fix(release): drop --oidc-issuer flag for cosign v3 compatibility

adrianbrad · adrianbrad · commit 5468e9479f10 · 2026-04-20T23:43:05.000+03:00
cosign v3 (installed by sigstore/cosign-installer@v4) rejects
--oidc-issuer when it conflicts with its embedded signing config
("cannot specify service URLs and use signing config"). In GitHub
Actions cosign auto-detects the token issuer from the environment,
so the flag is redundant; dropping it lets sign-blob succeed.

Also uses --certificate-oidc-issuer-regexp in the verification
snippet in release notes for the same forward-compat reason.
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -30,7 +30,6 @@ signs:
     certificate: "${artifact}.pem"
     args:
       - sign-blob
-      - --oidc-issuer=https://token.actions.githubusercontent.com
       - --output-certificate=${certificate}
       - --output-signature=${signature}
       - ${artifact}
@@ -54,7 +53,7 @@ release:
       --certificate checksums.txt.pem \
       --signature checksums.txt.sig \
       --certificate-identity-regexp '^https://github.com/adrianbrad/queue/\.github/workflows/release\.yaml@refs/tags/' \
-      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+      --certificate-oidc-issuer-regexp '^https://token\.actions\.githubusercontent\.com' \
       checksums.txt
     ```
 
