ci(deps): bump cosign to v2.2.3 to avoid sigstore TUF invalid key issue

Kong · Mar 20, 2024 · e91359b · e91359b
1 parent 79d3aac
commit e91359b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -33,6 +33,22 @@ updates:
     commit-message:
       prefix: "docker"
       include: "scope"
+
+  - package-ecosystem: "github-actions"
+    directory: "/security-actions/sign-docker-image"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "github-actions"
+      include: "scope"
+
+  - package-ecosystem: docker
+    directory: "/security-actions/sign-docker-image"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "docker"
+      include: "scope"
 
   - package-ecosystem: "github-actions"
     directory: "/code-check-actions/luacheck"

diff --git a/security-actions/sign-docker-image/action.yml b/security-actions/sign-docker-image/action.yml
@@ -45,7 +45,7 @@ runs:
       run: $GITHUB_ACTION_PATH/scripts/cosign-metadata.sh
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@v3.1.1
+      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
 
     - name: Check install!
       shell: bash