fix: update CLI release to use cosign v3 bundle format and ubuntu runner #1945
GoReleaser v2.14.3 updated its cosign integration to use --new-bundle-format by default (cosign v3). The old --output-certificate/--output-signature flags are ignored, causing signing to fail. Switch to --bundle flag and produce a single .sigstore.json bundle file. Also migrate release-cli from windows-latest to ubuntu-latest since the Chocolatey section is commented out and the Windows runner causes filepath issues with GoReleaser's bundle output paths. https://claude.ai/code/session_01MfjLXfzCbZQHTYp69aJxX4
🦋 Changeset detected. Latest commit: 32a461b. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
| version=$(jq -r .version cli/package.json) | ||
| tag="cli/$version" | ||
| git tag -f "$tag" | ||
| echo "Created local tag $tag" |
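Review bot: the value of `version=$(jq -r .version cli/package.json)` is never checked before `git tag -f "$tag"`; if `.version` is missing from cli/package.json, `jq -r` prints `null` and the step force-creates a tag named `cli/null`, and `-f` also silently overwrites any existing tag of that name. Suggest failing fast before tagging, e.g. `[ -n "$version" ] && [ "$version" != null ] || exit 1`, and dropping `-f` unless overwriting an existing tag is intended.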
🚩 Tag format mismatch with GoReleaser monorepo tag_prefix
The goreleaser config at .goreleaser.yaml:43 specifies tag_prefix: "cli@", but the release workflow at .github/workflows/release.yaml:120 creates a local tag using cli/$version (slash separator). Existing git tags confirm the changeset process creates cli@X.Y.Z tags (with @), while the workflow creates cli/X.Y.Z (with /). This is a pre-existing inconsistency not introduced by this PR — both old PowerShell and new bash produce the same cli/VERSION format. It appears GoReleaser may still find the cli@X.Y.Z tag from the changeset commit (fetched via fetch-depth: 0) rather than relying on the local tag. However, the purpose of the local tag (per the comment) is to give GoReleaser a tag on HEAD, and using / instead of @ may mean GoReleaser doesn't recognize it as matching the tag_prefix. Worth investigating whether this local tag is actually serving its intended purpose.
Summary
- Replace --output-certificate/--output-signature flags with --bundle flag, producing a single .sigstore.json bundle file
- Migrate release-cli from windows-latest to ubuntu-latest: The Chocolatey section is fully commented out, so the Windows runner is unnecessary and causes filepath issues with GoReleaser's bundle output paths
- Pin GoReleaser to ~> v2.14: Prevent future breaking changes from latest auto-updates

Test plan

- checksums.txt.sigstore.json appears in GitHub release assets
- cosign verify-blob --certificate-identity <workflow-url> --certificate-oidc-issuer https://token.actions.githubusercontent.com --bundle checksums.txt.sigstore.json checksums.txt
- https://claude.ai/code/session_01MfjLXfzCbZQHTYp69aJxX4
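As an added example (not code from this PR, GoReleaser or cosign), a small Python pre-check for the checksums.txt.sigstore.json bundle the new --bundle flag emits: it parses the bundle's messageSignature.messageDigest and confirms it is bound to the SHA-256 of the artifact actually attached to the release. The bundle is constructed here with placeholder certificate and signature fields; the field layout is assumed to follow the Sigstore bundle v0.3 JSON format, and the full signature and certificate-identity check remains cosign verify-blob's job.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample artifact standing in for a release's checksums.txt.
SAMPLE_ARTIFACT = b"0123abcd  cli_1.0.0_linux_amd64.tar.gz\n"


def make_sample_bundle(artifact: bytes) -> str:
    """Build a constructed bundle whose embedded digest matches `artifact`.

    Certificate, signature and tlog fields are placeholders, not real material;
    only the digest binding is meaningful in this sample.
    """
    digest = hashlib.sha256(artifact).digest()
    bundle = {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": base64.b64encode(b"PLACEHOLDER-DER-CERT").decode()},
            "tlogEntries": [],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256", "digest": base64.b64encode(digest).decode()},
            "signature": base64.b64encode(b"PLACEHOLDER-SIG").decode(),
        },
    }
    return json.dumps(bundle)


def bundle_digest_matches(bundle_json: str, artifact: bytes) -> bool:
    """Return True only if `bundle_json` is a Sigstore bundle whose message
    digest equals SHA-256(artifact). A swapped or truncated checksums.txt,
    or a bundle produced for a different file, yields False."""
    bundle = json.loads(bundle_json)
    media_type = bundle.get("mediaType", "")
    if not isinstance(media_type, str) or not media_type.startswith("application/vnd.dev.sigstore.bundle"):
        return False
    msg_sig = bundle.get("messageSignature")
    if not msg_sig:
        return False  # DSSE-style bundles carry an envelope instead; out of scope here
    md = msg_sig.get("messageDigest", {})
    if md.get("algorithm") != "SHA2_256":
        return False
    try:
        expected = base64.b64decode(md.get("digest", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Constant-time compare; avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, hashlib.sha256(artifact).digest())


if __name__ == "__main__":
    print(bundle_digest_matches(make_sample_bundle(SAMPLE_ARTIFACT), SAMPLE_ARTIFACT))
```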