fix(ci): add COSIGN_EXPERIMENTAL=1 for OCI referrer mode in cosign sign#543

Merged
Aureliolo merged 1 commit into main from fix/cosign-experimental-flag on Mar 18, 2026

Conversation

@Aureliolo
Owner

Summary

  • v0.3.3 Docker workflow failed because cosign sign --registry-referrers-mode=oci-1-1 requires COSIGN_EXPERIMENTAL=1 with cosign-installer v4.1.0
  • Add COSIGN_EXPERIMENTAL: "1" to the env block of all 3 image signing steps (backend, web, sandbox)
  • Also replaces em-dashes with ASCII dashes in error messages

Root cause

Error: invalid argument "oci-1-1" for "--registry-referrers-mode" flag:
in order to use mode "oci-1-1", you must set COSIGN_EXPERIMENTAL=1

The --registry-referrers-mode=oci-1-1 flag was added in PR #533 but the cosign version pinned by sigstore/cosign-installer@v4.1.0 gates this behind the experimental flag.

Test plan

  • Merge this PR, then re-run the Docker workflow for the v0.3.3 tag to verify signing succeeds
  • Alternatively, trigger a workflow_dispatch to test before the next release

cosign-installer v4.1.0 requires COSIGN_EXPERIMENTAL=1 to use
--registry-referrers-mode=oci-1-1. Without it, all 3 image signing
steps fail with "invalid argument" error, breaking the v0.3.3 release.

Also replaces em-dashes with ASCII dashes in error messages.
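For readers who want to see what the fix looks like in a workflow, here is an added illustrative signing step (it is not the project's own .github/workflows/docker.yml). Assumptions: an earlier step with id `push` exposes the pushed image name and digest as outputs, and the job uses keyless Sigstore signing, so it needs `id-token: write`.

```yaml
# Illustrative GitHub Actions job, not the project's docker.yml.
# Assumed: a prior step (id: push) outputs the pushed image name and digest.
permissions:
  contents: read
  packages: write
  id-token: write      # keyless (Sigstore) signing needs an OIDC token

jobs:
  build-backend:
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v4.1.0

      # Without the COSIGN_EXPERIMENTAL line below, cosign v3.0.3 rejects the
      # flag at argument parsing time:
      #   invalid argument "oci-1-1" for "--registry-referrers-mode" flag:
      #   in order to use mode "oci-1-1", you must set COSIGN_EXPERIMENTAL=1
      # With it set in the step's env block, cosign stores the signature as an
      # OCI 1.1 referrer of the image manifest instead of a separate .sig tag.
      - name: Sign backend image (OCI 1.1 referrers)
        env:
          COSIGN_EXPERIMENTAL: "1"
          IMAGE: ${{ steps.push.outputs.image }}    # assumed output name
          DIGEST: ${{ steps.push.outputs.digest }}  # assumed output name
        run: |
          set -euo pipefail
          # Sign by digest, never by mutable tag, so the signature binds to the
          # exact manifest that already passed the Trivy/Grype scans.
          cosign sign --yes --registry-referrers-mode=oci-1-1 "${IMAGE}@${DIGEST}"
```

The same env block is repeated on each of the three signing steps (backend, web, sandbox); a job-level `env:` would also work but makes the per-step requirement less visible.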
@gemini-code-assist
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c3de2a2 and 5c0ebb5.

📒 Files selected for processing (1)
  • .github/workflows/docker.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build Sandbox
  • GitHub Check: Build Backend
  • GitHub Check: Build Web
  • GitHub Check: Analyze (python)
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).
📚 Learning: 2026-03-15T11:48:14.867Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Dependabot: auto-updates Docker image digests and versions daily.

Applied to files:

  • .github/workflows/docker.yml
📚 Learning: 2026-03-15T11:48:14.867Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to docker/{Dockerfile*,compose.yml} : Docker: Backend uses 3-stage build (builder → setup → distroless runtime), Chainguard Python, non-root (UID 65532), CIS-hardened. Web uses nginxinc/nginx-unprivileged, Vue 3 SPA with PrimeVue + Tailwind CSS, SPA routing, API/WebSocket proxy to backend.

Applied to files:

  • .github/workflows/docker.yml
🔇 Additional comments (3)
.github/workflows/docker.yml (3)

376-386: Consistent with backend fix.

Same pattern applied correctly.


544-554: Consistent with backend and web fixes.

Same pattern applied correctly across all three image signing steps.


208-218: Fix correctly addresses the cosign signing issue with OCI 1.1 referrer mode.

The addition of COSIGN_EXPERIMENTAL=1 is the documented requirement for using --registry-referrers-mode=oci-1-1 with cosign. This is a standard practice referenced in cosign integration documentation (e.g., GitLab container registry docs) rather than a temporary workaround or version-specific quirk.


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD workflow configurations.

No user-visible changes in this release.

Walkthrough

This PR updates the Docker workflow configuration to add the COSIGN_EXPERIMENTAL environment variable to container image signing steps and standardizes error message formatting in signing failure conditions.

Changes

  • Cohort / File(s): CI/CD Workflow Configuration (.github/workflows/docker.yml)
    Summary: Added COSIGN_EXPERIMENTAL: "1" environment variable to signing steps for backend, web, and sandbox. Updated error message formatting in signing failure conditions (em-dash to double-hyphen, 3 occurrences).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: adding COSIGN_EXPERIMENTAL=1 for OCI referrer mode in cosign sign operations within CI workflows.
  • Description check: ✅ Passed. The description is directly related to the changeset, providing clear context about the Docker workflow failure, the root cause, the fix applied, and a test plan.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@Aureliolo Aureliolo merged commit 226ed2f into main Mar 18, 2026
29 checks passed
@Aureliolo Aureliolo deleted the fix/cosign-experimental-flag branch March 18, 2026 11:34
Aureliolo added a commit that referenced this pull request Mar 18, 2026
…ailed)

The v0.3.3 release failed because cosign signing required
COSIGN_EXPERIMENTAL=1 (fixed in #543). Since the tag and draft
release have been deleted, revert the version bump and changelog
so Release Please can create a clean release on the next merge.

- Revert version 0.3.3 -> 0.3.2 in pyproject.toml, __init__.py, manifest
- Remove 0.3.3 changelog section
- Revert LICENSE change date
Aureliolo added a commit that referenced this pull request Mar 18, 2026
## Summary

The v0.3.3 release failed because cosign signing required
`COSIGN_EXPERIMENTAL=1` (fixed in #543). The v0.3.3 tag and draft
release have been deleted. This PR reverts the release artifacts so
Release Please can create a clean release on the next merge to main.

- Revert version 0.3.3 -> 0.3.2 in `pyproject.toml`, `__init__.py`,
`.release-please-manifest.json`
- Remove 0.3.3 changelog section from `CHANGELOG.md`
- Revert LICENSE change date

## What happened

1. PR #533 added `--registry-referrers-mode=oci-1-1` to cosign sign
commands
2. cosign v3.0.3 (installed by cosign-installer v4.1.0) requires
`COSIGN_EXPERIMENTAL=1` for that flag
3. All 3 image signing steps failed on the v0.3.3 tag push
4. Finalize-release never published the draft (waits for Docker + CLI
success)
5. PR #543 added the missing env var
6. Tag `v0.3.3` and draft release deleted manually
7. This PR resets version state so Release Please starts fresh

## After merge

Release Please will see new commits (including #543 cosign fix) and
create a release PR for v0.3.3 with the fix baked in.
Aureliolo added a commit that referenced this pull request Mar 18, 2026
🤖 I have created a release *beep* *boop*
---


## [0.3.3](v0.3.2...v0.3.3) (2026-03-18)


### Features

* **backup:** implement automated backup and restore system
([#541](#541))
([867b7c1](867b7c1))
* **providers:** runtime provider management with CRUD, presets, and
multi-auth ([#540](#540))
([936c345](936c345)),
closes [#451](#451)
* **tools:** wire per-category sandbox backend selection
([#534](#534))
([311a1ab](311a1ab))


### Bug Fixes

* **ci:** add COSIGN_EXPERIMENTAL=1 for OCI referrer mode in cosign sign
([#543](#543))
([226ed2f](226ed2f))
* **cli:** switch cosign verification from .sig tags to OCI referrers
([#533](#533))
([8ee5471](8ee5471)),
closes [#532](#532)


### CI/CD

* bump wrangler from 4.74.0 to 4.75.0 in /.github in the minor-and-patch
group ([#535](#535))
([de15867](de15867))


### Maintenance

* bump github.com/google/go-containerregistry from 0.21.2 to 0.21.3 in
/cli in the minor-and-patch group
([#536](#536))
([4a09aed](4a09aed))
* bump litellm from 1.82.3 to 1.82.4 in the minor-and-patch group
([#538](#538))
([9f7f83d](9f7f83d))
* bump vue-tsc from 3.2.5 to 3.2.6 in /web in the minor-and-patch group
across 1 directory
([#537](#537))
([eb3dc4e](eb3dc4e))
* **main:** release 0.3.3
([#539](#539))
([c3de2a2](c3de2a2))
* revert v0.3.3 release artifacts (Docker signing failed)
([#544](#544))
([7f48f52](7f48f52))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>