From 8770fbc2f56e2aa0b37c02c415c75e5d948fd7aa Mon Sep 17 00:00:00 2001
From: Raghd Hamzeh <raghd.hamzeh@openfga.dev>
Date: Tue, 4 Nov 2025 13:16:25 -0500
Subject: [PATCH 1/2] chore(ci): downgrade cosign to v2.6.1 due to goreleaser
 incompatibility

---
 .github/workflows/main.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index e6a50eb5..053badb7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -155,6 +155,9 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v2.6.1"
+
       - uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
 
       - name: Run GoReleaser

From c14b399f73f5548a3cc04f82db8edd6ccc1c4589 Mon Sep 17 00:00:00 2001
From: Raghd Hamzeh <raghd.hamzeh@openfga.dev>
Date: Tue, 4 Nov 2025 13:29:55 -0500
Subject: [PATCH 2/2] chore(ci): pin cosign for verification

---
 .github/workflows/main.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 053badb7..b4b1554e 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -273,6 +273,8 @@ jobs:
 
       - name: Install Cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v2.6.1"
 
       - name: Verify image
         env: