosign
- uses: sigstore/cosign-installer@v3.0.2
+ uses: sigstore/cosign-installer@v3.4.0
+ with:
+ cosign-release: v2.2.3
 - name: Distroless verify
 run: |
diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
index f80f7fc86..bbc5ada5c 100644
--- a/.github/workflows/publish-release.yaml
+++ b/.github/workflows/publish-release.yaml
@@ -65,7 +65,10 @@ jobs:
 # Setup Cosign
 - name: Install Cosign
- uses: sigstore/cosign-installer@v3.0.2
+ uses: sigstore/cosign-installer@v3.4.0
+ with:
+ cosign-release: v2.2.3
+ if: env.RELEASE == 1
 - name: Write Cosign key
 if: env.RELEASE == 1
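Review bot: The new `uses: sigstore/cosign-installer@v3.4.0` line in the `Install Cosign` step of `.github/workflows/ci.yml` still references the action by tag, and a tag can be re-pointed after this review. Pinning to the full commit SHA with the version as a trailing comment, `uses: sigstore/cosign-installer@<full-commit-sha>  # v3.4.0`, makes the reference immutable. The same line is added in the `.github/workflows/publish-release.yaml` hunk, where it matters more: the next visible step there is `Write Cosign key`, so the installer runs in the job that handles the signing key. The `actions/checkout@v3.1.0` context line is tag-pinned too and could be handled in the same pass; the job continues outside the hunk.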
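Review bot: In the `Install Cosign` step of `.github/workflows/publish-release.yaml`, the `if: env.RELEASE == 1` guard sits below the `with:` block, while the following `Write Cosign key` step keeps it directly under `name`. Moving it up to sit right after `name` keeps the release condition visible before the action and its inputs, and makes the two steps read the same way. The reason for the `cosign-release: v2.2.3` pin is recorded only in the commit message, so a comment above the step would help the next bump, for example `# cosign v2.0.1 fails distroless verification with a TUF "invalid key" error`. The step list continues outside the hunk.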