Update sigstore/cosign-installer action to v4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
sigstore/cosign-installer	action	major	v3 → v4.1.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.1

Compare Source

What's Changed

• chore: update default cosign-release to v3.0.5 in #​223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

• Bump cosign to 3.0.5 in #​220
• fix: add retry to curl downloads for transient network failures in #​210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

v4.0.0

Compare Source

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

• Add support for Cosign v3 releases (#​201)

v3.10.1

Compare Source

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#​203)

v3.10.0

Compare Source

What's Changed

• Bump default Cosign to v2.6.0 in #​200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

Compare Source

What's Changed

• not fail fast and setup permissions in #​195
• drop old unsupported versions <v2.0.0 in #​192
• Update default to v2.5.3 in #​196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

Compare Source

What's Changed

• default action install to use release v2.5.1 by @​cpanato in #​193
• default cosign to v2.5.2 by @​cpanato in #​194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

v3.9.0

Compare Source

What's Changed

• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in #​189
• bump cosign install to use release v2.5.0 as default by @​cpanato in #​191

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

v3.8.2

Compare Source

What's Changed

• install cosign v2 from main in #​186

Full Changelog: sigstore/cosign-installer@v3...v3.8.2

v3.8.1

Compare Source

What's Changed

• use cosign 2.4.3 and other updates by @​cpanato in #​182

Full Changelog: sigstore/cosign-installer@v3...v3.8.1

v3.8.0

Compare Source

What's Changed

• test action against all non-rc releases, verify entry in rekor log by @​bobcallaway in #​179
• bump for cosign v2.4.2 release by @​bobcallaway in #​181

Full Changelog: sigstore/cosign-installer@v3...v3.8.0

v3.7.0

Compare Source

What's Changed

• Bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in #​172
• bump for latest cosign v2.4.1 release by @​bobcallaway in #​173

Full Changelog: sigstore/cosign-installer@v3.6.0...v3.7.0

v3.6.0

Compare Source

What's Changed

• Bump actions/checkout from 4.1.2 to 4.1.3 by @​dependabot in #​161
• Bump actions/checkout from 4.1.3 to 4.1.4 by @​dependabot in #​162
• Bump actions/setup-go from 5.0.0 to 5.0.1 by @​dependabot in #​163
• Bump actions/checkout from 4.1.4 to 4.1.5 by @​dependabot in #​164
• Bump actions/checkout from 4.1.5 to 4.1.6 by @​dependabot in #​165
• Bump actions/checkout from 4.1.6 to 4.1.7 by @​dependabot in #​166
• Bump actions/setup-go from 5.0.1 to 5.0.2 by @​dependabot in #​167
• pin public key used for verification by @​bobcallaway in #​169
• bump default version to v2.4.0 release by @​bobcallaway in #​168
• update readme for new release by @​bobcallaway in #​170

Full Changelog: sigstore/cosign-installer@v3...v3.6.0

v3.5.0

Compare Source

What's Changed

• Bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot in #​157
• use go 1.22 now by @​bobcallaway in #​160
• bump default version to v2.2.4, prep for v3.5.0 release by @​bobcallaway in #​159

Full Changelog: sigstore/cosign-installer@v3.4.0...v3.5.0

v3.4.0

Compare Source

What's Changed

• Use examples that work with multiple tags by @​jkreileder in #​155
• default cosign install to release v2.2.3 by @​cpanato in #​156

New Contributors

• @​jkreileder made their first contribution in #​155

Full Changelog: sigstore/cosign-installer@v3...v3.4.0

v3.3.0

Compare Source

What's Changed

• Bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot in #​152
• update action to use latest cosign v2.2.2 by @​cpanato in #​153

Full Changelog: sigstore/cosign-installer@v3.2.0...v3.3.0

v3.2.0

Compare Source

Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP

see https://github.com/sigstore/cosign/releases/tag/v2.2.1

What's Changed

• Support the runner context of gitea act by @​josedev-union in #​147
• bump cosign to v2.2.1 by @​cpanato in #​148
• test with latest go version by @​bobcallaway in #​150

New Contributors

• @​josedev-union made their first contribution in #​147

Full Changelog: sigstore/cosign-installer@v3...v3.2.0

v3.1.2

Compare Source

What's Changed

• Fix build and push step Readme missing id by @​hbenali in #​138
• bump cosign to v2.2.0 by @​cpanato in #​142

New Contributors

• @​hbenali made their first contribution in #​138

Full Changelog: sigstore/cosign-installer@v3...v3.1.2

v3.1.1

Compare Source

What's Changed

• default cosign to v2.1.1 by @​cpanato in #​137

Full Changelog: sigstore/cosign-installer@v3.1.0...v3.1.1

v3.1.0

Compare Source

What's Changed

• update job to use latest action release by @​cpanato in #​130
• Update action example for keyless signing as xarg is not required by @​jbtrystram in #​132
• update examples by @​cpanato in #​133
• bump cosign to default to release v2.1.0 and update docs by @​cpanato in #​136

New Contributors

• @​jbtrystram made their first contribution in #​132

Full Changelog: sigstore/cosign-installer@v3.0.5...v3.1.0

v3.0.5

Compare Source

What's Changed

• download cosign releases from GitHub rather than GCS by @​bobcallaway in #​126

Full Changelog: sigstore/cosign-installer@v3.0.4...v3.0.5

v3.0.4

Compare Source

• Include fix for #​124
• changes download URL for cosign binary to github.com instead of GCS

v3.0.3

Compare Source

What's Changed

• bump to cosign v2.0.2 by @​bobcallaway in #​119
• changes download URL for cosign binary to github.com instead of GCS

Full Changelog: sigstore/cosign-installer@v3.0.2...v3.0.3

v3.0.2

Compare Source

What's Changed

• add --yes to example workflow by @​sebhoss in #​110
• Fix aarch64 action run by @​ananos in #​113
• Bump actions/checkout from 3.3.0 to 3.4.0 by @​dependabot in #​115
• Bump actions/setup-go from 3.5.0 to 4.0.0 by @​dependabot in #​114
• Bump actions/checkout from 3.4.0 to 3.5.0 by @​dependabot in #​116
• default cosign to v2.0.1 by @​cpanato in #​117
• changes download URL for cosign binary to github.com instead of GCS

New Contributors

• @​sebhoss made their first contribution in #​110
• @​ananos made their first contribution in #​113

Full Changelog: sigstore/cosign-installer@v3...v3.0.2

v3.0.1

Compare Source

What's Changed

• make cosign v2.0.0 default version by @​developer-guy in #​109
• changes download URL for cosign binary to github.com instead of GCS

Full Changelog: sigstore/cosign-installer@v3.0.0...v3.0.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.