beluga-cloud · renovate · Mar 15, 2026
diff --git a/.github/workflows/_.images.build.yaml b/.github/workflows/_.images.build.yaml
@@ -163,7 +163,7 @@ jobs:
           DIGEST: ${{ steps.build.outputs.digest }}
 
       # NOTE: on production mode, all images are signed
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
         if: ${{ !inputs.dry-run }}
       - name: Sign 'ghcr.io/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}@${{ steps.build.outputs.digest }}' with GitHub OIDC Token
         if: ${{ !inputs.dry-run }}

diff --git a/.github/workflows/_.images.supply-chain.for-registry.yaml b/.github/workflows/_.images.supply-chain.for-registry.yaml
@@ -30,7 +30,7 @@ jobs:
           format: cyclonedx
           output: sbom.cyclonedx.json
 
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
       - name: Attest SBOM to ${{ inputs.image-ref }}
         run: cosign attest --yes --replace --predicate sbom.cyclonedx.json --type cyclonedx "${{ inputs.image-ref }}"
 
@@ -59,7 +59,7 @@ jobs:
           format: cosign-vuln
           output: vulnerabilities.cosign-vuln.json
 
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
       - name: Attest vulnerability report to ${{ inputs.image-ref }}
         run: cosign attest --yes --replace --predicate vulnerabilities.cosign-vuln.json --type vuln "${{ inputs.image-ref }}"
 

diff --git a/.github/workflows/push.images.release.yaml b/.github/workflows/push.images.release.yaml
@@ -121,6 +121,6 @@ jobs:
             ${{ steps.manifest-options.outputs.images }}
           docker manifest push ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}
 
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
       - name: Sign manifest 'ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}'
         run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}
diff --git a/.github/workflows/workflow_dispatch.images.release.yaml b/.github/workflows/workflow_dispatch.images.release.yaml
@@ -131,6 +131,6 @@ jobs:
             ${{ steps.manifest-options.outputs.images }}
           docker manifest push ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}
 
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
       - name: Sign manifest 'ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}'
         run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ matrix.artifact.name }}:${{ matrix.artifact.version }}