Update cosign to 3.0+ #6623
Merged
Update cosign to 3.0+ #6623
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
added
dependencies
github-actions
bot
removed
the
dependencies
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6623 +/- ##
==========================================
+ Coverage 86.68% 86.82% +0.13%
==========================================
Files 258 258
Lines 11958 11958
==========================================
+ Hits 10366 10382 +16
+ Misses 1592 1576 -16
Flags with carried forward coverage won't be shown. Click here to find out more. |
renovate
bot
force-pushed
the
renovate/github-actions/sigstore-cosign-installer-4.x
branch
from
63c5b53 to
ec573ea
Compare
Kielek
previously requested changes
Oct 21, 2025
Member
Kielek
left a comment
Kielek
left a comment
There was a problem hiding this comment.
It bring new major version of the cosign. It enables couples of other flags.
Before merge, it require manual verification of described process for this tool and potentially adjustments in our pipeline.
Blocked by RC.1 release process.
renovate
bot
force-pushed
the
renovate/github-actions/sigstore-cosign-installer-4.x
branch
12 times, most recently
from
14acb6c to
7e08d73
Compare
Kielek
dismissed
their stale review
It is no longer blocked by RC1 process, still need a review of our documentation.
renovate
bot
force-pushed
the
renovate/github-actions/sigstore-cosign-installer-4.x
branch
7 times, most recently
from
9425764 to
3f250b3
Compare
| datasource | package | from | to | | ----------- | ------------------------- | ------- | ------ | | github-tags | sigstore/cosign-installer | v3.10.1 | v4.0.0 | Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/github-actions/sigstore-cosign-installer-4.x
branch
from
3f250b3 to
d886517
Compare
This was referenced Nov 13, 2025
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3.10.1->v4.0.0Release Notes
sigstore/cosign-installer (sigstore/cosign-installer)
v4.0.0Compare Source
What's Changed?
Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.
In version v3+, using
cosign sign-blobrequires adding the--bundleflag which may require you to update your signing command.Configuration
📅 Schedule: Branch creation - Between 08:00 AM and 05:59 PM, only on Wednesday ( * 8-17 * * 3 ) in timezone Etc/UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.