Change: Default cosign version to v2.5.2 (#1649)

pascalholthaus · web-flow · commit c899bee3441a · 2026-03-24T08:22:18.000+01:00
diff --git a/container-signing/README.md b/container-signing/README.md
@@ -65,10 +65,11 @@ jobs:
 
 ## Action Configuration
 
-|Input Variable|Description| |
-|--------------|-----------|--------|
-|image-tags|Set the tags from the docker meta action e.g the output of steps.meta.outputs.tags.|Required|
-|image-digest|Set the digest from the docker build and push action e.g the output of steps.build-and-push.outputs.digest.|Required|
-|cosign-key-password|Set the cosign key password, if not set a keyless signature will be created.|Optional|
-|cosign-key|Set the cosign key, if not set a keyless signature will be created.|Optional|
-|cosign-tlog-upload|Turn on or turn off the cosign tlog upload function. Possible options: true/false Default: true|Optional|
+| Input Variable      | Description                                                                                                 |          |
+|---------------------|-------------------------------------------------------------------------------------------------------------|----------|
+| image-tags          | Set the tags from the docker meta action e.g the output of steps.meta.outputs.tags.                         | Required |
+| image-digest        | Set the digest from the docker build and push action e.g the output of steps.build-and-push.outputs.digest. | Required |
+| cosign-key-password | Set the cosign key password, if not set a keyless signature will be created.                                | Optional |
+| cosign-key          | Set the cosign key, if not set a keyless signature will be created.                                         | Optional |
+| cosign-tlog-upload  | Turn on or turn off the cosign tlog upload function. Possible options: true/false Default: true             | Optional |
+| cosign-release      | Cosign version to install. Default is v2.5.2.                                                               | Optional |
diff --git a/container-signing/action.yaml b/container-signing/action.yaml
@@ -18,6 +18,9 @@ inputs:
   skip-installation-on:
     description: Skip installation on selected runner. Default is self-hosted-generic.
     default: "self-hosted-generic"
+  cosign-release:
+    description: Cosign version to install. Default is v2.5.2.
+    default: "v2.5.2"
 
 branding:
   icon: "package"
@@ -29,6 +32,8 @@ runs:
     - name: Install cosign
       if: ${{ !startsWith(runner.name, inputs.skip-installation-on) }}
       uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+      with:
+        cosign-release: ${{ inputs.cosign-release }}
 
     - name: Sign container image (public/private keypair)
       if: ${{ inputs.cosign-key-password && inputs.cosign-key }}
