fix: attempt to fix cosign compatibility issues by gusfcarvalho · Pull Request #5959 · external-secrets/external-secrets

gusfcarvalho · 2026-02-13T18:22:16Z

attempts to fix our image signature process

Summary

Fixes cosign compatibility issues in the image signature process by upgrading cosign from v3.0.3 to v3.0.4, forcing the older bundle format via --new-bundle-format=false and disabling signing-config via --use-signing-config=false for sign/attest/verify steps, relaxing the certificate identity regexp, and improving signing, SBOM, and provenance logging and verification flows.

Changes

.github/actions/sign/action.yml

Upgraded cosign to v3.0.4.
Added --new-bundle-format=false and --use-signing-config=false to sign/attest/verify commands.
Reworked digest retrieval, signing, SBOM (OS + Go modules) generation/attestation/verification, and provenance attestation into grouped, multi-step blocks with clearer logs and explicit certificate-identity-regexp handling.

.github/workflows/helm.yml

Upgraded cosign to v3.0.4.
Added --new-bundle-format=false and --use-signing-config=false to cosign sign/verify.
Relaxed certificate identity regexp from https://github.com/$GITHUB_REPOSITORY/* to https://github.com/$GITHUB_REPOSITORY/.* for verification.

.github/actions/e2e/action.yml

Updated docker/setup-buildx-action reference to v3.12.0 and removed explicit version input.

.github/workflows/e2e.yml

Removed DOCKER_BUILDX_VERSION env variable.

Impact

No public API changes. Improves CI signing/SBOM/provenance robustness and compatibility with cosign.

coderabbitai · 2026-02-13T18:22:41Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Bumps cosign v3.0.3→v3.0.4, adds signing/attestation flags (--new-bundle-format=false, --use-signing-config=false), restructures digest/signing/SBOM/provenance steps into grouped log blocks, loosens certificate identity regexp, updates docker/setup-buildx-action pin, and removes an explicit buildx version env var.

Changes

Cohort / File(s)	Summary
Signing action & workflow `.github/actions/sign/action.yml`, `.github/workflows/helm.yml`	Upgrades cosign v3.0.3 → v3.0.4; adds `--new-bundle-format=false` and `--use-signing-config=false` to sign/attest/verify commands; wraps digest lookup, sign, SBOM (image & Go modules) generation/attest/verify, and provenance attest/verify in grouped log blocks; relaxes certificate-identity-regexp to `https://github.com/$GITHUB_REPOSITORY/.*`.
E2E / buildx updates `.github/actions/e2e/action.yml`, `.github/workflows/e2e.yml`	Pins `docker/setup-buildx-action` to a newer ref (old v2.10.0 commit → v3.12.0 ref) and removes the explicit `version:` input; removes `DOCKER_BUILDX_VERSION` env var from e2e workflow and adjusts comment/indentation.

Possibly related PRs

fix: update cosign and syft for signing #5958: Modifies the same GitHub Actions cosign signing/verification workflow (version bump, signing/attestation flags, and SBOM/provenance steps).

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into `main`

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}