fix: use cosign --bundle flag for checksums signing#443

Merged
Aureliolo merged 1 commit into main from fix/cosign-bundle-format
Mar 15, 2026
Conversation

@Aureliolo
Owner

Summary

  • Newer cosign defaults to --new-bundle-format, which ignores the deprecated --output-signature/--output-certificate flags, causing the CLI Release job to fail with create bundle file: open : no such file or directory
  • Switch to --bundle checksums.txt.cosign.bundle to produce a single bundle file
  • Update release asset upload to include .cosign.bundle instead of .sig/.pem
  • Update embedded verification instructions to use cosign verify-blob --bundle

Context

This broke the v0.2.4 CLI Release job: https://github.com/Aureliolo/synthorg/actions/runs/23110427175/job/67126909396

The Docker workflow succeeded and container images are on GHCR, but CLI binaries were never uploaded to the draft release. After merging this, a new tag push (v0.2.5) will be needed to ship CLI binaries with correct cosign signatures.

Test plan

  • CLI Release job succeeds on next tag push
  • checksums.txt.cosign.bundle appears in release assets
  • cosign verify-blob --bundle command works against the release
  • finalize-release extracts updated cosign verification instructions correctly

Newer cosign defaults to --new-bundle-format, which ignores the
deprecated --output-signature/--output-certificate flags. Switch to
--bundle to produce a single .cosign.bundle file. Update release
upload and embedded verification instructions accordingly.
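As an added example, not code from this PR or from the synthorg project: a consumer-side script for verifying the assets the fixed workflow uploads. It assumes cosign 2.x and GNU coreutils on PATH, the GitHub Actions OIDC issuer https://token.actions.githubusercontent.com, and a hypothetical certificate identity regexp for the cli.yml workflow (the exact identity string embedded in the release notes is not shown on this page, so the default below is a placeholder to adapt). The pre-check mirrors the failure mode described above: a release with zero assets, or a bundle that was never written, must fail before any signature check is attempted.

```shell
#!/usr/bin/env sh
# Added example (not project code). Verifies a downloaded synthorg CLI release:
#   1. the expected assets are present and non-empty,
#   2. checksums.txt verifies against its cosign bundle with a pinned signer,
#   3. the binaries match checksums.txt.
# Assumed: cosign 2.x, GNU sha256sum, and the identity/issuer defaults below.

# Fail fast if the workflow did not upload what we need.
# Returns 0 when checksums.txt and checksums.txt.cosign.bundle both exist and
# are non-empty, 2 when the bundle is missing or empty (the v0.2.4 symptom:
# sign-blob wrote no file), 3 when checksums.txt itself is missing.
check_release_assets() {
  dir="$1"
  [ -s "$dir/checksums.txt" ] || return 3
  [ -s "$dir/checksums.txt.cosign.bundle" ] || return 2
  return 0
}

# Verify the detached checksums.txt signature from the bundle. The bundle
# carries the signature, the Fulcio certificate and the Rekor proof, so the
# signer identity MUST still be pinned; the regexp below is a placeholder
# (assumption) for the cli.yml workflow identity on a vX.Y.Z tag.
verify_checksums_signature() {
  dir="$1"
  identity_re="${2:-^https://github\.com/Aureliolo/synthorg/\.github/workflows/cli\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$}"
  issuer="${3:-https://token.actions.githubusercontent.com}"
  check_release_assets "$dir" || return $?
  cosign verify-blob \
    --bundle "$dir/checksums.txt.cosign.bundle" \
    --certificate-identity-regexp "$identity_re" \
    --certificate-oidc-issuer "$issuer" \
    "$dir/checksums.txt"
}

# Check every downloaded binary against the (now trusted) checksums.txt.
# --ignore-missing lets a user who downloaded only one platform's binary pass.
verify_binaries() {
  dir="$1"
  ( cd "$dir" && sha256sum --check --ignore-missing checksums.txt )
}

# Full flow: signature first, then checksums. Extra args are passed through
# as identity regexp and issuer.
verify_release() {
  dir="$1"; shift
  verify_checksums_signature "$dir" "$@" && verify_binaries "$dir"
}
```

Usage: `verify_release ./dist` after downloading the release assets into `./dist`. The order matters: `checksums.txt` is only trustworthy once `cosign verify-blob` has accepted the bundle with the identity and issuer pinned, because without those two flags any valid Sigstore signature from any GitHub workflow would verify.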
@gemini-code-assist
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai

coderabbitai bot commented Mar 15, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 218b17fe-8093-453b-a400-8ee2be749dc2

📥 Commits

Reviewing files that changed from the base of the PR and between 63b03c4 and 505f603.

📒 Files selected for processing (1)
  • .github/workflows/cli.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (python)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Commits: <type>: <description> — types: feat, fix, refactor, docs, test, chore, perf, ci. Enforced by commitizen (commit-msg hook). Signed commits: required on main via branch protection — all commits must be GPG/SSH signed.
📚 Learning: 2026-03-15T11:48:14.867Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).

Applied to files:

  • .github/workflows/cli.yml
🔇 Additional comments (3)
.github/workflows/cli.yml (3)

301-310: Asset upload correctly updated to include the bundle file.

The upload command consistently references the bundle file created in the signing step. The --clobber flag ensures idempotent behavior on re-runs.


398-405: Verification instructions correctly updated.

The cosign verify-blob command now uses --bundle instead of separate --signature/--certificate flags, matching the new signing approach. The relative path checksums.txt.cosign.bundle is appropriate for users who download assets from the release.


296-299: Correct migration to --bundle flag.

The change from deprecated --output-signature/--output-certificate to --bundle aligns with modern cosign defaults (--new-bundle-format). The syntax is correct—cosign sign-blob --yes <file> --bundle <output> matches documented patterns where flags can precede or follow the positional argument. The --yes flag properly enables non-interactive mode for CI environments.


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Streamlined the signature verification process in the CI/CD pipeline to use a unified bundle format for improved artifact handling.

Walkthrough

The pull request updates .github/workflows/cli.yml to consolidate Cosign signing operations by replacing separate signature and certificate outputs with a single bundle. Signing steps now use the --bundle flag, asset uploads switch from checksums.txt.sig and checksums.txt.pem to checksums.txt.cosign.bundle, and verification steps use --bundle instead of --signature and --certificate flags.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Cosign Workflow Updates: .github/workflows/cli.yml | Replaced separate cosign signature and certificate outputs with unified bundle artifacts. Updated signing steps to use the --bundle flag, consolidated asset uploads from individual .sig/.pem files to .cosign.bundle, and updated verification steps to reference the bundle instead of separate signature/certificate parameters. The inline COSIGN_DATA snippet was also adjusted accordingly. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: switching from separate signature/certificate outputs to cosign's --bundle flag for checksums signing. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the cosign deprecation issue, the bundle migration, and providing context about the workflow failure and test plan. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@greptile-apps

greptile-apps bot commented Mar 15, 2026

Greptile Summary

This PR fixes a broken CLI Release workflow caused by newer versions of cosign defaulting to --new-bundle-format, which silently ignores the deprecated --output-signature / --output-certificate flags and produces no output file, resulting in a create bundle file: open : no such file or directory error when the (empty) path was referenced downstream.

  • Replaces the two deprecated cosign output flags with --bundle cli/dist/checksums.txt.cosign.bundle in the signing step.
  • Updates the gh release upload asset list to include checksums.txt.cosign.bundle instead of checksums.txt.sig / checksums.txt.pem.
  • Updates the embedded <!-- CLI_COSIGN_DATA --> verification snippet from cosign verify-blob --signature ... --certificate ... to cosign verify-blob --bundle ..., keeping --certificate-identity-regexp and --certificate-oidc-issuer in place (still required to validate the signer identity from within the bundle).

All three hunks are consistent with each other and align with the cosign v2 bundle format. No issues found.

Confidence Score: 5/5

  • This PR is safe to merge; it is a minimal, well-scoped fix that restores a broken release workflow with no risk to other jobs.
  • The change is confined to a single workflow file, touches only the three locations that reference the old cosign output flags/assets, and all three changes are mutually consistent. The --bundle flag is the correct cosign v2 replacement for the deprecated flags, the upload step correctly references the new artifact name, and the embedded verification command is updated to match. No logic errors, security concerns, or unintended side-effects are present.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/cli.yml | Three targeted changes: switch cosign sign-blob from deprecated --output-signature/--output-certificate flags to --bundle; update the release-upload asset list; and update the embedded cosign verify-blob instruction to use --bundle. All three changes are internally consistent and correct. |

Last reviewed commit: 505f603

@Aureliolo Aureliolo merged commit 19735b9 into main Mar 15, 2026
32 of 33 checks passed
@Aureliolo Aureliolo deleted the fix/cosign-bundle-format branch March 15, 2026 12:47
Aureliolo added a commit that referenced this pull request Mar 15, 2026
## Summary

- Reset `.github/.release-please-manifest.json`, `pyproject.toml`, and
`src/synthorg/__init__.py` from `0.2.4` back to `0.2.3`
- The v0.2.4 draft release and tag were deleted because the CLI Release
job failed (cosign `--bundle` format issue, fixed in #443)
- After merging this, Release Please will see all commits since v0.2.3
and create a fresh v0.2.4 release PR that includes the cosign fix

## Context

1. v0.2.4 tag was created by Release Please
2. CLI Release job failed at cosign signing (deprecated
`--output-signature`/`--output-certificate` flags)
3. Draft release had 0 assets (no CLI binaries uploaded)
4. Fix merged in #443 but the tag was already created from pre-fix code
5. Deleted the v0.2.4 draft release and tag
6. This PR resets versions so Release Please can re-create v0.2.4
cleanly

## Test plan

- [ ] After merge, Release Please creates a new release PR for v0.2.4
- [ ] The new release PR includes the cosign fix (#443) in its diff
- [ ] Merging the new release PR triggers a successful full pipeline
Aureliolo added a commit that referenced this pull request Mar 15, 2026
🤖 I have created a release *beep* *boop*
---

## [0.2.4](v0.2.3...v0.2.4) (2026-03-15)


### Bug Fixes

* attach cosign signatures and provenance bundle to release assets
([#438](#438))
([f191a4d](f191a4d))
* create git tag explicitly for draft releases
([#432](#432))
([1f5120e](1f5120e))
* docker healthcheck, CI optimization, and container hardening
([#436](#436))
([4d32bca](4d32bca))
* ensure security headers on all HTTP responses
([#437](#437))
([837f2fc](837f2fc))
* make install scripts usable immediately without terminal restart
([#433](#433))
([b45533c](b45533c))
* migrate pids_limit to deploy.resources.limits.pids
([#439](#439))
([66b94fd](66b94fd))
* use cosign --bundle flag for checksums signing
([#443](#443))
([19735b9](19735b9))


### Refactoring

* redesign release notes layout
([#434](#434))
([239aaf7](239aaf7))


### Maintenance

* **main:** release 0.2.4
([#431](#431))
([63b03c4](63b03c4))
* remove stale v0.2.4 changelog section from failed release
([#446](#446))
([769de10](769de10))
* reset version to 0.2.3 for re-release
([#444](#444))
([8579993](8579993))
* **site:** replace hero CTA with license link and scroll arrow
([#440](#440))
([56af41c](56af41c))
* **web:** adopt @vue/tsconfig preset
([#435](#435))
([7d4b214](7d4b214))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).