Merge pull request #83 from fosrl/github-action-cosign

Upgrade cosign installer to v4.1.2 and pin cosign version
2026-05-18 06:09:53 +00:00 · 2026-05-16 14:55:01 -07:00
parent 77b386ecac 8683a62b4b
commit 65bb3fc101
1 changed files with 3 additions and 2 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -107,8 +107,9 @@ jobs:
        shell: bash

      - name: Install cosign
-        # cosign is used to sign and verify container images (key and keyless)
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+        with:
+          cosign-release: v3.0.6

      - name: Dual-sign and verify (GHCR & Docker Hub)
        # Sign each image by digest using keyless (OIDC) and key-based signing,