[PR #3090] [MERGED] Upgrade cosign installer to v4.1.2 and pin cosign version #18336

New Issue

Closed

opened 2026-05-18 18:30:40 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-18 18:30:40 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/3090
Author: @marcschaeferger
Created: 5/16/2026
Status: ✅ Merged
Merged: 5/16/2026
Merged by: @oschwartz10612

Base: main ← Head: github-action-cosign

---

📝 Commits (2)

• 1b17fba Upgrade cosign installer to v4.1.2 and pin cosign version
• 3322f1c Update cosign installer version in CI workflow

📊 Changes

1 file changed (+3 additions, -1 deletions)

View changed files

📝 .github/workflows/cicd.yml (+3 -1)

📄 Description

Description

Updates the Cosign installer workflow usage and explicitly pins the installed Cosign binary to v3.0.6.

Why

Cosign versions below 3.0.6 are affected by CVE-2026-39395. While this workflow was not explicitly pinned to an older vulnerable Cosign binary, the installed Cosign version was implicit and therefore less deterministic.

Changes

• Updates sigstore/cosign-installer to v4.1.2 https://github.com/sigstore/cosign-installer/releases/tag/v4.1.2
• Adds an explicit cosign-release: v3.0.6
• Keeps the workflow behavior unchanged apart from using the fixed Cosign version

References

• CVE: https://www.suse.com/security/cve/CVE-2026-39395.html
• Cosign installer usage: https://github.com/sigstore/cosign-installer#usage

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/3090 **Author:** [@marcschaeferger](https://github.com/marcschaeferger) **Created:** 5/16/2026 **Status:** ✅ Merged **Merged:** 5/16/2026 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `main` ← **Head:** `github-action-cosign` --- ### 📝 Commits (2) - [`1b17fba`](https://github.com/fosrl/pangolin/commit/1b17fba19fb421b3d7c2ee073db6a487eb6d63b4) Upgrade cosign installer to v4.1.2 and pin cosign version - [`3322f1c`](https://github.com/fosrl/pangolin/commit/3322f1ccb4467f4440cc93ebf00ed014adf74884) Update cosign installer version in CI workflow ### 📊 Changes **1 file changed** (+3 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/cicd.yml` (+3 -1) </details> ### 📄 Description ## Description Updates the Cosign installer workflow usage and explicitly pins the installed Cosign binary to `v3.0.6`. ## Why Cosign versions below `3.0.6` are affected by CVE-2026-39395. While this workflow was not explicitly pinned to an older vulnerable Cosign binary, the installed Cosign version was implicit and therefore less deterministic. ## Changes - Updates `sigstore/cosign-installer` to `v4.1.2` https://github.com/sigstore/cosign-installer/releases/tag/v4.1.2 - Adds an explicit `cosign-release: v3.0.6` - Keeps the workflow behavior unchanged apart from using the fixed Cosign version ## References - CVE: https://www.suse.com/security/cve/CVE-2026-39395.html - Cosign installer usage: https://github.com/sigstore/cosign-installer#usage --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-05-18 18:30:40 -05:00

GiteaMirror closed this issue 2026-05-18 18:30:42 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

fix-3104

dev

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

crowdin_dev

rdp-ssh

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#18336