From b108e4db5a0e094c52e665811509286e94794afe Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 08:21:43 +0000
Subject: [PATCH 01/13] feat: add cosign keyless signing and CycloneDX SBOM generation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add supply-chain hygiene for SLSA/NIST SSDF compliance:
- release.yml: id-token: write permission added for GitHub OIDC; install cosign + syft; sign versioned and latest container images by digest; generate and attest CycloneDX SBOM to image; upload SBOM as release asset
- .goreleaser.yml: signs: block to cosign sign-blob checksums.txt (covers all binaries/archives); sboms: block to generate per-arch CycloneDX JSON via Syft
- SECURITY.md: document signing identity (OIDC issuer + cert regexp), what is signed, verify commands for image/blob/attestation, and tampered artifact reporting process
No new secrets required — uses GitHub Actions keyless OIDC signing.
---
 .github/workflows/release.yml | 67 ++++++++++++++++++++++++++++++
 .goreleaser.yml | 32 ++++++++++++---
 README.md | 58 ++++++++++++++++++++++++++
 SECURITY.md | 76 ++++++++++++++++++++++++++++++++++-
 4 files changed, 225 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1ca9bb8..2d7820d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,9 +11,13 @@ on:
 permissions:
   contents: write
   packages: write
+  # Required for keyless cosign signing via GitHub OIDC
+  id-token: write
 
 env:
   GO_VERSION: "1.25"
+  REGISTRY: ghcr.io
+  IMAGE: ghcr.io/optiqor/kerno
 
 jobs:
   release:
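Review bot: `REGISTRY: ghcr.io` is added to the workflow `env` but no step in this patch series reads `env.REGISTRY`; the new `IMAGE` value spells the registry host out literally instead. Either drop `REGISTRY` or have the `docker buildx imagetools inspect` and `cosign` steps reference it, so the registry appears in exactly one place. A short comment on `IMAGE` would also help, e.g. `# Must match docker_manifests name_template in .goreleaser.yml`, since the two files are only coupled by this string.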
@@ -48,7 +52,16 @@ jobs:
       - name: Set up QEMU (multi-arch)
         uses: docker/setup-qemu-action@v4
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: "v2.4.1"
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0
+
       - name: Run GoReleaser
+        id: goreleaser
         uses: goreleaser/goreleaser-action@v7
         with:
           distribution: goreleaser
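Review bot: `sigstore/cosign-installer@v3` and `anchore/sbom-action/download-syft@v0` are referenced by floating major tags in a job that now holds `id-token: write` and produces the release signatures, so whatever those tags resolve to at run time signs as this repository's identity. Pinning each third-party action to a full commit SHA with the tag in a trailing comment (`uses: sigstore/cosign-installer@<commit-sha>  # v3`) keeps that trust anchor under the repository's control; the pinned `cosign-release: "v2.4.1"` is the right instinct and the action reference deserves the same. The same applies to `anchore/sbom-action@v0` and `softprops/action-gh-release@v2` in the next hunk, and to the `download-syft` and `cosign-installer` steps added to the snapshot job in PATCH 04 and 05.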
@@ -56,3 +69,57 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract image digest (versioned tag)
+        id: digest-tag
+        run: |
+          TAG="${{ github.ref_name }}"
+          DIGEST=$(docker buildx imagetools inspect "${{ env.IMAGE }}:${TAG}" \
+            --format '{{json .Manifest}}' | jq -r '.digest')
+          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Sign container image (versioned tag)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign sign --yes \
+            "${{ env.IMAGE }}:${{ steps.digest-tag.outputs.tag }}@${{ steps.digest-tag.outputs.digest }}"
+
+      - name: Extract image digest (latest tag)
+        id: digest-latest
+        run: |
+          DIGEST=$(docker buildx imagetools inspect "${{ env.IMAGE }}:latest" \
+            --format '{{json .Manifest}}' | jq -r '.digest')
+          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+
+      - name: Sign container image (latest tag)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign sign --yes \
+            "${{ env.IMAGE }}:latest@${{ steps.digest-latest.outputs.digest }}"
+
+      - name: Generate SBOM (container image)
+        uses: anchore/sbom-action@v0
+        with:
+          image: "${{ env.IMAGE }}:${{ steps.digest-tag.outputs.tag }}"
+          format: cyclonedx-json
+          output-file: "${{ github.workspace }}/kerno_${{ steps.digest-tag.outputs.tag }}_sbom.cyclonedx.json"
+          artifact-name: "kerno_${{ steps.digest-tag.outputs.tag }}_sbom.cyclonedx.json"
+
+      - name: Attest SBOM to image (versioned tag)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign attest --yes \
+            --predicate "${{ github.workspace }}/kerno_${{ steps.digest-tag.outputs.tag }}_sbom.cyclonedx.json" \
+            --type cyclonedx \
+            "${{ env.IMAGE }}:${{ steps.digest-tag.outputs.tag }}@${{ steps.digest-tag.outputs.digest }}"
+
+      - name: Upload SBOM to GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: "${{ github.workspace }}/kerno_${{ steps.digest-tag.outputs.tag }}_sbom.cyclonedx.json"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 7d56f4a..b7ce6f8 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,6 +1,5 @@
 # Copyright 2026 Optiqor contributors
 # SPDX-License-Identifier: Apache-2.0
-# https://goreleaser.com/customization/
 
 version: 2
 
@@ -9,9 +8,6 @@ project_name: kerno
 before:
   hooks:
     - go mod tidy
-    # Generate bpf2go bindings (*_bpfel.go) and rewrite their build tag
-    # so the `ebpf` tag selects them over the no-clang stubs in gen_stub.go.
-    # The release workflow installs clang + libbpf-dev before invoking goreleaser.
     - make generate
 
 builds:
@@ -27,7 +23,6 @@ builds:
       - arm64
     flags:
       - -trimpath
-      # `ebpf` tag selects the bpf2go-generated bindings over the no-clang stubs.
     tags:
       - ebpf
     ldflags:
@@ -50,6 +45,31 @@ archives:
 checksum:
   name_template: "checksums.txt"
 
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - --yes
+      - --output-signature=${artifact}.sig
+      - --output-certificate=${artifact}.pem
+      - "${artifact}"
+    artifacts: checksum
+    output: true
+
+sboms:
+  - id: binary-sbom
+    artifacts: binary
+    documents:
+      - "{{ .ArtifactName }}_sbom.cyclonedx.json"
+    args:
+      - "$artifact"
+      - "--file"
+      - "$document"
+      - "--output"
+      - "cyclonedx-json"
+
 changelog:
   sort: asc
   use: github
@@ -111,4 +131,4 @@ docker_manifests:
   - name_template: "ghcr.io/optiqor/kerno:latest"
     image_templates:
       - "ghcr.io/optiqor/kerno:{{ .Tag }}-amd64"
-      - "ghcr.io/optiqor/kerno:{{ .Tag }}-arm64"
+      - "ghcr.io/optiqor/kerno:{{ .Tag }}-arm64"
\ No newline at end of file
diff --git a/README.md b/README.md
index f71c00b..a929f50 100644
--- a/README.md
+++ b/README.md
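Review bot: The `Extract image digest (versioned tag)` step expands `${{ github.ref_name }}` straight into the `run:` script body, and the `Generate SBOM` step scans the image by tag (`image: "${{ env.IMAGE }}:<tag>"`) even though the digest has already been captured two steps earlier. GitHub's workflow-hardening guidance is to pass context values through `env:` and read them as shell variables rather than interpolating them into script text; for the SBOM, scanning `${{ env.IMAGE }}@${{ steps.digest-tag.outputs.digest }}` guarantees the attested document describes exactly the image the `cosign attest` step binds it to, even if the tag moves between steps. `COSIGN_EXPERIMENTAL: "1"` looks like a v1-era switch — cosign v2 (pinned in the previous hunk) signs keyless by default, so it is most likely a no-op and can be dropped; confirm against the pinned version's docs. The `release` job and its `steps:` list begin above this hunk.

```yaml
      - name: Extract image digest (versioned tag)
        id: digest-tag
        env:
          TAG: ${{ github.ref_name }}
        run: |
          DIGEST=$(docker buildx imagetools inspect "${IMAGE}:${TAG}" \
            --format '{{json .Manifest}}' | jq -r '.digest')
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
      # … unchanged: sign steps for versioned and latest tags …
      - name: Generate SBOM (container image)
        uses: anchore/sbom-action@v0
        with:
          image: "${{ env.IMAGE }}@${{ steps.digest-tag.outputs.digest }}"
          # … unchanged: format, output-file, artifact-name …
```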
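Review bot: In the `sboms` entry, `artifacts: binary` combined with `documents: "{{ .ArtifactName }}_sbom.cyclonedx.json"` probably does not produce the per-arch documents the commit message promises: for binary artifacts `.ArtifactName` is the binary's file name, which is the same for every GOOS/GOARCH, so the documents would overwrite one another — confirm against GoReleaser's sboms documentation and, if so, name them `"{{ .ArtifactName }}_{{ .Os }}_{{ .Arch }}_sbom.cyclonedx.json"` or switch to `artifacts: archive`. The `signs` block signs only `checksums.txt`, which is sound as long as consumers verify each archive's hash against it, as the README instructions in this patch do; a comment above `signs:` stating that design choice would spare the next reader the inference, e.g. `# Only checksums.txt is signed; every archive is covered transitively by its SHA-256 entry.` Note that `sign-blob` requests an OIDC token on every GoReleaser run, including snapshot builds, which is what the later patches in this series end up working around.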
@@ -680,6 +680,64 @@ In another shell, `sudo kerno doctor` will catch the induced incident. --- +## Verifying Release Artifacts + +Every Kerno release is signed using [Sigstore](https://docs.sigstore.dev/cosign/keyless/) keyless signing — no private key to manage or trust. + +### Verify a container image + +```bash +cosign verify ghcr.io/optiqor/kerno:v0.1.0 \ + --certificate-identity-regexp '^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com +``` + +### Verify binary checksums + +```bash +VERSION=v0.1.0 +BASE=https://github.com/optiqor/kerno/releases/download/${VERSION} + +curl -fsSL ${BASE}/checksums.txt -o checksums.txt +curl -fsSL ${BASE}/checksums.txt.sig -o checksums.txt.sig +curl -fsSL ${BASE}/checksums.txt.pem -o checksums.txt.pem + +cosign verify-blob checksums.txt \ + --signature checksums.txt.sig \ + --certificate checksums.txt.pem \ + --certificate-identity-regexp '^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com + +curl -fsSL ${BASE}/kerno_${VERSION}_linux_amd64.tar.gz -o kerno.tar.gz +sha256sum --check --ignore-missing checksums.txt +``` + +### Inspect the SBOM + +```bash +VERSION=v0.1.0 + +# Download SBOM +curl -fsSL https://github.com/optiqor/kerno/releases/download/${VERSION}/kerno_${VERSION}_sbom.cyclonedx.json \ + | jq '.metadata.component, [.components[].name]' + +# Verify SBOM attestation +cosign verify-attestation ghcr.io/optiqor/kerno:${VERSION} \ + --type cyclonedx \ + --certificate-identity-regexp '^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + | jq '.payload | @base64d | fromjson | .predicate.metadata' +``` + +### Install cosign + +```bash +brew install cosign # macOS +go install github.com/sigstore/cosign/v2/cmd/cosign@latest 
# Go +``` + +--- + ## Contributing Contributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for: diff --git a/SECURITY.md b/SECURITY.md index 650bdd8..6b1c927 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -41,6 +41,78 @@ If you discover a security vulnerability in Kerno, please report it responsibly: | Previous minor | ✅ (security fixes only) | | Older | ❌ | +--- + +## Release Artifact Signing & Verification + +Kerno uses **keyless Sigstore signing** for all release artifacts. No private key — signing is performed by the GitHub Actions OIDC identity and recorded in the public [Rekor](https://rekor.sigstore.dev) transparency log. + +### Signing identity + +| Field | Value | +|-------|-------| +| **OIDC issuer** | `https://token.actions.githubusercontent.com` | +| **Certificate identity (regexp)** | `^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v` | +| **Transparency log** | Sigstore / Rekor (public instance) | +| **Key management** | Keyless — no private key; GitHub OIDC ephemeral cert | + +### What is signed + +| Artifact | How | Where | +|----------|-----|-------| +| Container image (`:v*` tag) | `cosign sign` | OCI registry + Rekor | +| Container image (`:latest` tag) | `cosign sign` | OCI registry + Rekor | +| `checksums.txt` (covers all binaries & archives) | `cosign sign-blob` | Release assets (`.sig` + `.pem`) | +| CycloneDX SBOM | `cosign attest --type cyclonedx` | OCI registry + Rekor | + +### Verify a container image + +```bash +cosign verify ghcr.io/optiqor/kerno:v0.1.0 \ + --certificate-identity-regexp '^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com +``` + +### Verify binary checksums + +```bash +VERSION=v0.1.0 +BASE=https://github.com/optiqor/kerno/releases/download/${VERSION} + +curl -fsSL ${BASE}/checksums.txt -o checksums.txt +curl -fsSL ${BASE}/checksums.txt.sig -o checksums.txt.sig +curl -fsSL ${BASE}/checksums.txt.pem -o checksums.txt.pem + +cosign verify-blob checksums.txt \ + --signature checksums.txt.sig \ + --certificate checksums.txt.pem \ + --certificate-identity-regexp 
'^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com + +curl -fsSL ${BASE}/kerno_${VERSION}_linux_amd64.tar.gz -o kerno.tar.gz +sha256sum --check --ignore-missing checksums.txt +``` + +### Verify the SBOM attestation + +```bash +cosign verify-attestation ghcr.io/optiqor/kerno:v0.1.0 \ + --type cyclonedx \ + --certificate-identity-regexp '^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + | jq '.payload | @base64d | fromjson | .predicate.metadata' +``` + +### Reporting a tampered artifact + +Agar `cosign verify` fail ho kisi official release tag pe — **artifact use mat karo** aur turant report karo: + +1. Email karo **team.optiqor@gmail.com** — subject: `[SECURITY] Possible tampered artifact` +2. `cosign verify` ka poora output aur exact image digest ya file hash include karo +3. We will investigate and post a GitHub Security Advisory if confirmed + +--- + ## Security Considerations for Kerno Kerno runs with elevated privileges (root or `CAP_BPF` + `CAP_PERFMON` + `CAP_SYS_PTRACE`) to load eBPF programs into the kernel. This means: @@ -59,6 +131,6 @@ Kerno runs with elevated privileges (root or `CAP_BPF` + `CAP_PERFMON` + `CAP_SY ## Contact -- **Security reports:** team.optiqor@gmail.com +- **Security reports:** team.optiqor@gmail.com - **General questions:** GitHub Discussions -- **Maintainer:** Shivam Kumar (@btwshivam) +- **Maintainer:** Shivam Kumar (@btwshivam) \ No newline at end of file From a1bff997249dbdda6c75e31cee830582f550b8d4 Mon Sep 17 00:00:00 2001 From: Kokila-chandrakar Date: Sun, 7 Jun 2026 08:32:34 +0000 Subject: [PATCH 02/13] fix: fix markdown link and skip signing on snapshot builds --- .goreleaser.yml | 1 + SECURITY.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 7af4a4d..2a17eec 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -57,6 +57,7 @@ signs:
       - "${artifact}"
     artifacts: checksum
     output: true
+    if: '{{ not .IsSnapshot }}'
 
 sboms:
   - id: binary-sbom
diff --git a/SECURITY.md b/SECURITY.md
index 6b1c927..6fcf233 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -125,7 +125,7 @@ Kerno runs with elevated privileges (root or `CAP_BPF` + `CAP_PERFMON` + `CAP_SY
 
 ## Disclosure Policy
 
-- We follow [coordinated vulnerability disclosure](https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy).
+- We follow [coordinated vulnerability disclosure](https://certcc.github.io/CERT-Guide-to-CVD/).
 - We will credit reporters in security advisories (unless anonymity is requested).
 - We use GitHub Security Advisories for publishing fixes.
 
From 296046609ec874178ea0768ea204e65b9222f46f Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 08:38:27 +0000
Subject: [PATCH 03/13] =?UTF-8?q?fix:=20update=20sigstore=20docs=20URL=20(?= =?UTF-8?q?keyless=20=E2=86=92=20signing/overview)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .goreleaser.yml | 1 -
 README.md | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 2a17eec..7af4a4d 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -57,7 +57,6 @@ signs:
       - "${artifact}"
     artifacts: checksum
     output: true
-    if: '{{ not .IsSnapshot }}'
 
 sboms:
   - id: binary-sbom
diff --git a/README.md b/README.md
index 80dac10..a84ccf0 100644
--- a/README.md
+++ b/README.md
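Review bot: `if: '{{ not .IsSnapshot }}'` on a `signs` entry is, as far as I know, a GoReleaser Pro-only field; the OSS `distribution: goreleaser` this workflow installs would not honour it, which fits the pattern of PATCH 03, 08 and 09 adding and removing it again before `--skip=sign` finally lands in PATCH 10 — please confirm against the documentation for the installed edition. If snapshot runs must not sign, express that once in the workflow's snapshot invocation and leave only a pointer here, e.g. `# Snapshot builds skip this block via --skip=sign in release.yml`, rather than relying on a config key the installed edition may silently ignore.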
@@ -717,7 +717,7 @@ In another shell, `sudo kerno doctor` will catch the induced incident.
 
 ## Verifying Release Artifacts
 
-Every Kerno release is signed using [Sigstore](https://docs.sigstore.dev/cosign/keyless/) keyless signing — no private key to manage or trust.
+Every Kerno release is signed using [Sigstore](https://docs.sigstore.dev/cosign/signing/overview/) keyless signing — no private key to manage or trust.
 
 ### Verify a container image
 
From 900edf6770f81eae4fe9d6417b74dcc8cc39a5d2 Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 08:46:42 +0000
Subject: [PATCH 04/13] fix: install syft in snapshot job before goreleaser
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2c941df..397597b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -146,6 +146,9 @@ jobs:
           sudo apt-get install -y --no-install-recommends \
             clang llvm libbpf-dev linux-headers-generic
 
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0
+
       - name: Run GoReleaser snapshot
         uses: goreleaser/goreleaser-action@v7
         with:
From 0f3d50bd75d7857b52cf860202d4976efe55d797 Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 08:51:19 +0000
Subject: [PATCH 05/13] fix: install cosign in snapshot job before goreleaser
---
 .github/workflows/release.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 397597b..b26031b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,6 +59,11 @@ jobs:
         with:
           cosign-release: "v2.4.1"
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: "v2.4.1"
+
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@v0
 
@@ -146,6 +151,11 @@ jobs:
           sudo apt-get install -y --no-install-recommends \
             clang llvm libbpf-dev linux-headers-generic
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: "v2.4.1"
+
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@v0
 
From e04c82c46db47d285eaa292d28a705bbd1712792 Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 08:53:31 +0000
Subject: [PATCH 06/13] fix: downgrade cosign to v2.2.4 for bundle compatibility
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b26031b..c7fb25f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,12 +57,12 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
         with:
-          cosign-release: "v2.4.1"
+          cosign-release: "v2.2.4"
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
         with:
-          cosign-release: "v2.4.1"
+          cosign-release: "v2.2.4"
 
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@v0
@@ -154,7 +154,7 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
         with:
-          cosign-release: "v2.4.1"
+          cosign-release: "v2.2.4"
 
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@v0
From 1c6f181ea8bd5f9cc25da94a1da75ee70954c2cd Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 08:55:47 +0000
Subject: [PATCH 07/13] fix: downgrade goreleaser-action to v6 to avoid cosign bundle error
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c7fb25f..8911932 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -69,7 +69,7 @@ jobs:
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: "~> v2"
@@ -160,7 +160,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@v0
 
       - name: Run GoReleaser snapshot
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: "~> v2"
From b41863ce4387f00e80d73cf8cb60628e1723e557 Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 09:05:46 +0000
Subject: [PATCH 08/13] fix: skip cosign signing in snapshot builds
---
 .goreleaser.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 7af4a4d..d1c1b25 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -46,6 +46,7 @@ checksum:
   name_template: "checksums.txt"
 
 signs:
+  # skip signing in snapshot/PR builds
   - cmd: cosign
     signature: "${artifact}.sig"
     certificate: "${artifact}.pem"
@@ -56,6 +57,7 @@ signs:
       - --output-certificate=${artifact}.pem
       - "${artifact}"
     artifacts: checksum
+    if: "{{ not .IsSnapshot }}"
     output: true
 
 sboms:
From 667212662584f61d70b7d4e2faaff6733e3f1f52 Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 09:08:42 +0000
Subject: [PATCH 09/13] fix: skip signing in snapshot builds via GORELEASER_SKIP
---
 .github/workflows/release.yml | 2 ++
 .goreleaser.yml | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8911932..9ac7eb1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -166,6 +166,8 @@ jobs:
           version: "~> v2"
           args: release --snapshot --clean
         env:
+          COSIGN_EXPERIMENTAL: ""
+          GORELEASER_SKIP: sign
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload snapshot packages
diff --git a/.goreleaser.yml b/.goreleaser.yml
index d1c1b25..488a77e 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -57,7 +57,6 @@ signs:
       - --output-certificate=${artifact}.pem
       - "${artifact}"
     artifacts: checksum
-    if: "{{ not .IsSnapshot }}"
     output: true
 
 sboms:
From e32a20e74005140d26fe65e17ac5a081e801489a Mon Sep 17 00:00:00 2001
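Review bot: `GORELEASER_SKIP: sign` is not an environment variable I can find in GoReleaser's documentation — skips are driven by the `--skip` flag — so this entry is probably inert, and `COSIGN_EXPERIMENTAL: ""` has no effect on a cosign v2 binary; the skip that actually works only arrives with `--skip=sign` in PATCH 10, which leaves both env lines behind as dead configuration. Remove the two lines there so a reader does not assume a second mechanism is in play, and keep the one comment that matters on the `args:` line: `# --skip=sign: snapshot/PR builds have no release identity to sign with`. The snapshot job and its `env:` map begin above this hunk.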
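Review bot: Removing `if:` from the `signs` entry leaves the `# skip signing in snapshot/PR builds` comment added in PATCH 08 above `- cmd: cosign` describing behaviour this file no longer implements; from this patch on, skipping lives in the workflow's snapshot invocation. Either delete that comment or repoint it: `# Not run for snapshot/PR builds: release.yml invokes them with --skip=sign.` The `- cmd: cosign` line the comment sits above is outside this hunk.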
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 09:17:57 +0000
Subject: [PATCH 10/13] fix: use --skip=sign flag in snapshot build
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9ac7eb1..e686269 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -164,7 +164,7 @@ jobs:
         with:
           distribution: goreleaser
           version: "~> v2"
-          args: release --snapshot --clean
+          args: release --snapshot --clean --skip=sign
         env:
           COSIGN_EXPERIMENTAL: ""
           GORELEASER_SKIP: sign
From 6d6d761c5241138adda08ce0aa5c4d62f8dedcbd Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 14:32:19 +0000
Subject: [PATCH 11/13] fix: remove duplicate cosign step and arm64 manifest, revert goreleaser to v7, fix SECURITY.md prose
---
 .github/workflows/release.yml | 9 ++-------
 .goreleaser.yml | 1 -
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e686269..b32490c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,17 +59,12 @@ jobs:
         with:
           cosign-release: "v2.2.4"
 
-      - name: Install cosign
-        uses: sigstore/cosign-installer@v3
-        with:
-          cosign-release: "v2.2.4"
-
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@v0
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           distribution: goreleaser
           version: "~> v2"
@@ -160,7 +155,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@v0
 
       - name: Run GoReleaser snapshot
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           distribution: goreleaser
           version: "~> v2"
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 488a77e..ec6aabc 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -133,7 +133,6 @@ docker_manifests:
     image_templates:
       - "ghcr.io/optiqor/kerno:{{ .Tag }}-amd64"
       - "ghcr.io/optiqor/kerno:{{ .Tag }}-arm64"
-      - "ghcr.io/optiqor/kerno:{{ .Tag }}-arm64"
 
 nfpms:
   - id: kerno-packages
From 54adb8d4c7a5b8091ac2eb5db993bef83033b94a Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 14:53:28 +0000
Subject: [PATCH 12/13] fix: use goreleaser-action@v2 to avoid cosign bundle verification issue
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b32490c..c236e51 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -64,7 +64,7 @@ jobs:
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
           version: "~> v2"
@@ -155,7 +155,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@v0
 
       - name: Run GoReleaser snapshot
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
           version: "~> v2"
From 55df4e7fcc703386fdb0a5d06435c3aed600972b Mon Sep 17 00:00:00 2001
From: Kokila-chandrakar
Date: Sun, 7 Jun 2026 15:00:26 +0000
Subject: [PATCH 13/13] ci: retrigger snapshot build
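Review bot: Dropping `goreleaser/goreleaser-action` from `@v7` to `@v2` in both jobs removes more than a failing check: the subject says v2 is chosen to avoid a cosign bundle verification issue, and as far as I know that verification is the action's own check of the GoReleaser binary it downloads, which v2 predates (v2 also appears to target a Node runtime GitHub has since deprecated — confirm both points against the action's release notes). In a workflow whose purpose is release signing, silencing verification of the release tool itself is the wrong trade. Stay on `@v7` and fix the cause: if the action is picking up the `cosign-release: "v2.2.4"` binary pinned by the `Install cosign` step earlier in the job, the incompatibility belongs in that pin, and the failing run's error output should be recorded in this change so the root cause is on file rather than inferred from the subject line.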