⬆️ (deps): Update sigstore/cosign-installer action to v4#334

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/sigstore-cosign-installer-4.x

Contributor

renovate bot commented Oct 16, 2025 •

edited

Loading

This PR contains the following updates:

Package	Type	Update	Change
sigstore/cosign-installer	action	major	`v3.5.0` → `v4.1.0`

Release Notes

sigstore/cosign-installer (sigstore/cosign-installer)

`v4.1.0`

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

Bump cosign to 3.0.5 in #220
fix: add retry to curl downloads for transient network failures in #210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

`v4.0.0`

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

Add support for Cosign v3 releases (#201)

`v3.10.1`

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

Bump default Cosign to v2.6.1 (#203)

`v3.10.0`

What's Changed

Bump default Cosign to v2.6.0 in #200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

`v3.9.2`

What's Changed

not fail fast and setup permissions in #195
drop old unsupported versions <v2.0.0 in #192
Update default to v2.5.3 in #196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

`v3.9.1`

What's Changed

default action install to use release v2.5.1 by @cpanato in #193
default cosign to v2.5.2 by @cpanato in #194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

`v3.9.0`

What's Changed

Bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot in #189
bump cosign install to use release v2.5.0 as default by @cpanato in #191

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

`v3.8.2`

What's Changed

install cosign v2 from main in #186

Full Changelog: sigstore/cosign-installer@v3...v3.8.2

`v3.8.1`

What's Changed

use cosign 2.4.3 and other updates by @cpanato in #182

Full Changelog: sigstore/cosign-installer@v3...v3.8.1

`v3.8.0`

What's Changed

test action against all non-rc releases, verify entry in rekor log by @bobcallaway in #179
bump for cosign v2.4.2 release by @bobcallaway in #181

Full Changelog: sigstore/cosign-installer@v3...v3.8.0

`v3.7.0`

What's Changed

Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #172
bump for latest cosign v2.4.1 release by @bobcallaway in #173

Full Changelog: sigstore/cosign-installer@v3.6.0...v3.7.0

`v3.6.0`

What's Changed

Bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #161
Bump actions/checkout from 4.1.3 to 4.1.4 by @dependabot in #162
Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #163
Bump actions/checkout from 4.1.4 to 4.1.5 by @dependabot in #164
Bump actions/checkout from 4.1.5 to 4.1.6 by @dependabot in #165
Bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #166
Bump actions/setup-go from 5.0.1 to 5.0.2 by @dependabot in #167
pin public key used for verification by @bobcallaway in #169
bump default version to v2.4.0 release by @bobcallaway in #168
update readme for new release by @bobcallaway in #170

Full Changelog: sigstore/cosign-installer@v3...v3.6.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the type: dependencies label


          ⬆️ (deps): Update sigstore/cosign-installer action to v4

cde9621

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate bot force-pushed the renovate/sigstore-cosign-installer-4.x branch from 5e5f6bb to cde9621 Compare

March 15, 2026 02:56

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type: dependencies