tektoncd · tekton-robot · Apr 21, 2026 · Apr 20, 2026
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -42,8 +42,8 @@ jobs:
           # If no files are changed at all, then `grep -v` will match even though no change outputs
           # should be true. Skipping output on an empty set of changes eliminates the false positive
           if [[ -n "${CHANGED_FILES}" ]]; then
-            NON_DOCS=$(echo "${CHANGED_FILES}" | grep -Eqv '\.md$' && echo 'true' || echo 'false')
-            YAML=$(echo "${CHANGED_FILES}" | grep -Eq '\.ya?ml$' && echo 'true' || echo 'false')
+            NON_DOCS=$(echo "${CHANGED_FILES}" | grep -Ev '\.md$' > /dev/null 2>&1 && echo 'true' || echo 'false')
+            YAML=$(echo "${CHANGED_FILES}" | grep -E '\.ya?ml$' > /dev/null 2>&1 && echo 'true' || echo 'false')
             echo "non-docs=${NON_DOCS}" | tee -a $GITHUB_OUTPUT
             echo "yaml=${YAML}" | tee -a $GITHUB_OUTPUT
           fi

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/pkg/chains/signing/x509/x509.go b/pkg/chains/signing/x509/x509.go
@@ -202,7 +202,7 @@ func cosignSigner(ctx context.Context, secretPath string, privateKey []byte) (*S
 	if err != nil {
 		return nil, errors.Wrap(err, "reading cosign.password file")
 	}
-	signer, err := cosign.LoadPrivateKey(privateKey, password)
+	signer, err := cosign.LoadPrivateKey(privateKey, password, nil)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/chains/signing/x509/x509_test.go b/pkg/chains/signing/x509/x509_test.go
@@ -49,8 +49,10 @@ const ed25519Priv = `-----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VwBCIEIGQn0bJwshjwuVdnd/FylMk3Gvb89aGgH49bQpgzCY0n
 -----END PRIVATE KEY-----`
 
-// npx jwtgen -a HS256 -s "my-secret" -c "iss=user123" -e 3600
-const token = `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2Nzc1NjAyMTgsImV4cCI6MTY3NzU2MzgxOCwiaXNzIjoidXNlcjEyMyJ9.c-sDgCyuZA6VaIGl7Y3-9XxttW1PUkBeNBLE9gCKG8s`
+// Generated with RS256 algorithm (required for cosign v2.6.0+)
+// openssl genrsa -out private.pem 2048
+// python3 -c "import jwt; import time; private_key = open('/tmp/private.pem').read(); payload = {'iat': int(time.time()), 'exp': int(time.time()) + 3600 * 24 * 365 * 10, 'iss': 'user123'}; print(jwt.encode(payload, private_key, algorithm='RS256'))"
+const token = `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjIzMTIzOTQsImV4cCI6MjA3NzY3MjM5NCwiaXNzIjoidXNlcjEyMyJ9.Adm27mf955gZA2pcWLqF4LLrqzFbXYsdYNg1sScF9MbyeuE-4eVpqV91Rk-iRwwIrtKuOVkEDdulrAqeuIhMxGB7jNXWXxf6sVEHV57_QgB0KR_z-JVxEbTZBu6nIVBwDxmVFGQFVMtZbqsyX8J4F_jp0pSInFPqYQbS9xAGhvOnni_owp325Siev2Z-kWsnTTFOTi0C9g9BApPxXQEE17COYdXjxsBCJQQttb1Ww7IQLCf59wU5ZpNM7npzxvKuOBT1kmHPp1ZDCNxfA_a6JMIB4NQAzYV0ULRbXNftxwglFoyitWge-SyxohnTVfV1gplE8qi6kR2CQJORBMvx6w`
 
 func TestCreateSignerFulcioEnabledDefaultTokenFileMissing(t *testing.T) {
 	ctx := logtesting.TestContextWithLogger(t)

diff --git a/test/clients.go b/test/clients.go
@@ -237,7 +237,7 @@ func setupSecret(ctx context.Context, t *testing.T, c kubernetes.Interface, opts
 		}
 		s.StringData[p] = string(b)
 	}
-	cosignPriv, err := cosign.LoadPrivateKey([]byte(s.StringData["cosign.key"]), []byte(s.StringData["cosign.password"]))
+	cosignPriv, err := cosign.LoadPrivateKey([]byte(s.StringData["cosign.key"]), []byte(s.StringData["cosign.password"]), nil)
 	if err != nil {
 		t.Fatal(err)
 	}

diff --git a/vendor/cel.dev/expr/BUILD.bazel b/vendor/cel.dev/expr/BUILD.bazel
diff --git a/vendor/cel.dev/expr/MODULE.bazel b/vendor/cel.dev/expr/MODULE.bazel