Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Bump Cosign to latest v2.2.3 #3355

Merged
merged 7 commits into from
Mar 20, 2024
Merged

fix: Bump Cosign to latest v2.2.3 #3355

merged 7 commits into from
Mar 20, 2024

Conversation

haydentherapper
Copy link
Contributor

Versions of Cosign before v2.2.0 are not compatible with the latest TUF root.

Fixes #3350

Summary

...

Testing Process

...

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@haydentherapper
Bump Cosign to latest v2.2.3
744e063 
Versions of Cosign before v2.2.0 are not compatible with the latest TUF
root.

Fixes slsa-framework#3350

Signed-off-by: Hayden Blauzvern <[email protected]>
@haydentherapper
Copy link
Contributor Author

@ianlewis @laurentsimon @kpk47 This should fix the linked issue. I'm not sure if it was an intentional decision to not update Cosign though, since I see this picks up a lot of other dependency updates.

@haydentherapper
Copy link
Contributor Author

Ah, I see this bumps to Go 1.21. Don't know if this will be an issue for you. Feel free to ping me offline to chat more.

@haydentherapper
remove toolchain directive
039bebf 
Signed-off-by: Hayden Blauzvern <[email protected]>
laurentsimon
laurentsimon approved these changes Mar 20, 2024
View reviewed changes
Copy link
Collaborator

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Will wait till the pre-submit is fixed.

@laurentsimon
Copy link
Collaborator

Can you also update the cosign-installer at

slsa-github-generator/.github/workflows/generator_container_slsa3.yml

Line 170 in b595e06

cosign-release: v2.2.1
?

@bobcallaway bobcallaway changed the title Bump Cosign to latest v2.2.3 fix: Bump Cosign to latest v2.2.3 Mar 20, 2024
@laurentsimon
Copy link
Collaborator

Thank you all for this fast turnaround!

@laurentsimon laurentsimon merged commit 1fee7c6 into slsa-framework:main Mar 20, 2024
74 checks passed
@saisatishkarra
Copy link
Contributor

@laurentsimon is there an ETA on emergency / patch release tag to made to unblock downstream pipelines with this bumped version? #3392

@laurentsimon
Copy link
Collaborator

We're working on a release as P0 and we'll cut it in the next 24hr

@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Mar 20, 2024
Closed
@sgammon
Copy link
Contributor

sgammon commented Mar 20, 2024

has that release happened @laurentsimon

@laurentsimon
Copy link
Collaborator

We're going thru the release process and testing e2e that things are working. @kpk47 is on it

@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Mar 26, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laurentsimon laurentsimon laurentsimon approved these changes

@joshuagl joshuagl Awaiting requested review from joshuagl joshuagl is a code owner

@kpk47 kpk47 Awaiting requested review from kpk47 kpk47 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@haydentherapper @laurentsimon @saisatishkarra @sgammon @bobcallaway