
fix: update cosign and syft for signing#5958

Merged: Skarlso merged 2 commits into external-secrets:main from Skarlso:update-cosign-syft on Feb 13, 2026

Conversation

@Skarlso (Contributor) commented Feb 13, 2026

Problem Statement

What is the problem you're trying to solve?

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Summary

Bumps cosign and Syft versions and updates signing/attestation steps in GitHub Actions to use non-interactive signing/attestation and stricter certificate-based verification for SBOMs, Go module SBOMs and provenance. Removes some flags and tightens certificate identity/issuer regexp checks; commit message indicates a regexp fix.

Changes

.github/actions/sign/action.yml

  • Upgraded sigstore/cosign-installer to v4.0.0 and cosign-release to v3.0.3.
  • Updated anchore/sbom-action/download-syft to v0.22.2 and set syft-version to v1.41.2.
  • Sign/attest steps now use non-interactive --yes for cosign sign/attest.
  • Added cosign verify-attestation checks with --certificate-identity-regexp and --certificate-oidc-issuer for SPDX (image and gomod) and slsaprovenance attestations.
  • Note: the slsa-provenance-action step still sets COSIGN_EXPERIMENTAL: "0" in its environment.

.github/workflows/helm.yml

  • Installed cosign via sigstore/cosign-installer@v4.0.0 with cosign-release v3.0.3 in the release job.
  • Release job uses cosign sign --yes and verify with certificate-identity-regexp and certificate-oidc-issuer when signing pushed Helm chart artifacts.

Lines changed: +25/-16 (per PR metadata)

@github-actions github-actions bot added kind/bug Categorizes issue or PR as related to a bug. component/github-actions size/s labels Feb 13, 2026
@coderabbitai bot commented Feb 13, 2026

Walkthrough

Cosign and Syft versions bumped (cosign installer v4.0.0, cosign release v3.0.3; Syft v0.22.2 with syft-version: v1.41.2). Sign/attest/verify steps now use --yes, removed COSIGN_EXPERIMENTAL, and require certificate-based verification with identity regexp and OIDC issuer checks for SBOM and provenance attestations.

Changes

Cohort / File(s) | Summary

Signing action: .github/actions/sign/action.yml
  Bumped cosign-installer to v4.0.0 and cosign release to v3.0.3; upgraded Syft to v0.22.2 and added syft-version: v1.41.2; replaced explicit sign flow with --yes usage; removed COSIGN_EXPERIMENTAL; added certificate-based verification flags (identity regexp, OIDC issuer) for SPDX, go.mod and provenance attestations.

Helm workflow: .github/workflows/helm.yml
  Updated cosign release version from v2.4.1 to v3.0.3 in the Release job; no other workflow logic changed.
🚥 Pre-merge checks: 1 failed (1 warning)

Check name: Merge Conflict Detection
Status: ⚠️ Warning
Explanation: Unable to check for merge conflicts: Stream setup permanently failed: 14 UNAVAILABLE: read ECONNRESET



No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
.github/actions/sign/action.yml (1)

76-91: Past review issues addressed; minor commented-out code remains.

The regex fix (/.*), the gomod SBOM filename fix, and the --yes flag additions all look correct. The commented-out old commands on lines 78, 80, and 87 are leftover reference lines — consider removing them to reduce clutter once the new commands are validated in CI.



@coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/actions/sign/action.yml (2)

69-87: ⚠️ Potential issue | 🔴 Critical

cosign verify-attestation missing --certificate-identity and --certificate-oidc-issuer in cosign v3.x.

Starting with cosign v2.0, cosign verify-attestation requires explicit certificate identity and OIDC issuer flags for keyless verification (the COSIGN_EXPERIMENTAL env var no longer enables implicit trust). The calls on lines 81, 87, and 111 will fail without these flags.

The helm workflow already demonstrates the correct pattern on lines 161-163.

Proposed fix for verify-attestation commands

Line 81:

-        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= `@base64d` | .payload | fromjson'
+        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} \
+            --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq '.payload |= `@base64d` | .payload | fromjson'
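Review bot: the identity pattern on the second added line, "https://github.com/$GITHUB_REPOSITORY/*", does not mean "anything under this repository": in Go regexp syntax `/*` is zero or more slashes, and `MatchString` is a substring match, so the pattern also accepts an identity whose repository merely starts with this one (for instance `<repo>-fork/.github/workflows/...`). Use `/.*` as the later review on this page also suggests, and anchor it, e.g. `"^https://github.com/$GITHUB_REPOSITORY/.*$"`, or narrower, `"^https://github.com/$GITHUB_REPOSITORY/\.github/workflows/.*$"`, so only this repository's own workflows match.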

Line 87:

-        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= `@base64d` | .payload | fromjson'
+        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} \
+            --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq '.payload |= `@base64d` | .payload | fromjson'
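Review bot: this verify call is byte-for-byte the same as the one proposed for line 81, so it does not check the Go-module SBOM specifically: both attestations are created with `--type spdx` against the same digest, and cosign returns every attestation of that type that verifies for either call. If the two SBOMs need to be verified separately, inspect the decoded statements (e.g. the SBOM's document name) rather than relying on the exit status. Also, the backticks around `@base64d` in the jq filter are not jq syntax and fail to parse if copied literally; the working filter is `.payload |= @base64d | .payload | fromjson`.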

Line 111:

-        cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST}
+        cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST} \
+            --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com
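Review bot: beyond the signature and certificate checks, this call only establishes that some slsaprovenance attestation exists for the digest; nothing looks at the provenance content (builder, source repository, workflow). If provenance is meant to gate the release rather than produce a log line, pass a `--policy` CUE or Rego file to `cosign verify-attestation` so the predicate is evaluated, and consider narrowing the identity regexp to the release workflow path, as the cilium example quoted later in this thread does with `/.github/workflows`.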

60-67: ⚠️ Potential issue | 🔴 Critical

Add the --yes flag to all cosign commands and remove the obsolete COSIGN_EXPERIMENTAL variable; cosign v2.0+ requires --yes for non-interactive CI/CD.

With cosign v2.0+, non-interactive signing requires the --yes flag to skip confirmation prompts. Without it, these commands will hang in CI. The COSIGN_EXPERIMENTAL environment variable is also obsolete since v2.0—keyless signing is the default behavior now.

Apply --yes to lines 67, 80, 86, and 110, and remove COSIGN_EXPERIMENTAL from lines 63, 73, 97, and 104. The helm workflow (line 160) already uses this pattern correctly.

Proposed fixes

Line 67:

-      run: cosign sign -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+      run: cosign sign --yes -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"
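Review bot: `--yes` deserves a one-line comment above `run:`, because it does more than make the command non-interactive: it is the acknowledgement of the prompt cosign shows before publishing the signing certificate, which names the workflow identity, to the public Rekor transparency log. The `-a GITHUB_ACTOR=...` annotation becomes part of the signed payload stored next to the image in the registry, so the comment should also say that nothing sensitive belongs in such annotations.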

Line 80:

-        cosign attest --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+        cosign attest --yes --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
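Review bot: the predicate file is Syft's SPDX JSON output (the `.spdx.json` name says so), but `--type spdx` is cosign's shorthand for the text form and embeds the file as an opaque string, whereas `--type spdxjson` parses it and embeds structured JSON, which is what makes the `fromjson`-decoded verify output queryable; the cilium example quoted later in this thread uses `spdxjson` for the same reason. Suggest `cosign attest --yes --predicate sbom.${IMAGE_TAG}.spdx.json --type spdxjson ...` here, and check the decoded output once in CI to confirm the predicate is a JSON object rather than a string.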

Line 86:

-        cosign attest --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+        cosign attest --yes --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
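Review bot: the predicate path `sbom.gomod.${IMAGE_TAG}.spdx.json` is the right file for this step; a later revision reviewed further down in this thread attested `sbom.${IMAGE_TAG}.spdx.json` here a second time, which silently duplicates the image SBOM and drops the Go-module SBOM. A cheap guard against that regression is to put the filename in one env var used by both the Syft and the cosign line of the step, or to `test -s` the file before attesting.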

Line 110:

-        cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
+        cosign attest --yes --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
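Review bot: `--type slsaprovenance` labels the statement as SLSA v0.2 provenance, and cosign also accepts `slsaprovenance1` for v1 predicates; the label comes from the flag, not from the file, so confirm which version slsa-provenance-action writes into provenance-predicate.att and pick the matching shorthand. Keep the `--type` on line 111 identical, since verify-attestation filters on that predicate type.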

Remove COSIGN_EXPERIMENTAL: "1" from env blocks on lines 63, 73, and 104 (line 97 already uses COSIGN_EXPERIMENTAL: "0").

🤖 Fix all issues with AI agents
In @.github/actions/sign/action.yml:
- Around line 26-30: The Syft version pinned (syft-version: v1.42.0) conflicts
with the bundled Syft in the pinned action release (uses:
anchore/sbom-action/download-syft@28d71544...), so either change syft-version to
the bundled patch (v1.41.2) to match sbom-action v0.22.2 or add a short inline
comment/documentation near the uses and syft-version entries explaining why the
newer v1.42.0 is intentionally required (e.g., a bugfix or feature) and that you
accept the slight mismatch with the sbom-action release.
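What the `jq '.payload |= @base64d | .payload | fromjson'` pipeline in the review above unpacks, as an added Go example that is not part of this PR and not cosign's code: `cosign verify-attestation` prints one DSSE envelope per verified attestation, with the in-toto statement base64-encoded in `payload`. The envelope, digest and signature below are constructed sample data; the function names are chosen here, and the SPDX predicate type URI is the in-toto one.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE envelope shape cosign verify-attestation prints, one per
// verified attestation; the in-toto statement is base64-encoded in Payload.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

// Statement holds the fields of an in-toto statement needed for the checks.
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate json.RawMessage `json:"predicate"`
}

// spdxPredicateType is the in-toto predicate type URI used for SPDX SBOMs.
const spdxPredicateType = "https://spdx.dev/Document"

// DecodeEnvelope does what the jq filter does: base64-decode the payload and
// parse the in-toto statement inside it.
func DecodeEnvelope(raw []byte) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, fmt.Errorf("statement: %w", err)
	}
	return &st, nil
}

// CheckStatement confirms the decoded statement carries the predicate type we
// asked cosign for and is about the image digest we passed on the command line.
func CheckStatement(st *Statement, wantPredicate, wantSHA256 string) error {
	if st.PredicateType != wantPredicate {
		return fmt.Errorf("predicateType %q, want %q", st.PredicateType, wantPredicate)
	}
	for _, s := range st.Subject {
		if s.Digest["sha256"] == wantSHA256 {
			return nil
		}
	}
	return fmt.Errorf("no subject with sha256 %s", wantSHA256)
}

// sampleEnvelope builds a constructed envelope in the shape cosign emits so the
// decoder can be exercised offline; the digest and signature are fake.
func sampleEnvelope(predicateType, sha256 string) []byte {
	stmt := map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": predicateType,
		"subject": []map[string]any{{
			"name":   "ghcr.io/example/image",
			"digest": map[string]string{"sha256": sha256},
		}},
		"predicate": map[string]any{"spdxVersion": "SPDX-2.3", "name": "sample"},
	}
	body, _ := json.Marshal(stmt)
	env := map[string]any{
		"payloadType": "application/vnd.in-toto+json",
		"payload":     base64.StdEncoding.EncodeToString(body),
		"signatures":  []map[string]string{{"keyid": "", "sig": "ZmFrZQ=="}},
	}
	raw, _ := json.Marshal(env)
	return raw
}

// sampleDigest is a constructed, non-existent image digest.
const sampleDigest = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

func main() {
	st, err := DecodeEnvelope(sampleEnvelope(spdxPredicateType, sampleDigest))
	if err != nil {
		panic(err)
	}
	fmt.Println("predicateType:", st.PredicateType)
	fmt.Println("check:", CheckStatement(st, spdxPredicateType, sampleDigest))
}
```

The point of the second function is that a successful exit status from `cosign verify-attestation` only says that some attestation of the requested type verified; when the decoded output is consumed by a later step, it should re-check the subject digest it was called with rather than trust whatever statement comes out first.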

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: Gergely Brautigam <gergely.brautigam@sap.com>
@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/actions/sign/action.yml:
- Around line 88-90: The cosign attest command is using the wrong SBOM file name
and re-attests the image SBOM instead of the Go modules SBOM; update the
predicate path in the cosign attest invocation to use the generated Go modules
SBOM filename (sbom.gomod.${IMAGE_TAG}.spdx.json) so the command attests
sbom.gomod.${IMAGE_TAG}.spdx.json for "${IMAGE_NAME}@${CONTAINER_DIGEST}" (keep
--yes and --type spdx flags unchanged).
- Around line 83-85: The cert identity regex passed to cosign's
--certificate-identity-regexp is wrong: replace the trailing "/*" with "/.*" in
the values used with cosign verify-attestation (i.e., change
"https://github.com/$GITHUB_REPOSITORY/*" to
"https://github.com/$GITHUB_REPOSITORY/.*") so the Go regexp matches GitHub
Actions OIDC identities; update all occurrences of that pattern used with the
--certificate-identity-regexp flag.
🧹 Nitpick comments (1)
.github/actions/sign/action.yml (1)

60-67: COSIGN_EXPERIMENTAL is deprecated in cosign v2+; --yes is the correct replacement.

Since you've already added --yes (which is the v2+ way to enable keyless/non-interactive signing), the COSIGN_EXPERIMENTAL: "1" env var is vestigial. Consider removing it to avoid confusion. This applies to all steps that still set it (lines 63, 73, 110).

♻️ Remove deprecated env var
      env:
-       COSIGN_EXPERIMENTAL: "1"
        IMAGE_NAME: ${{ inputs.image-name }}
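Review bot: dropping `COSIGN_EXPERIMENTAL: "1"` is safe only where the step's cosign invocation already carries `--yes`; when applying this to lines 73 and 110, check each step's `run:` line first so the confirmation prompt does not come back. The slsa-provenance-action step that sets the variable to "0" (noted in the PR summary above) is another action's environment and is not covered by this change.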

Apply similarly at lines 73 and 110.
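How the two verification flags discussed in this review behave, as an added Go example that is not cosign's code and not part of this PR: `--certificate-oidc-issuer` is compared as an exact string, and `--certificate-identity-regexp` is compiled with Go's regexp package and tested with `MatchString`, which is a substring match unless the pattern is anchored. The issuer value, the three SubjectAlternativeName URIs and the repository name are constructed sample data in the shape GitHub Actions and Fulcio produce; `Identity`, `MatchesIdentity` and `Evaluate` are names chosen here.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity is the pair of constraints cosign takes from the command line:
// --certificate-oidc-issuer (exact string) and --certificate-identity-regexp
// (Go regexp). Simplified re-implementation for illustration, not cosign's code.
type Identity struct {
	Issuer        string
	SubjectRegexp string
}

// Constructed sample values: the issuer GitHub Actions puts in its OIDC tokens,
// and SubjectAlternativeName URIs in the form Fulcio issues for GitHub-hosted
// workflows: https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>.
const githubIssuer = "https://token.actions.githubusercontent.com"

var sampleLabels = []string{"release-main", "fork-lookalike", "other-repo"}

var sampleSANs = map[string]string{
	"release-main":   "https://github.com/external-secrets/external-secrets/.github/workflows/release.yml@refs/heads/main",
	"fork-lookalike": "https://github.com/external-secrets/external-secrets-fork/.github/workflows/release.yml@refs/heads/main",
	"other-repo":     "https://github.com/someone/unrelated/.github/workflows/ci.yml@refs/heads/main",
}

// MatchesIdentity applies the checks the way cosign does: the issuer must be
// equal, and the identity regexp is tested with MatchString, which matches a
// substring unless the pattern is anchored with ^ and $.
func MatchesIdentity(certIssuer string, sans []string, id Identity) (bool, error) {
	if id.Issuer != "" && id.Issuer != certIssuer {
		return false, nil
	}
	re, err := regexp.Compile(id.SubjectRegexp)
	if err != nil {
		return false, fmt.Errorf("bad identity regexp %q: %w", id.SubjectRegexp, err)
	}
	for _, san := range sans {
		if re.MatchString(san) {
			return true, nil
		}
	}
	return false, nil
}

// Evaluate runs one identity regexp against each sample SAN (all issued by
// githubIssuer) and reports which sample labels it accepts.
func Evaluate(pattern string) (map[string]bool, error) {
	out := map[string]bool{}
	for _, label := range sampleLabels {
		ok, err := MatchesIdentity(githubIssuer, []string{sampleSANs[label]},
			Identity{Issuer: githubIssuer, SubjectRegexp: pattern})
		if err != nil {
			return nil, err
		}
		out[label] = ok
	}
	return out, nil
}

func main() {
	repo := "external-secrets/external-secrets" // stands in for $GITHUB_REPOSITORY
	patterns := []string{
		"https://github.com/" + repo + "/*",  // first proposal: "/*" is zero or more slashes
		"https://github.com/" + repo + "/.*", // corrected form from the review
		"^https://github.com/" + regexp.QuoteMeta(repo) + `/\.github/workflows/.*$`, // anchored, workflows only
	}
	for _, p := range patterns {
		res, err := Evaluate(p)
		if err != nil {
			panic(err)
		}
		fmt.Println(p)
		for _, label := range sampleLabels {
			fmt.Printf("  %-15s %v\n", label, res[label])
		}
	}
	// The issuer is not a regexp: a trailing slash is a plain mismatch.
	ok, _ := MatchesIdentity(githubIssuer, []string{sampleSANs["release-main"]},
		Identity{Issuer: githubIssuer + "/", SubjectRegexp: ".*"})
	fmt.Println("issuer with trailing slash accepted:", ok)
}
```

The first pattern accepts the look-alike repository because `/*` matches zero slashes and nothing anchors the match at the end of the repository name; the `/.*` form rejects it, and the anchored, workflow-scoped form rejects it as well while also refusing any SAN that merely contains the prefix. `regexp.QuoteMeta` is used because `$GITHUB_REPOSITORY` is interpolated into the action's regexp unescaped, and repository names may contain dots.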

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

@Skarlso (Contributor, Author) commented Feb 13, 2026

I tried to read up on the doc as well and found a couple of places on GitHub where it's done like this:

$ cosign verify-attestation --certificate-github-workflow-repository cilium/cilium \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com/ \
    --certificate-identity-regexp https://github.com/cilium/cilium/.github/workflows \
    --type spdxjson <IMAGE URI> 2>&1 | head -n 13

so hopefully, this will work on main.

@Skarlso Skarlso merged commit 0a2d700 into external-secrets:main Feb 13, 2026
36 checks passed
@Skarlso Skarlso deleted the update-cosign-syft branch February 13, 2026 16:32
nutmos pushed a commit to nutmos/external-secrets that referenced this pull request Feb 18, 2026
Signed-off-by: Nattapong Ekudomsuk <nuttapong_mos@hotmail.com>
dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request Mar 22, 2026