Skip to content

fix(ci): sign OCI artifacts by digest instead of tag #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aRustyDev merged 1 commit into from
Jan 6, 2026
Merged

fix(ci): sign OCI artifacts by digest instead of tag #27

aRustyDev merged 1 commit into from
Jan 6, 2026

Conversation

@aRustyDev
Copy link
Owner

@aRustyDev aRustyDev commented Jan 6, 2026

Summary

Fixes Cosign deprecation warning by signing OCI artifacts by digest instead of tag.

Problem

Cosign warns when signing by tag (e.g., chart:0.2.1):

WARNING: Image reference ghcr.io/arustydev/charts/mdbook-htmx:0.2.1 uses a tag, not a digest...

Signing by tag is a security concern because the tag could point to a different image between push and sign operations.

Solution

  • Capture digest from helm push output (format: Digest: sha256:...)
  • Sign using chart@sha256:abc123... instead of chart:version
  • Combined push and sign into single step for atomic operation

Changes

  • publish-ghcr.yaml - Combined publish + sign, uses digest
  • release-please.yaml - Combined push + sign, uses digest

Test plan

  • Run: gh workflow run publish-ghcr.yaml -f charts=all -f sign=true
  • Verify no Cosign deprecation warning
  • Verify signing uses digest format in logs

🤖 Generated with Claude Code

@aRustyDev @claude
fix(ci): sign OCI artifacts by digest instead of tag
4d6a8b8 
### Changed
- Capture digest from `helm push` output
- Sign using `$REGISTRY/chart@sha256:...` instead of `$REGISTRY/chart:version`
- Combined push and sign into single step for atomic operation

This fixes Cosign deprecation warning about signing by tag and ensures
we sign exactly the image we just pushed (more secure).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 6, 2026

Deploying helm-charts with  Cloudflare Pages  Cloudflare Pages

Latest commit: 4d6a8b8
Status: ✅  Deploy successful!
Preview URL: https://7c5dac8a.helm-charts-76l.pages.dev
Branch Preview URL: https://fix-cosign-sign-by-digest.helm-charts-76l.pages.dev

View logs

@aRustyDev aRustyDev merged commit abef252 into main Jan 6, 2026
12 checks passed
@aRustyDev aRustyDev deleted the fix/cosign-sign-by-digest branch January 6, 2026 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@aRustyDev aRustyDev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aRustyDev