Conversation

Member

@rhamzeh rhamzeh commented Nov 4, 2025

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

closes #597

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Updated release pipeline infrastructure to specify a fixed version of a critical build signing component, ensuring more consistent and reproducible automated releases across all build runs.

Copilot AI review requested due to automatic review settings November 4, 2025 18:19
@rhamzeh rhamzeh requested a review from a team as a code owner November 4, 2025 18:19

coderabbitai bot commented Nov 4, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The goreleaser GitHub Actions workflow now pins Cosign to version v2.6.1 by adding the cosign-release parameter to the cosign-installer step, addressing compatibility issues between goreleaser and Cosign v3.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Configuration: .github/workflows/main.yaml | Added cosign-release: "v2.6.1" parameter to the sigstore/cosign-installer step to pin Cosign to v2.x for goreleaser compatibility

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately describes the main change: downgrading cosign to v2.6.1 in CI to resolve a goreleaser incompatibility issue.
Linked Issues check ✅ Passed The code changes successfully implement the solution from issue #597 by pinning cosign to v2.6.1 in the sigstore/cosign-installer step, matching the exact requirement and code example provided.
Out of Scope Changes check ✅ Passed The PR contains only the necessary change to address the linked issue: adding the cosign-release parameter to the workflow step. No extraneous modifications are present.



Copilot AI left a comment


Pull Request Overview

This PR pins the cosign release version to v2.6.1 in the goreleaser workflow job.

  • Adds explicit version specification for cosign in the signing step



@coderabbitai coderabbitai bot left a comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/main.yaml (1)

263-276: Consider applying the same cosign version pin to the verification job.

The verification-with-cosign job at line 275 also uses sigstore/cosign-installer, but it does not specify a version pin. If the installer defaults to cosign v3+, this verification step may face the same incompatibility issues or fail unexpectedly. For consistency and to avoid potential runtime issues, consider pinning cosign to v2.6.1 here as well.

Apply this diff to align with the goreleaser job's version pin:

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+       with:
+         cosign-release: "v2.6.1"
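Review bot: the pin is the right fix for the verification job, but the suggested `cosign-release: "v2.6.1"` now repeats the literal already in the goreleaser step, so a future bump of one step without the other reintroduces the v2/v3 mismatch at verification time; hoist the value into a single workflow-level `env` entry and reference it from both `with:` blocks, or at least add a comment next to each pin pointing at the other. The `uses:` line keeps the installer itself pinned by commit SHA (`faadad0c… # v4.0.0`), which is the part that must not loosen when the release tag is changed.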
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 01aa784 and 8770fbc.

📒 Files selected for processing (1)
  • .github/workflows/main.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test Release Process
  • GitHub Check: Tests
🔇 Additional comments (1)
.github/workflows/main.yaml (1)

157-160: Cosign downgrade applied to the goreleaser job.

The change correctly pins cosign to v2.6.1 in the goreleaser step, addressing the incompatibility with cosign v3 noted in issue #597.
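As an added illustration (not the project's workflow file), this excerpt applies the same v2 pin to both the goreleaser and verification-with-cosign jobs through one workflow-level variable, with a guard step that fails the run if the installer resolved a different cosign major. The trigger, runner labels and the `GitVersion:` line in `cosign version` output are assumptions.

```yaml
name: release

# Assumed trigger; the real workflow's triggers are not shown on this page.
on:
  push:
    tags: ["v*"]

# One version string shared by every cosign-installer step, so the signer
# and the verifier cannot drift onto different majors (see issue #597).
env:
  COSIGN_VERSION: "v2.6.1"

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Install Cosign
        # Installer pinned by commit SHA (value from the page); cosign itself by tag.
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: ${{ env.COSIGN_VERSION }}

      # Fail fast if the resolved binary is not the expected major. Assumes
      # `cosign version` prints a line like "GitVersion:    v2.6.1".
      - name: Assert cosign major version
        run: |
          set -eu
          got="$(cosign version 2>&1 | awk '/GitVersion/ {print $2}')"
          want_major="${COSIGN_VERSION%%.*}"   # "v2.6.1" -> "v2"
          case "$got" in
            "$want_major".*) echo "cosign $got matches ${want_major}.x" ;;
            *) echo "expected cosign ${want_major}.x, got '$got'" >&2; exit 1 ;;
          esac

  verification-with-cosign:
    needs: goreleaser
    runs-on: ubuntu-latest
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          # Same variable as the signing job: verifier and signer stay on one major.
          cosign-release: ${{ env.COSIGN_VERSION }}
```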

@rhamzeh rhamzeh added this pull request to the merge queue Nov 4, 2025
Merged via the queue into main with commit 4c803c9 Nov 4, 2025
22 checks passed
@rhamzeh rhamzeh deleted the fix/ci branch November 4, 2025 18:38

Development

Successfully merging this pull request may close these issues.

Goreleaser incompatible with cosign v3

4 participants