Automated release workflow permission updates (#1802)

* Update Splunk Enterprise version from 10.0.0 to 10.2.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* add id-token: write to permissions

* add COSIGN_DOCKER_MEDIA_TYPES to signing steps

* use --recursive for signing distroless image

* remove --recursive from cosign verify

* cleanup

* add --recursive for standard image

---------

Co-authored-by: Gabriel J Mendoza <gabrielm@splunk.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

.env

@@ -8,4 +8,4 @@ EKSCTL_VERSION=v0.215.0
 EKS_CLUSTER_K8_VERSION=1.34
 EKS_INSTANCE_TYPE=m5.2xlarge
 EKS_INSTANCE_TYPE_ARM64=c6g.4xlarge
-SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:10.0.0
+SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:10.2.0

.github/workflows/automated-release-workflow.yml

@@ -22,6 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
       pull-requests: write
     if: github.ref == 'refs/heads/main'
     env:
@@ -111,31 +112,35 @@ jobs:
 
     - name: Sign Splunk Operator image with a key
       run: |
-        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+        cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
       env:
         COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        COSIGN_DOCKER_MEDIA_TYPES: "1"
 
     - name: Verify Splunk Operator image with a key
       run: |
         cosign verify --key env://COSIGN_PUBLIC_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
       env:
         COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+        COSIGN_DOCKER_MEDIA_TYPES: "1"
 
     - name: Promote Distroless RC Image to Release
       run: |
         regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC-distroless splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
 
     - name: Sign Distroless Splunk Operator image with a key
       run: |
-        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
+        cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
       env:
         COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
         COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        COSIGN_DOCKER_MEDIA_TYPES: "1"
 
     - name: Verify Distroless Splunk Operator image with a key
       run: |
         cosign verify --key env://COSIGN_PUBLIC_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
       env:
         COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+        COSIGN_DOCKER_MEDIA_TYPES: "1"