Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: sign release artifacts with cosign#5793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
scop wants to merge1 commit intogolangci:main
base:main
Choose a base branch
Loading
fromscop:feat/cosign-artifacts

Conversation

@scop
Copy link
Contributor

@scopscop commentedMay 11, 2025
edited by ldez
Loading

For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}).
signs:
Copy link
ContributorAuthor

@scopscopMay 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Non-CIgoreleaser release runs should likely be done with--skip sign in order to not break after we add this.

signs:
-signature:${artifact}.cosign.bundle
cmd:cosign
Copy link
ContributorAuthor

@scopscopMay 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I guess some docs how to verify downloads with cosign would not hurt. But we don't have any for verifying the sha256sums either, so not sure.#5806 contains changes for verifying in the installer script.

@scopscopforce-pushed thefeat/cosign-artifacts branch from12b2fc0 to6898794CompareMay 11, 2025 13:37
@ldezldez self-requested a reviewMay 11, 2025 15:40
@ldezldez added area: installIssue relates to installation or downloading process area: ciPR that update CI labelsMay 11, 2025
@CLAassistant
Copy link

CLAassistant commentedMay 20, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@scopscopforce-pushed thefeat/cosign-artifacts branch from6898794 to840da20CompareMay 23, 2025 13:38
@scopscopforce-pushed thefeat/cosign-artifacts branch from840da20 to7d7647bCompareMay 23, 2025 13:40
@scop
Copy link
ContributorAuthor

Rebased and switched to the new bundle format.

@ldez
Copy link
Member

ldez commentedSep 17, 2025
edited
Loading

I don't forget this PR, but each time I look at it, I'm stuck with the same problems/questions.

  1. Adding a new element inside the release process introduces a new risk of release failure.
  2. The goreleaser configuration inside this PR is different than the suggested one, I don't know why, and I don't find clear references with this configuration.

@ldezldez added the waiting for: contributor feedbackRequires additional feedback labelSep 17, 2025
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@ldezldezAwaiting requested review from ldez

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

area: ciPR that update CIarea: installIssue relates to installation or downloading processwaiting for: contributor feedbackRequires additional feedback

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Sign the artifacts (binaries/images) using cosign

3 participants

@scop@CLAassistant@ldez
[8]ページ先頭
©2009-2025 Movatter.jp