Conversation

@tobiasehlert tobiasehlert (Member) commented Dec 7, 2025

rel #565

@tobiasehlert tobiasehlert requested a review from Copilot December 7, 2025 11:13
@tobiasehlert tobiasehlert self-assigned this Dec 7, 2025
sonarqubecloud bot commented Dec 7, 2025

codecov bot commented Dec 7, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.44%. Comparing base (11ad54d) to head (541bd93).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #564   +/-   ##
=======================================
  Coverage   79.44%   79.44%           
=======================================
  Files          22       22           
  Lines        2807     2807           
=======================================
  Hits         2230     2230           
  Misses        439      439           
  Partials      138      138           

@tobiasehlert tobiasehlert merged commit ba4cc7f into main Dec 7, 2025
14 checks passed
@tobiasehlert tobiasehlert deleted the ci(fix)-temporary-removing-cosign-verification branch December 7, 2025 11:15
Copilot AI (Contributor) left a comment


Pull request overview

This PR temporarily disables cosign signature verification in the CI build pipeline by commenting out the verification step. The signing process remains active, but the verification that would validate those signatures is being removed.

  • Cosign verification step for both DockerHub and GitHub Container Registry is commented out
  • Images continue to be signed via cosign but are no longer verified in the pipeline


Comment on lines +242 to +256
# - name: Verify cosign signatures
# run: |
# echo "::group::Verify signature (DockerHub)"
# cosign verify --rekor-url https://rekor.sigstore.dev \
# --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
# --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
# ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
# echo "::endgroup::"

# echo "::group::Verify signature (GitHub Container Registry)"
# cosign verify --rekor-url https://rekor.sigstore.dev \
# --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
# --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
# ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
# echo "::endgroup::"
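Review bot: Commenting out the whole step removes the only fail-closed check in this workflow that the keyless signing step actually produced a verifiable signature for `${{ steps.docker_build.outputs.digest }}` in both registries, and the PR body (`rel #565`) does not say why verification is failing. If the failures are intermittent rather than a real break, keep the step in place and set `continue-on-error: true` on it so every run still logs whether `cosign verify` succeeds against the `${{ github.workflow_ref }}` identity and the `https://token.actions.githubusercontent.com` issuer, then drop `continue-on-error` again once the related issue is resolved. If verification is removed for now anyway, put the reason and the tracking issue in a comment directly above `# - name: Verify cosign signatures` so the disabled state is visible in the file itself.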
Copilot AI Dec 7, 2025

Since this is a temporary removal (as indicated by the PR title), consider adding a TODO comment with a tracking issue or explanation. This will help ensure the verification step is re-enabled in the future and provide context for why it was temporarily disabled.

Example:

# TODO: Re-enable cosign verification once [issue/reason] is resolved
# Temporarily disabled due to [specific reason]
# - name: Verify cosign signatures

Comment on lines +242 to +256
# - name: Verify cosign signatures
# run: |
# echo "::group::Verify signature (DockerHub)"
# cosign verify --rekor-url https://rekor.sigstore.dev \
# --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
# --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
# ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
# echo "::endgroup::"

# echo "::group::Verify signature (GitHub Container Registry)"
# cosign verify --rekor-url https://rekor.sigstore.dev \
# --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
# --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
# ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
# echo "::endgroup::"
Copilot AI Dec 7, 2025

Commenting out the verification step while keeping the signing step (lines 214-220) creates an inconsistency in the CI pipeline. Images are still being signed but the signatures are no longer being verified, which defeats the purpose of signing.

If verification is causing issues, consider whether the signing step should also be temporarily disabled, or ensure there's a plan to re-enable verification soon to maintain the security benefits of the signing process.

Suggested change
# - name: Verify cosign signatures
# run: |
# echo "::group::Verify signature (DockerHub)"
# cosign verify --rekor-url https://rekor.sigstore.dev \
# --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
# --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
# ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
# echo "::endgroup::"
# echo "::group::Verify signature (GitHub Container Registry)"
# cosign verify --rekor-url https://rekor.sigstore.dev \
# --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
# --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
# ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
# echo "::endgroup::"
- name: Verify cosign signatures
run: |
echo "::group::Verify signature (DockerHub)"
cosign verify --rekor-url https://rekor.sigstore.dev \
--certificate-identity "https://github.com/${{ github.workflow_ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
echo "::endgroup::"
echo "::group::Verify signature (GitHub Container Registry)"
cosign verify --rekor-url https://rekor.sigstore.dev \
--certificate-identity "https://github.com/${{ github.workflow_ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
echo "::endgroup::"
