From ae2d677fc7e670da8e0f2fcce1a022b384762e21 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 3 Jul 2023 12:31:37 +0000
Subject: [PATCH 1/2] Bump sigstore/cosign-installer

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 9becc617647dfa20ae7b1151972e9b3a2c338a2b to 6e04d228eb30da1757ee4e1dd75a0ec73a653e06.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/9becc617647dfa20ae7b1151972e9b3a2c338a2b...6e04d228eb30da1757ee4e1dd75a0ec73a653e06)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
 dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6e3f7d..aac3dd6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,7 +74,7 @@ jobs:
 - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
 with:
 ref: main
- - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2
+ - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v2
 - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
 # needed for self-hosted builds
 - name: Login to Docker Hub
From 57beb5d4cf8ac08a49544b0a8deab1eb60a6546b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Gr=C3=BCbel?=
Date: Wed, 1 Nov 2023 14:30:04 +0100
Subject: [PATCH 2/2] update sigstore GHA

---
 .github/workflows/release.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aac3dd6..2eccab0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,7 +74,7 @@ jobs:
 - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
 with:
 ref: main
- - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v2
+ - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3
 - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
 # needed for self-hosted builds
 - name: Login to Docker Hub
@@ -122,20 +122,17 @@ jobs:
 - name: Sign and attest image
 run: |
 # sign image
- cosign sign ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
- cosign sign -f ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
+ cosign sign -y ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
 # attest SBOM
- cosign attest \
+ cosign attest -y \
 --type cyclonedx \
 --predicate cyclonedx.json \
 ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
- cosign attest -f \
+ cosign attest -y \
 --type cyclonedx \
 --predicate cyclonedx.json \
 ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
- env:
- COSIGN_EXPERIMENTAL: 1 # needed for keyless signing
 - name: Update deployment
 uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3
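Review bot: The Docker Hub image is left unsigned by the second hunk: the removed `cosign sign ${{ env.DH_IMAGE_NAME }}@…` line gets no `-y` replacement, while the `cosign attest -y … ${{ env.DH_IMAGE_NAME }}@…` block further down still attests that image, so the Docker Hub reference would carry an SBOM attestation but no signature and a `cosign verify` against it would fail. If dropping the Docker Hub signature is intentional, record that in the `# sign image` comment; otherwise keep both, with `cosign sign -y ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}` alongside the GHCR line. Replacing `-f` with `-y` and dropping `COSIGN_EXPERIMENTAL` is consistent with cosign v2 semantics, where keyless signing is the default and `--yes` replaces the interactive upload confirmation, but that presumes the cosign-installer v3 pin in the first hunk installs a v2 binary; a short comment such as `# cosign v2: keyless by default, -y skips the Rekor upload prompt` would make that dependency explicit. The job definition and its `permissions` block (keyless signing in Actions relies on the job's OIDC token) lie outside the hunk.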