
v1.222.0-rc.4

Pre-release


@cloudposse-releaser cloudposse-releaser released this 19 Jun 02:16
dbc8dfb

🚀 Enhancements

fix(toolchain): harden cosign verifier bootstrap
Erik Osterman (Cloud Posse) (@osterman) (#2627)

what
  • Keep verifier bootstrap version resolution latest-first, using the existing authenticated GitHub/Aqua lookup path.
  • Add a sigstore/cosign@v3.0.6 fallback only when latest-version lookup fails.
  • Add Renovate regex-manager coverage for the fallback cosign version so the safety pin is updateable.
  • Update installer tests to prove latest wins when available, cosign falls back when lookup fails, and non-pinned verifier lookup errors still surface.

why

  • Prevent OpenTofu toolchain installs from failing when cosign auto-install hits a slow or unavailable GitHub releases API.
  • Avoid making the fallback version the default forever; normal installs still use the latest resolved cosign release when GitHub lookup succeeds.
  • Preserve existing escape hatches: existing cosign on PATH still wins, and verifier_install: path_only still disables auto-install.

references

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Improved reliability of verifier bootstrap installation by introducing a safe fallback for Cosign when “latest” version lookups fail, reducing dependence on temporary registry issues.
  • Tests

    • Updated and expanded version-resolution coverage to validate new “latest” behavior, including fallback selection and call-attempt expectations across registries.
    • Refined scenarios to ensure “latest” is not requested in flows where it shouldn’t be.
  • Chores

    • Enhanced automated update rules to keep the Cosign bootstrap version aligned with the defined fallback.
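The resolution order the PR describes (existing cosign on PATH wins, `verifier_install: path_only` disables auto-install, latest-first lookup, a cosign-only fallback to v3.0.6, and lookup errors for non-pinned verifiers still surfacing) as an added illustration in Go; this is not Atmos's own code. The `lookupFunc` type, the `fixedLookup`/`failingLookup` helpers, the `"auto"` install-mode value and the `example/other-verifier` repo name are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// lookupFunc models the authenticated GitHub/Aqua "latest" lookup (hypothetical type).
type lookupFunc func(repo string) (string, error)

// fallbackVersions is the safety pin from the release notes; only cosign has one.
var fallbackVersions = map[string]string{"sigstore/cosign": "v3.0.6"}

// ResolveVerifierVersion returns the version to install, or "" when nothing should
// be installed. Order: PATH wins, path_only disables, latest-first, cosign-only
// fallback; any other verifier's lookup error is returned to the caller.
func ResolveVerifierVersion(repo string, onPath bool, installMode string, latest lookupFunc) (string, error) {
	if onPath {
		return "", nil
	}
	if installMode == "path_only" {
		return "", nil
	}
	v, err := latest(repo)
	if err == nil {
		return v, nil
	}
	if fb, ok := fallbackVersions[repo]; ok {
		return fb, nil
	}
	return "", fmt.Errorf("resolving latest %s: %w", repo, err)
}

// fixedLookup simulates a successful latest-version lookup (constructed helper).
func fixedLookup(v string) lookupFunc {
	return func(string) (string, error) { return v, nil }
}

// failingLookup simulates a slow or unavailable releases API (constructed helper).
func failingLookup(string) (string, error) {
	return "", errors.New("github releases api unavailable")
}

func main() {
	for _, repo := range []string{"sigstore/cosign", "example/other-verifier"} {
		v, err := ResolveVerifierVersion(repo, false, "auto", failingLookup)
		fmt.Printf("%s -> version=%q err=%v\n", repo, v, err)
	}
}
```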