mirror of
https://github.com/goreleaser/goreleaser-action
synced 2026-06-29 21:29:42 +00:00
ci: drop pre-cosign-v3 goreleaser versions from tests (#554)
GoReleaser v2.13.0 was the first release to ship the cosign v3 sigstore-bundle 'checksums.txt.sigstore.json' alongside the archive. Earlier releases only publish a cosign v2 detached '.sig', which the action's verifier does not understand and silently skips. Drop '~> 1.26' / '~> 2.6' / 'v0.182.0' / '~> v1' from the matrix and the install tests; pin '~> 2.13' as the minimum-supported version we actively exercise in CI. Document v2.13.0 as the minimum cosign- verifiable version in the README. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
committed by
GitHub
parent
be2e8a39ba
commit
e24998b8b6
@@ -89,6 +89,13 @@ action will additionally verify the cosign sigstore signature of the
|
||||
checksums file against the GoReleaser release workflow's OIDC identity. If
|
||||
`cosign` isn't installed, this step is silently skipped.
|
||||
|
||||
> **Note**: cosign signature verification requires GoReleaser **v2.13.0 or
|
||||
> newer** (and the matching `nightly`). Earlier releases ship a `.sig`
|
||||
> detached signature signed with cosign v2, which is not compatible with
|
||||
> the cosign v3 sigstore-bundle format the action verifies. For older
|
||||
> versions the cosign step is silently skipped — only the `checksums.txt`
|
||||
> SHA-256 verification runs.
|
||||
|
||||
To enable signature verification, install cosign before running the action:
|
||||
|
||||
```yaml
|
||||
@@ -106,8 +113,8 @@ To enable signature verification, install cosign before running the action:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
```
|
||||
|
||||
Both checksum and signature verification work for tagged releases and the
|
||||
`nightly` channel.
|
||||
Both checksum and signature verification work for tagged releases (≥ v2.13.0)
|
||||
and the `nightly` channel.
|
||||
|
||||
### Run on new tag
|
||||
|
||||
|
||||
Reference in New Issue
Block a user