
Update release notes to use cosign bundle format#9655

Merged
openshift-merge-bot[bot] merged 1 commit into
cri-o:mainfrom
saschagrunert:fix-release-notes-bundle
Dec 12, 2025

Conversation

@saschagrunert

@saschagrunert saschagrunert commented Dec 12, 2025

Member

What type of PR is this?

/kind documentation

What this PR does / why we need it:

The packaging repository now uses --bundle flag for cosign instead of separate .sig and .cert files. This updates the release notes template to reference .bundle files and updates the verification instructions.

Which issue(s) this PR fixes:

Fixes #9653

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fixed release description to use cosign's new bundle format.

@openshift-ci openshift-ci Bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/documentation Categorizes issue or PR as related to documentation. labels Dec 12, 2025
@coderabbitai

coderabbitai Bot commented Dec 12, 2025


Walkthrough

The release-notes generator was updated to replace separate .sig and .cert artifact references with single .bundle files (and corresponding .spdx.bundle SBOM variants); cosign verification commands and template insertions were updated to use the bundle-based names.

Changes

Cohort / File(s) Summary
Bundle-based artifact verification
scripts/release-notes/release_notes.go
Replaced .sig/.cert references with .bundle variants for artifacts and SBOMs; updated download lists and cosign verification commands to use --bundle and bundle filenames; removed redundant bundleVersion template insertions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify all .sig and .cert occurrences were removed or replaced with .bundle and .spdx.bundle.
  • Confirm cosign --bundle command examples match sigstore expectations and filename patterns.
  • Check template substitution to ensure reduced bundleVersion duplications did not alter content formatting.

Poem

🐰 I hopped through lines of code today,
Replaced two files with one neat way—
Bundles bundled, signatures too,
One small change, a cleaner view. 🎐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title directly describes the main change: updating release notes to use cosign bundle format instead of separate .sig and .cert files.
Linked Issues check ✅ Passed The PR addresses the issue #9653 by updating release notes to reference .bundle files and new cosign verification instructions instead of missing .sig/.cert files.
Out of Scope Changes check ✅ Passed All changes are directly related to updating the release notes template to use bundle format, consistent with the PR objectives and linked issue requirements.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

@openshift-ci

openshift-ci Bot commented Dec 12, 2025

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 12, 2025
The packaging repository now uses --bundle flag for cosign instead of
separate .sig and .cert files. This updates the release notes template
to reference .bundle files and updates the verification instructions.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/release-notes/release_notes.go (1)

150-160: Remove COSIGN_EXPERIMENTAL=1—it is unnecessary and deprecated since Cosign 2.0 (February 2023).

The COSIGN_EXPERIMENTAL environment variable is no longer required for cosign verify-blob --bundle. While the command will still work with the flag, the release notes should reflect current best practices by removing it. Add a note specifying a minimum cosign version requirement (e.g., Cosign 2.0 or later) to ensure users have the patched behavior and all required flags (e.g., --certificate-identity, --certificate-oidc-issuer) documented here.

🧹 Nitpick comments (1)
scripts/release-notes/release_notes.go (1)

120-214: Guard against fmt.Fprintf placeholder drift (%!s(MISSING)) in the generated markdown.
The template string has a large number of %s placeholders; changes like this PR are exactly where it’s easy to silently break formatting. Suggest formatting into a string first and failing fast if fmt reports missing args.

-	if _, err := fmt.Fprintf(templateFile, `# CRI-O %s
+	rendered := fmt.Sprintf(`# CRI-O %s
@@
-	); err != nil {
+	)
+	if strings.Contains(rendered, "%!s(MISSING)") || strings.Contains(rendered, "%!(EXTRA") {
+		return fmt.Errorf("release notes template format mismatch (missing/extra fmt args)")
+	}
+	if _, err := templateFile.WriteString(rendered); err != nil {
 		return fmt.Errorf("writing template to file: %w", err)
 	}
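Review bot: the guard `strings.Contains(rendered, "%!s(MISSING)")` only catches a missing argument for a `%s` verb; Go renders a missing argument for any verb as `%!<verb>(MISSING)`, so `strings.Contains(rendered, "(MISSING)")` is the safer test (the `%!(EXTRA` check for surplus arguments is fine as written). The `@@` elision hides the surrounding code, so the hunk does not show whether `strings` is already imported; it must be for this to compile. Since the format string is a constant, `go vet`'s printf analyzer already reports an argument-count mismatch at build time, which is the cheaper place to catch this; the runtime check only adds value if vet is not run over scripts/.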
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 22417ca and df9fd7e.

📒 Files selected for processing (1)
  • scripts/release-notes/release_notes.go (2 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Use interface-based design and dependency injection patterns in Go code
Propagate context.Context through function calls in Go code
Use fmt.Errorf with %w for error wrapping in Go code
Use logrus with structured fields for logging in Go code
Add comments explaining 'why' not 'what' in Go code
Use platform-specific file naming: *_{linux,freebsd}.go for platform-dependent code

Files:

  • scripts/release-notes/release_notes.go
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
Repo: cri-o/cri-o PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-03T18:27:19.593Z
Learning: When adding/changing features, update related repositories: cri-o.io website and packaging repositories
📚 Learning: 2025-12-03T18:27:19.593Z
Learnt from: CR
Repo: cri-o/cri-o PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-03T18:27:19.593Z
Learning: When adding/changing features, update related repositories: cri-o.io website and packaging repositories

Applied to files:

  • scripts/release-notes/release_notes.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (38)
  • GitHub Check: integration / conmon-rs / crun / amd64
  • GitHub Check: critest / conmon-rs / crun / arm64
  • GitHub Check: integration / userns / crun / amd64
  • GitHub Check: critest / conmon / crun / arm64
  • GitHub Check: critest / conmon-rs / crun / amd64
  • GitHub Check: integration / conmon / crun / arm64
  • GitHub Check: critest / conmon / crun / amd64
  • GitHub Check: integration / conmon / crun / amd64
  • GitHub Check: rpm-build:fedora-43-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:centos-stream-9-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-43-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-rawhide-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:centos-stream-9-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-rawhide-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-rawhide-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:centos-stream-9-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:centos-stream-9-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-43-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-rawhide-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-43-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-rawhide-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:centos-stream-9-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-rawhide-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-43-aarch64:fedora-rawhide
  • GitHub Check: rpm-build:fedora-43-x86_64:fedora-rawhide
  • GitHub Check: rpm-build:centos-stream-9-x86_64:fedora-rawhide
  • GitHub Check: unit / amd64 / rootless
  • GitHub Check: build static / s390x
  • GitHub Check: security-checks
  • GitHub Check: codeql-build
  • GitHub Check: unit / arm64 / root
  • GitHub Check: unit / amd64 / root
  • GitHub Check: build static / amd64
  • GitHub Check: build static / arm64
  • GitHub Check: build static / ppc64le
  • GitHub Check: build
  • GitHub Check: lint
  • GitHub Check: docs
🔇 Additional comments (1)
scripts/release-notes/release_notes.go (1)

129-148: The release notes update is correct. The .bundle and .spdx.bundle filenames match exactly what the packaging repository produces:

  • cosign sign-blob --bundle "$TARBALL.bundle" creates cri-o.<arch>.<version>.tar.gz.bundle
  • cosign sign-blob --bundle "$SBOM.bundle" creates cri-o.<arch>.<version>.tar.gz.spdx.bundle

These files are generated for all four architectures (amd64, arm64, ppc64le, s390x) in the packaging repository's build workflow. The cosign verify-blob --bundle command usage is correct, and COSIGN_EXPERIMENTAL=1 is properly required for certificate-based verification of the artifacts.

@saschagrunert force-pushed the fix-release-notes-bundle branch from df9fd7e to cf4aab9 on December 12, 2025 08:17

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/release-notes/release_notes.go (1)

150-160: Remove COSIGN_EXPERIMENTAL=1 from the cosign command—it is not required for modern cosign versions (v2.0+). The --bundle flag is correct for current versions. Clean up the template to use only the necessary environment variables and flags:

> cosign verify-blob cri-o.amd64.%s.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.%s.tar.gz.bundle
🧹 Nitpick comments (1)
scripts/release-notes/release_notes.go (1)

120-148: Add explicit signature verification instructions for the .spdx.bundle SBOM artifacts.

The template provides .spdx.bundle download links but the SBOM section only documents bom validate (format/integrity check) without showing how to verify the SBOM's cryptographic signature using the bundle. Add a verification step using cosign similar to the artifact verification example, such as:

cosign verify-blob cri-o.amd64.%s.tar.gz.spdx \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.%s.tar.gz.spdx.bundle

This ensures users have complete verification guidance for all downloadable artifacts.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between df9fd7e and cf4aab9.

📒 Files selected for processing (1)
  • scripts/release-notes/release_notes.go (2 hunks)
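The --certificate-identity, --certificate-oidc-issuer, --certificate-github-workflow-repository and --certificate-github-workflow-ref flags in the review comment above are what turn "a valid Sigstore signature exists for this file" into "the cri-o/packaging workflow on main signed this file". The Go program below is an added example and is not code from this PR, from cosign or from the CRI-O project. It implements the checks those flags perform (signature over the blob with the leaf key, SAN URI equal to the expected identity, Fulcio issuer/repository/ref extensions equal to the expected claims) and runs them against a constructed stand-in tarball; the .spdx SBOM is verified the same way with its own bundle. Everything not on the page is the example's own: the Policy, VerifyBlob, Signer and NewSigner names, the sample blob contents, and the self-signed in-process certificate that stands in for a Fulcio-issued leaf. It deliberately does not parse .bundle files or validate the chain to the Fulcio root, the Rekor inclusion proof or the SCT, all of which cosign does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio certificate extension OIDs (sigstore/fulcio OID registry).
var (
	oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8} // OIDC issuer, DER UTF8String
	oidGHRepo   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5} // GitHub workflow repository, raw bytes
	oidGHRef    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6} // GitHub workflow ref, raw bytes
)

// Policy carries what the release notes pass as --certificate-identity, --certificate-oidc-issuer,
// --certificate-github-workflow-repository and --certificate-github-workflow-ref.
type Policy struct{ Identity, Issuer, Repo, Ref string }

// VerifyBlob checks an ECDSA-P256/SHA-256 signature over blob with the leaf certificate (DER),
// then enforces the identity policy. Chain validation to the Fulcio root, the Rekor
// inclusion proof and the SCT, which cosign also performs, are NOT done here.
func VerifyBlob(blob, sig, certDER []byte, p Policy) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(blob)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify against the certificate key")
	}
	// A valid signature from *some* Fulcio-issued certificate proves nothing: the single
	// SAN URI must name exactly the workflow that is trusted to sign releases.
	if len(cert.URIs) != 1 || cert.URIs[0].String() != p.Identity {
		return fmt.Errorf("certificate identity does not match %q", p.Identity)
	}
	claims := map[string][]byte{}
	for _, e := range cert.Extensions {
		claims[e.Id.String()] = e.Value
	}
	var issuer string
	if _, err := asn1.Unmarshal(claims[oidIssuerV2.String()], &issuer); err != nil || issuer != p.Issuer {
		return fmt.Errorf("OIDC issuer %q does not match %q", issuer, p.Issuer)
	}
	if got := string(claims[oidGHRepo.String()]); got != p.Repo {
		return fmt.Errorf("workflow repository %q does not match %q", got, p.Repo)
	}
	if got := string(claims[oidGHRef.String()]); got != p.Ref {
		return fmt.Errorf("workflow ref %q does not match %q", got, p.Ref)
	}
	return nil
}

// Signer stands in for the build workflow plus Fulcio: a throwaway key and a self-signed
// leaf carrying the identity claims. Constructed for this example; not how Fulcio works.
type Signer struct {
	key     *ecdsa.PrivateKey
	CertDER []byte
}

func NewSigner(p Policy) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	id, perr := url.Parse(p.Identity)
	issuerDER, merr := asn1.MarshalWithParams(p.Issuer, "utf8")
	if err := errors.Join(err, perr, merr); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		URIs:         []*url.URL{id},
		ExtraExtensions: []pkix.Extension{
			{Id: oidIssuerV2, Value: issuerDER},
			{Id: oidGHRepo, Value: []byte(p.Repo)},
			{Id: oidGHRef, Value: []byte(p.Ref)},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key, CertDER: der}, nil
}

// Sign produces the detached signature that a bundle carries for blob.
func (s *Signer) Sign(blob []byte) ([]byte, error) {
	digest := sha256.Sum256(blob)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

func main() {
	p := Policy{"https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main",
		"https://token.actions.githubusercontent.com", "cri-o/packaging", "refs/heads/main"}
	s, err := NewSigner(p)
	if err != nil {
		panic(err)
	}
	blob := []byte("constructed stand-in for cri-o.amd64.<version>.tar.gz") // the .spdx SBOM takes the same path
	sig, _ := s.Sign(blob)
	fmt.Println("release policy:", VerifyBlob(blob, sig, s.CertDER, p))
	fmt.Println("feature ref:   ", VerifyBlob(blob, sig, s.CertDER, Policy{p.Identity, p.Issuer, p.Repo, "refs/heads/feature"}))
}
```

The second println shows the failure mode the flags exist for: the same genuine signature and certificate are rejected as soon as any policy value (here the workflow ref) differs, which is how a signature produced by a fork's workflow or a feature branch is kept from passing as a release. For the real artifacts the leaf certificate, signature and Rekor entry come out of the .bundle file and cosign performs the chain and transparency-log checks this example leaves out.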

@codecov

codecov Bot commented Dec 12, 2025


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.17%. Comparing base (22417ca) to head (cf4aab9).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9655      +/-   ##
==========================================
+ Coverage   66.97%   67.17%   +0.19%     
==========================================
  Files         208      208              
  Lines       29017    29017              
==========================================
+ Hits        19435    19493      +58     
+ Misses       7921     7856      -65     
- Partials     1661     1668       +7     

@saschagrunert

Member Author

/retest

@bitoku

bitoku commented Dec 12, 2025

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Dec 12, 2025
@bitoku

bitoku commented Dec 12, 2025

Contributor

/retest

@openshift-merge-bot openshift-merge-bot Bot merged commit 2e590ab into cri-o:main Dec 12, 2025
71 checks passed
@openshift-ci

openshift-ci Bot commented Dec 12, 2025

Contributor

@saschagrunert: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ci-e2e-conmonrs cf4aab9 link unknown /test ci-e2e-conmonrs

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Development

Successfully merging this pull request may close these issues.

Release v1.34.3 is missing signature and certificate files

2 participants