From ce3d5d4943f725d9cb92ae06eff859bfd1c5672a Mon Sep 17 00:00:00 2001
From: Vaughn Dice
Date: Mon, 27 Oct 2025 16:45:27 -0600
Subject: [PATCH 1/2] fix(sbom.yml): fix cosign usage

Signed-off-by: Vaughn Dice
---
 .github/workflows/sbom.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 381d9e4..a3e02a7 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -63,6 +63,7 @@ jobs:
 cosign sign-blob --yes \
 --output-certificate ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.cert \
 --output-signature ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.sig \
+ --use-signing-config=false \
 ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx

 - name: Attach SBOM file in the container image

From f9d2889187f3789aa9a6eb8a8112fe399fb06577 Mon Sep 17 00:00:00 2001
From: Vaughn Dice
Date: Tue, 28 Oct 2025 15:05:10 -0600
Subject: [PATCH 2/2] Update .github/workflows/sbom.yml

Co-authored-by: Kate Goldenring
Signed-off-by: Vaughn Dice
---
 .github/workflows/sbom.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index a3e02a7..4e9e4e0 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -61,9 +61,7 @@ jobs:
 - name: Sign SBOM file
 run: |
 cosign sign-blob --yes \
- --output-certificate ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.cert \
- --output-signature ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.sig \
- --use-signing-config=false \
+ --bundle ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.bundle \
 ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx

 - name: Attach SBOM file in the container image
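Review bot: In patch 1/2, `--use-signing-config=false` is added to the `cosign sign-blob` call with no comment saying why the signing config is switched off, so a reader cannot tell a compatibility workaround from a deliberate choice. A line before the command such as `# signing config disabled so the separate --output-certificate/--output-signature files are still written` would record the intent, if that is indeed the reason. That the call needed fixing at all suggests the cosign release may not be pinned in the install step, which lies outside this hunk; if so, pinning it would stop signing behaviour from changing between runs. The step's `- name:` and `run:` lines are also outside this hunk.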
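Review bot: In patch 2/2, the new `--bundle` line still expands `${{ inputs.image-name }}` directly into the shell script and leaves it unquoted, so a caller-supplied value containing spaces or shell metacharacters is interpreted by the shell instead of being treated as a file name. Passing the value through the step's `env:` (`IMAGE_NAME: ${{ inputs.image-name }}`) and writing `--bundle "${IMAGE_NAME}-sbom-${{ matrix.arch }}.spdx.bundle" \` keeps it as data; the blob argument on the following line needs the same treatment. The step now writes a single `.spdx.bundle` in place of `.spdx.cert` and `.spdx.sig`, so any later upload step or verification instructions that name the old files need updating as well; none of those are visible in this hunk.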