[PR #360] [MERGED] Upgrade cosign installer to v4.1.2 and pin cosign version #8561

Closed
opened 2026-07-13 14:54:00 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/360
Author: @marcschaeferger
Created: 5/16/2026
Status: Merged
Merged: 5/16/2026
Merged by: @oschwartz10612

Base: mainHead: github-action-cosign


📝 Commits (1)

  • 8736f89 fix(security): update cosign to v3.0.6 and installer to 4.1.2

📊 Changes

1 file changed (+2 additions, -2 deletions)

View changed files

📝 .github/workflows/cicd.yml (+2 -2)

📄 Description

Description

Updates the Cosign installer workflow usage and explicitly pins the installed Cosign binary to v3.0.6.

Why

Cosign versions below 3.0.6 are affected by CVE-2026-39395. While this workflow was not explicitly pinned to an older vulnerable Cosign binary, the installed Cosign version was implicit and therefore less deterministic.

Changes

References


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/newt/pull/360 **Author:** [@marcschaeferger](https://github.com/marcschaeferger) **Created:** 5/16/2026 **Status:** ✅ Merged **Merged:** 5/16/2026 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `main` ← **Head:** `github-action-cosign` --- ### 📝 Commits (1) - [`8736f89`](https://github.com/fosrl/newt/commit/8736f89291076ef66ce9477ef0ccfbea43001319) fix(security): update cosign to v3.0.6 and installer to 4.1.2 ### 📊 Changes **1 file changed** (+2 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/cicd.yml` (+2 -2) </details> ### 📄 Description ## Description Updates the Cosign installer workflow usage and explicitly pins the installed Cosign binary to `v3.0.6`. ## Why Cosign versions below `3.0.6` are affected by CVE-2026-39395. While this workflow was not explicitly pinned to an older vulnerable Cosign binary, the installed Cosign version was implicit and therefore less deterministic. ## Changes - Updates `sigstore/cosign-installer` to `v4.1.2` https://github.com/sigstore/cosign-installer/releases/tag/v4.1.2 - Adds an explicit `cosign-release: v3.0.6` - Keeps the workflow behavior unchanged apart from using the fixed Cosign version ## References - CVE: https://www.suse.com/security/cve/CVE-2026-39395.html - Cosign installer usage: https://github.com/sigstore/cosign-installer#usage --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-07-13 14:54:00 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/newt#8561