fix(release): pin cosign to v2.x for goreleaser compatibility

adrianbrad · adrianbrad · commit aabd29aee971 · 2026-04-20T23:47:01.000+03:00
cosign v3 mandates new bundle format (single .sigstore.json per
artifact) when the default signing config is active, which breaks
goreleaser's legacy --output-signature / --output-certificate layout.
Rather than migrate goreleaser's signing layout, pin cosign to the
latest v2.x line (which still emits .sig + .pem files alongside each
artifact). Scorecard's Signed-Releases check accepts either format.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -31,6 +31,8 @@ jobs:
 
       - name: Install cosign
         uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        with:
+          cosign-release: 'v2.6.0'
 
       - name: Install syft (for SBOM generation)
         uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -30,7 +30,6 @@ signs:
     certificate: "${artifact}.pem"
     args:
       - sign-blob
-      - --new-bundle-format=false
       - --output-certificate=${certificate}
       - --output-signature=${signature}
       - ${artifact}
