
Use cosign bundle for release checksum signing#169

Merged

robzolkos merged 1 commit into master from fix-cosign-bundle-signing on Jun 4, 2026

Conversation


@robzolkos robzolkos commented Jun 4, 2026

Collaborator

Summary

  • updates GoReleaser checksum signing to emit a cosign bundle
  • documents checksum signing as a cosign keyless bundle

Validation

  • GOWORK=off go run github.com/goreleaser/goreleaser/v2@v2.14.1 check
  • git diff --check

Summary by cubic

Switch release checksum signing to a cosign keyless bundle to improve verification and portability. goreleaser now emits a single .bundle per checksum and docs reflect the new flow.

  • Migration
    • Update verification to use cosign verify-blob --bundle <checksum-file>.bundle <checksum-file>.
    • Expect .bundle files instead of separate signature/certificate outputs.

Written for commit 31210e0. Summary will update on new commits.

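The verification flow from the migration note above, as an added example that is not part of this PR or the project's own scripts. It assumes the GoReleaser checksums file and its bundle sit next to the downloaded artifact, a Linux host with cosign 2.x and coreutils sha256sum on PATH, and the identity/issuer values below are placeholders to be replaced with those of the real release workflow; the identity flags are added here because cosign 2.x keyless verification needs the signer pinned, otherwise a valid bundle from any OIDC identity would pass.

```shell
#!/usr/bin/env bash
# Verify a release whose checksums file is signed as a cosign keyless bundle
# (checksums.txt + checksums.txt.bundle, as emitted after this PR's change).
# Assumes cosign 2.x and coreutils sha256sum on PATH.
set -eu

# Placeholders (hypothetical values): the identity is the workflow that signed
# the release and the issuer is its OIDC provider. Both must be pinned, or a
# keyless verification only proves "someone with some OIDC identity signed this".
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/OWNER/REPO/.github/workflows/release.yml@refs/tags/vX.Y.Z}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

# Bundle naming convention from the PR: <checksum-file>.bundle
bundle_path_for() { printf '%s.bundle\n' "$1"; }

# Step 1: check the bundle's signature, certificate and transparency-log entry
# against the pinned signer identity.
verify_checksum_signature() {
  local checksums=$1
  cosign verify-blob \
    --bundle "$(bundle_path_for "$checksums")" \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$checksums"
}

# Step 2: only after step 1 succeeds, check one downloaded artifact against the
# now-trusted checksums file. Only the line naming that artifact is fed to
# sha256sum, so sibling artifacts that were not downloaded do not fail the run.
# Matches both "hash  name" (text mode) and "hash *name" (binary mode) lines.
verify_artifact_hash() {
  local checksums artifact dir name
  checksums="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
  artifact=$2
  dir=$(dirname "$artifact"); name=$(basename "$artifact")
  ( cd "$dir" && grep -E "^[0-9a-f]{64} [ *]${name}\$" "$checksums" \
      | sha256sum -c --strict - )
}

# Full flow: signature first, then the artifact hash.
verify_release_artifact() {
  verify_checksum_signature "$1" && verify_artifact_hash "$1" "$2"
}

# Usage: verify_release_artifact checksums.txt tool_linux_amd64.tar.gz
```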

Copilot AI review requested due to automatic review settings June 4, 2026 17:30

github-actions Bot commented Jun 4, 2026


Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .goreleaser.yaml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

@github-actions github-actions Bot added the enhancement New feature or request label Jun 4, 2026

Copilot AI left a comment

Contributor


Pull request overview

Switches release checksum signing from separate cosign signature/certificate outputs to a single keyless cosign bundle artifact, and updates release documentation to reflect the bundle-based flow.

Changes:

  • Update GoReleaser checksum signing to emit a .bundle file via cosign sign-blob --bundle ....
  • Adjust signing output naming so the generated bundle is uploaded as a release artifact.
  • Refresh release docs to describe checksum signing as a keyless cosign bundle (OIDC).


Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • RELEASING.md: Updates the release workflow step description to reflect bundle-based checksum signing.
  • .goreleaser.yaml: Switches checksum signing to produce a .bundle output using cosign’s bundle flags.


@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


No issues found across 2 files


@robzolkos robzolkos merged commit 341f75e into master Jun 4, 2026
21 checks passed
@robzolkos robzolkos deleted the fix-cosign-bundle-signing branch June 4, 2026 17:35