ci: fix incorrect signing key for sbom signature and wrong public key in release artifacts #2296
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
Since release
v2.9.0
, our releases incorrectly use our development cosign key to sign the sboms for that release, and also include the public part of that development cosign key in the release.Proposed change(s)
Update the
release-cli
workflow to not rely on branch naming, but on workflow inputs for selecting the correct key.Additional info
Other release artifacts (CLI binaries) are not affected, as they were correctly signed using our production key
Checklist