From 1a30020a82e3cd6b53a613cbd9b6475fa02c42a8 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Sun, 24 May 2026 08:21:05 +0000
Subject: [PATCH] ci(backend-signing): set COSIGN_EXPERIMENTAL=1 for oci-1-1 referrers mode

cosign v2.4.1 still gates --registry-referrers-mode=oci-1-1 behind the experimental flag, so the first signing run after the backend-signing merge failed with "you must set COSIGN_EXPERIMENTAL=1". Set it at the job env level so both the quay and dockerhub cosign steps inherit it, and note the requirement in .agents/backend-signing.md so a future cosign bump can drop the flag.

Signed-off-by: Ettore Di Giacinto
Assisted-by: Claude:claude-opus-4-7 [Claude Code]
---
 .agents/backend-signing.md | 6 ++++++
 .github/workflows/backend_merge.yml | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/.agents/backend-signing.md b/.agents/backend-signing.md
index 66c8ea2da..3abb31d7a 100644
--- a/.agents/backend-signing.md
+++ b/.agents/backend-signing.md
@@ -49,6 +49,12 @@ cosign sign --yes --recursive \
 Sign by digest, never by tag — signing by tag binds the signature to whatever the tag points at *now*, and a subsequent tag push orphans it.
 
+`--registry-referrers-mode=oci-1-1` is still gated behind
+`COSIGN_EXPERIMENTAL=1` in cosign v2.4.x (set at the job env level in
+`backend_merge.yml`). Re-evaluate when bumping the pinned cosign release
+— newer versions are expected to graduate this flag and the env var can
+then be dropped.
+
 `backend_build_darwin.yml` builds and pushes single-arch darwin images that bypass the manifest-list merge. If/when those entries get a gallery `verification:` policy, the equivalent cosign step has to land there
diff --git a/.github/workflows/backend_merge.yml b/.github/workflows/backend_merge.yml
index 44bd30690..c05fece8d 100644
--- a/.github/workflows/backend_merge.yml
+++ b/.github/workflows/backend_merge.yml
@@ -40,6 +40,11 @@ jobs:
 id-token: write
 env:
 quay_username: ${{ secrets.quayUsername }}
+ # cosign v2.4.x still gates --registry-referrers-mode=oci-1-1 behind
+ # this flag. Without it, signing fails with:
+ # invalid argument "oci-1-1" for "--registry-referrers-mode" flag:
+ # in order to use mode "oci-1-1", you must set COSIGN_EXPERIMENTAL=1
+ COSIGN_EXPERIMENTAL: '1'
 steps:
 # Sparse checkout: the merge job needs `.github/scripts/` (for the
 # keepalive cleanup script) but none of the source tree.
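Review bot: `COSIGN_EXPERIMENTAL: '1'` in the job-level `env:` is inherited by every step of the job, not only the two cosign sign steps the commit message names, so any other tool in the job that reads that variable (a cosign verify step, for example) is also switched into experimental mode. Unless other steps depend on it, a step-level `env:` on each signing step keeps the opt-in next to the `--registry-referrers-mode=oci-1-1` flag that requires it, at the cost of one duplicated line. The new comment quotes the failure but not where the cosign release is pinned, so the cleanup the `.agents` note asks for is not discoverable from here; a trailing line such as `# drop once the pinned cosign release (see <cosign install step>) graduates oci-1-1` would fix that. Presumably signatures written in oci-1-1 mode are attached as OCI referrers rather than via the tag-based fallback, so it is worth confirming that whatever consumes the gallery `verification:` policy also reads referrers, otherwise signed images may fail to verify. The job definition begins and continues outside the hunk.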