From 18b8a5305bc58e4cbe7acf425075fb6f9d9b64fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 Oct 2025 06:22:23 +0000 Subject: [PATCH 1/4] Bump sigstore/cosign-installer from 3.10.0 to 4.0.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.10.0 to 4.0.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/d7543c93d881b35a8faa02e8e3605f69b7a1ce62...faadad0cce49287aee09b3a48701e75088a2c6ad) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/image-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml index 832dcdaa3e..17c7ebcd30 100644 --- a/.github/workflows/image-publish.yml +++ b/.github/workflows/image-publish.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Install Cosign - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Job information run: | echo "Job information" From b7bf145c23a24cd1da6bd0ffda58f1276d35fe21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Misbach?= Date: Tue, 25 Nov 2025 11:37:13 +0100 Subject: [PATCH 2/4] setup temporary config for testing signing in CI --- .github/workflows/image-publish.yml | 19 ++++++++++--------- build/build_and_push.sh | 3 ++- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml index 17c7ebcd30..badfe19f6c 100644 --- a/.github/workflows/image-publish.yml +++ b/.github/workflows/image-publish.yml 
@@ -6,14 +6,15 @@ name: Publish monitoring image to Docker Registry (on new release tag) on: - push: - tags: - # To modify to trigger the job for fork's releases - # Note: GitHub's filter pattern capabilities are limited[1], so this - # pattern matches more often than it should. A more correct regex would - # be the one found in scripts/tag.sh. - # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet - - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*" + pull_request: # TODO: added for testing purposes, remove me before merging +# push: +# tags: +# # To modify to trigger the job for fork's releases +# # Note: GitHub's filter pattern capabilities are limited[1], so this +# # pattern matches more often than it should. A more correct regex would +# # be the one found in scripts/tag.sh. +# # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet +# - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*" permissions: contents: read jobs: @@ -54,7 +55,7 @@ jobs: - name: Build, push and sign image env: DOCKER_URL: ${{ secrets.DOCKER_URL }} - DOCKER_UPDATE_LATEST: true + DOCKER_UPDATE_LATEST: false # TODO: changed for testing purposes, revert me to 'true' before merging DOCKER_SIGN: true CERT_IDENTITY: https://github.com/${{ github.workflow_ref }} CERT_ISSUER: https://token.actions.githubusercontent.com diff --git a/build/build_and_push.sh b/build/build_and_push.sh index 97dff81bd0..c7ed537ff2 100755 --- a/build/build_and_push.sh +++ b/build/build_and_push.sh @@ -27,7 +27,8 @@ else fi cd "${BASEDIR}" -VERSION=$(./scripts/git/version.sh monitoring) +#VERSION=$(./scripts/git/version.sh monitoring) +VERSION=cosign-test-bis LATEST_TAG="latest" if [[ -z "${DOCKER_URL}" ]]; then From bfedba616161f863226d067f129301e0df3504a6 Mon Sep 17 00:00:00 2001 
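Review bot: The `pull_request:` trigger in the `on:` hunk of patch 2/4 makes the publish job build, push and sign an image on pull-request runs, and with `VERSION=cosign-test-bis` in the build_and_push.sh hunk every such run overwrites one fixed tag with a freshly signed image. `CERT_IDENTITY` is built from `github.workflow_ref`, so those signatures presumably carry a pull-request ref rather than a release tag, and consumers should never be able to verify against that identity. Patch 4/4 reverts all three hunks, so the remaining risk is this intermediate commit landing unsquashed and the test tag staying in the registry. I would squash 2/4 with 4/4 and delete the `cosign-test-bis` tag once testing is done. Until then, word the marker as `# TEMPORARY: publishes and signs from PR refs, must not reach main`.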
From: =?UTF-8?q?Micka=C3=ABl=20Misbach?= Date: Tue, 25 Nov 2025 12:58:18 +0100 Subject: [PATCH 3/4] use cosign v2.6.1 --- .github/workflows/image-publish.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml index badfe19f6c..57813e2b90 100644 --- a/.github/workflows/image-publish.yml +++ b/.github/workflows/image-publish.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + with: + cosign-release: 'v2.6.1' - name: Job information run: | echo "Job information" From 8c9662bdb4f1906e46c76f2afc12900096d82838 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Misbach?= Date: Tue, 25 Nov 2025 13:02:28 +0100 Subject: [PATCH 4/4] revert changes made for testing signature --- .github/workflows/image-publish.yml | 19 +++++++++---------- build/build_and_push.sh | 3 +-- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml index 57813e2b90..43ebbaad74 100644 --- a/.github/workflows/image-publish.yml +++ b/.github/workflows/image-publish.yml 
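Review bot: The added `cosign-release: 'v2.6.1'` input has no comment saying why cosign is held at 2.x under installer v4.0.0. Dependabot bumps the `uses:` ref but, as far as I know, not `with:` inputs, so this pin can go stale silently while the installer keeps moving. I would add above it `# cosign held at v2.x on purpose (installer v4 would otherwise pick its own default); bump by hand, Dependabot does not track this input`. The commit message should also record what failed with the installer's default release, so the pin can be lifted once that is resolved. The steps list continues outside the hunk.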
@@ -6,15 +6,14 @@ name: Publish monitoring image to Docker Registry (on new release tag) on: - pull_request: # TODO: added for testing purposes, remove me before merging -# push: -# tags: -# # To modify to trigger the job for fork's releases -# # Note: GitHub's filter pattern capabilities are limited[1], so this -# # pattern matches more often than it should. A more correct regex would -# # be the one found in scripts/tag.sh. -# # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet -# - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*" + push: + tags: + # To modify to trigger the job for fork's releases + # Note: GitHub's filter pattern capabilities are limited[1], so this + # pattern matches more often than it should. A more correct regex would + # be the one found in scripts/tag.sh. + # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet + - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*" permissions: contents: read jobs: @@ -57,7 +56,7 @@ jobs: - name: Build, push and sign image env: DOCKER_URL: ${{ secrets.DOCKER_URL }} - DOCKER_UPDATE_LATEST: false # TODO: changed for testing purposes, revert me to 'true' before merging + DOCKER_UPDATE_LATEST: true DOCKER_SIGN: true CERT_IDENTITY: https://github.com/${{ github.workflow_ref }} CERT_ISSUER: https://token.actions.githubusercontent.com diff --git a/build/build_and_push.sh b/build/build_and_push.sh index c7ed537ff2..97dff81bd0 100755 --- a/build/build_and_push.sh +++ b/build/build_and_push.sh @@ -27,8 +27,7 @@ else fi cd "${BASEDIR}" -#VERSION=$(./scripts/git/version.sh monitoring) -VERSION=cosign-test-bis +VERSION=$(./scripts/git/version.sh monitoring) LATEST_TAG="latest" if [[ -z "${DOCKER_URL}" ]]; then