
Commit 839fdf1

Pin release actions and cosign to fixed versions (#3)
Bump the release workflow to the action versions the channel repos already run and pin cosign to the 2.x line so signing keeps its detached .sig and .pem outputs instead of floating to a breaking cosign 3.x.
1 parent 8956021 commit 839fdf1

1 file changed

Lines changed: 17 additions & 11 deletions

.github/workflows/release.yml
@@ -27,14 +27,14 @@ jobs:
2727
if: github.ref_type != 'tag'
2828
runs-on: ubuntu-latest
2929
steps:
30-
- uses: actions/checkout@v5
30+
- uses: actions/checkout@v7.0.0
3131
with:
3232
fetch-depth: 0
33-
- uses: actions/setup-go@v6
33+
- uses: actions/setup-go@v6.4.0
3434
with:
3535
go-version-file: go.mod
3636
cache: true
37-
- uses: goreleaser/goreleaser-action@v6
37+
- uses: goreleaser/goreleaser-action@v7.2.2
3838
with:
3939
distribution: goreleaser
4040
version: "~> v2"
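Review bot: the new `actions/checkout@v7.0.0`, `actions/setup-go@v6.4.0` and `goreleaser/goreleaser-action@v7.2.2` references are still git tags, and a tag can be moved or deleted by whoever controls the action repository, so this is not yet a fixed version in the sense the commit title claims. For a release workflow that holds `id-token: write` and pushes to ghcr.io, pin each `uses:` to the full 40-character commit SHA for that release and keep the version as a trailing comment (`- uses: actions/checkout@<full sha> # v7.0.0`), which Dependabot can still bump. Note also that `version: "~> v2"` on the GoReleaser step remains a floating range within the 2.x line, so the job does not become fully reproducible with this hunk alone.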
@@ -49,28 +49,34 @@ jobs:
4949
packages: write # push the image to ghcr.io
5050
id-token: write # keyless cosign signing
5151
steps:
52-
- uses: actions/checkout@v5
52+
- uses: actions/checkout@v7.0.0
5353
with:
5454
fetch-depth: 0
55-
- uses: actions/setup-go@v6
55+
- uses: actions/setup-go@v6.4.0
5656
with:
5757
go-version-file: go.mod
5858
cache: true
5959

6060
# Build and ship the linux/arm64 image from the amd64 runner.
61-
- uses: docker/setup-qemu-action@v3
62-
- uses: docker/setup-buildx-action@v3
63-
- uses: docker/login-action@v3
61+
- uses: docker/setup-qemu-action@v4.1.0
62+
- uses: docker/setup-buildx-action@v4.1.0
63+
- uses: docker/login-action@v4.2.0
6464
with:
6565
registry: ghcr.io
6666
username: ${{ github.actor }}
6767
password: ${{ secrets.GITHUB_TOKEN }}
6868

6969
# Tools GoReleaser shells out to for signing and SBOMs.
70-
- uses: sigstore/cosign-installer@v3
71-
- uses: anchore/sbom-action/download-syft@v0
70+
# Pin cosign to the 2.x line. cosign 3.x makes the new bundle format the
71+
# default, which ignores the --output-signature/--output-certificate flags
72+
# the signs block uses and aborts. Pinning keeps the .sig/.pem outputs and
73+
# stops the release tool from floating to a breaking latest.
74+
- uses: sigstore/cosign-installer@v4.1.2
75+
with:
76+
cosign-release: "v2.6.3"
77+
- uses: anchore/sbom-action/download-syft@v0.24.0
7278

73-
- uses: goreleaser/goreleaser-action@v6
79+
- uses: goreleaser/goreleaser-action@v7.2.2
7480
with:
7581
distribution: goreleaser
7682
version: "~> v2"
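Review bot: the inline comment above the cosign step is the right place for the rationale, but the change is inconsistent about what it freezes: `cosign-release: "v2.6.3"` fixes the cosign binary, whereas `goreleaser/goreleaser-action@v7.2.2` still resolves `version: "~> v2"` at run time, so the release tool itself can keep drifting to a newer 2.x, which is exactly the kind of float the commit message says it wants to stop. Pin the GoReleaser `version:` input to an explicit release as well, and apply the same full-SHA pinning to `sigstore/cosign-installer`, `anchore/sbom-action/download-syft`, and the three `docker/*` actions, since this job runs with `packages: write` and `id-token: write` and produces the signatures and SBOMs consumers will verify.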
