
chore(deps): upgrade Cosign to v2.2.3 #12850

Merged

Conversation

suzuki-shunsuke
Contributor

@suzuki-shunsuke suzuki-shunsuke commented Mar 27, 2024

Fixes #12828

Motivation

Recently, Sigstore has published a new TUF trust root.

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299
https://blog.sigstore.dev/tuf-root-update/

A new TUF trust root doesn't support Cosign v1.13.2, so we should upgrade Cosign to v1.13.6 or v2.

Modifications

  • Upgrade Cosign to v2
  • Set the command line option -y
        -y, --yes=false:
            skip confirmation prompts for non-destructive operations

Without this option, cosign sign and cosign sign-blob don't work in CI.

Verification

#12828
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
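As an added illustration (not code from this PR or from the argo-workflows release workflow), a minimal GitHub Actions job that applies the two changes described above: Cosign pinned to v2.2.3 via the installer action, and `--yes` on `cosign sign` / `cosign sign-blob` so the commands do not block on a confirmation prompt in CI. The job name, image reference, artifact paths and OIDC identity pattern are assumed placeholders.

```yaml
# Added example, not part of the argo-workflows repository.
# Image digest, paths and org name below are constructed placeholders.
name: sign-release
on:
  push:
    tags: ["v*"]
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # push image signatures to the registry
      id-token: write   # keyless signing needs an OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
        with:
          cosign-release: "v2.2.3"   # the version this PR upgrades to
      - name: Sign container image (keyless; v2 uploads to Rekor by default)
        env:
          # Placeholder: sign by digest, never by a mutable tag
          IMAGE_REF: "ghcr.io/example-org/example-image@sha256:0000000000000000000000000000000000000000000000000000000000000000"
        run: cosign sign --yes "$IMAGE_REF"
      - name: Sign release checksums
        run: |
          cosign sign-blob --yes \
            --output-signature dist/checksums.txt.sig \
            --output-certificate dist/checksums.txt.pem \
            dist/checksums.txt
      - name: Verify the blob signature before publishing
        run: |
          # cosign v2 requires the expected signer identity and OIDC issuer
          cosign verify-blob \
            --signature dist/checksums.txt.sig \
            --certificate dist/checksums.txt.pem \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            dist/checksums.txt
```

Without `--yes`, both signing steps wait for an interactive confirmation that never arrives on a CI runner, which is the failure the PR description refers to.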
@suzuki-shunsuke
Contributor Author

Is there any way to test the release workflow?

@suzuki-shunsuke suzuki-shunsuke marked this pull request as ready for review March 27, 2024 13:25
@agilgur5 agilgur5 self-requested a review March 27, 2024 17:24
@agilgur5 agilgur5 self-assigned this Mar 27, 2024
@agilgur5 agilgur5 added type/dependencies PRs and issues specific to updating dependencies github_actions Pull requests that update Github_actions dependencies type/security Security related labels Mar 27, 2024
@agilgur5 agilgur5 changed the title chore: upgrade Cosign to v2.2.3 chore(deps): upgrade Cosign to v2.2.3 Mar 27, 2024
@terrytangyuan terrytangyuan merged commit 1b09539 into argoproj:main Mar 30, 2024
19 checks passed
@suzuki-shunsuke suzuki-shunsuke deleted the chore-upgrade-cosign-to-v2 branch March 30, 2024 02:22
@agilgur5
Member

> Is there any way to test the release workflow?

Not easily unfortunately -- I mentioned this in #12775 etc. The closest way would be to either run act locally or to run in your fork. But then you need to change the registries to your fork and respective secrets for those as well, which is a bit easier said than done.

Much of the release workflow runs on main though, and the merged commit did pass on main

@agilgur5
Member

> so we should upgrade Cosign to v1.13.6 or v2.

Cosign v2 should also upload the transparency log by default, which was previously experimental (see my comment #12828 (comment))

@agilgur5 agilgur5 added this to the v3.5.x patches milestone Apr 3, 2024
agilgur5 pushed a commit that referenced this pull request Apr 3, 2024
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
@agilgur5
Member

agilgur5 commented Apr 3, 2024

Cherry-picked into release-3.5 as 43630bd

isubasinghe pushed a commit to isubasinghe/argo-workflows that referenced this pull request May 7, 2024
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>