From 8fbf18490ebdec461eba749fdacc12eafe5d7756 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 22 May 2026 22:16:44 +0000
Subject: [PATCH] fix: remove deprecated cosign bundle flag from backend merge workflow
Agent-Logs-Url: https://github.com/mudler/LocalAI/sessions/4207dabc-14ec-4655-9594-487338977fcf
Co-authored-by: mudler <2420543+mudler@users.noreply.github.com>
---
 .agents/backend-signing.md | 8 ++++----
 .github/workflows/backend_merge.yml | 5 ++---
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/.agents/backend-signing.md b/.agents/backend-signing.md
index a072032ba..66c8ea2da 100644
--- a/.agents/backend-signing.md
+++ b/.agents/backend-signing.md
@@ -16,7 +16,8 @@ side (`pkg/oci/cosignverify` plus the gallery YAML).
 per-arch manifest before checking signatures.
 - **Storage:** Signatures are written as OCI 1.1 referrers
 (`--registry-referrers-mode=oci-1-1`) in the new Sigstore bundle format
- (`--new-bundle-format`). No `:sha256-.sig` tag clutter.
+ (current cosign releases do this by default; no `--new-bundle-format`
+ flag). No `:sha256-.sig` tag clutter.
 - **Consumer:** `pkg/oci/cosignverify` discovers the bundle via the
 referrers API, hands it to `sigstore-go`, and verifies it against the
 policy declared in the gallery YAML (`Gallery.Verification`).
@@ -33,15 +34,14 @@ to sign. The job needs:
 - `permissions: { id-token: write, contents: read }` at the job level so the runner can exchange its GitHub OIDC token for a Fulcio cert.
-- `sigstore/cosign-installer@v3` step (cosign ≥ 2.2 for
- `--new-bundle-format`).
+- `sigstore/cosign-installer@v3` step (current cosign releases already
+ default to the new bundle format).
 - After each `docker buildx imagetools create`, resolve the resulting list digest with `docker buildx imagetools inspect --format '{{.Manifest.Digest}}'` and sign:
 ```sh
 cosign sign --yes --recursive \
- --new-bundle-format \
 --registry-referrers-mode=oci-1-1 \
 "${REGISTRY_REPO}@${DIGEST}"
 ```
diff --git a/.github/workflows/backend_merge.yml b/.github/workflows/backend_merge.yml
index 2a01a6e41..44bd30690 100644
--- a/.github/workflows/backend_merge.yml
+++ b/.github/workflows/backend_merge.yml
@@ -66,7 +66,8 @@ jobs:
 # cosign signs each pushed manifest list with --recursive so the
 # index and every per-arch entry get an attached Sigstore bundle.
- # 2.2+ is required for --new-bundle-format.
+ # Recent cosign releases always emit the new bundle format, so
+ # there's no extra CLI flag to opt into it.
 - name: Install cosign
 if: github.event_name != 'pull_request'
 uses: sigstore/cosign-installer@v3
@@ -153,7 +154,6 @@ jobs:
 # manifest before checking signatures need the per-arch
 # signatures, not just the list-level one.
 cosign sign --yes --recursive \
- --new-bundle-format \
 --registry-referrers-mode=oci-1-1 \
 "quay.io/go-skynet/local-ai-backends@${digest}"
@@ -180,7 +180,6 @@ jobs:
 ' <<< "$DOCKER_METADATA_OUTPUT_JSON")
 digest=$(docker buildx imagetools inspect "$first_tag" --format '{{.Manifest.Digest}}')
 cosign sign --yes --recursive \
- --new-bundle-format \
 --registry-referrers-mode=oci-1-1 \
 "localai/localai-backends@${digest}"
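Review bot: Removing `--new-bundle-format` from the `cosign sign` call in the -153 hunk (and the same removal in the -180 hunk) makes the produced signature format depend on whichever cosign the floating `sigstore/cosign-installer@v3` step resolves, since nothing in the -66 hunk sets the action's `cosign-release` input; on a runner that resolves an older cosign the job would still succeed but presumably emit the legacy `.sig` layout that the referrers-based verifier described in `.agents/backend-signing.md` may not find. The flag was an explicit guarantee, whereas the new comment at -66 asserts a default rather than enforcing one. I'd pin the installer, e.g. `with:` / `cosign-release: '<version whose default is the new bundle format>'`, and add `cosign version` at the top of the signing script so the job log records which binary produced the signatures. Pinning the action by commit SHA instead of the floating `v3` tag would make the resolved cosign deterministic as well. The `Install cosign` step and both signing scripts start and end outside these hunks.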