ci(deps): bump cosign to v2.2.3 to avoid sigstore TUF invalid key issue #100

Merged (1 commit) on Mar 20, 2024


@saisatishkarra saisatishkarra commented Mar 20, 2024

Issue:

Failure of build pipelines due to missing dependabot config for sign image action and due to deprecated cosign version 2.2.1.

getting signer: getting key from Fulcio: getting CTFE public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key

Ex:
https://github.com/Kong/kong-ee/actions/runs/8345534028/job/22864504377#step:11:619
slsa-framework/slsa-github-generator#3350
https://github.com/Kong/public-shared-actions/actions/runs/8353600274

Solution:

Bump cosign installer to use v2.2.3 cosign

@saisatishkarra saisatishkarra requested review from a team as code owners March 20, 2024 04:24

Luacheck Report

1 files  ±0  1 suites  ±0   0s ⏱️ ±0s
4 tests ±0  4 ✅ ±0  0 💤 ±0  0 ❌ ±0 
8 runs  ±0  8 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit e91359b. ± Comparison against base commit 79d3aac.

@saisatishkarra saisatishkarra merged commit 590c699 into main Mar 20, 2024
11 checks passed
@saisatishkarra saisatishkarra deleted the bump/cosign branch March 20, 2024 04:49