From fc3a5c97911fd2c9724d4d3b9f5fa4c5b48cf74b Mon Sep 17 00:00:00 2001 From: Andrey Markelov Date: Sun, 5 Jul 2026 22:35:44 -0700 Subject: [PATCH] Remove disallowed SBOM and Cosign actions from release workflow anchore/sbom-action and sigstore/cosign-installer are not on the org's allowed-actions list, causing the Release workflow to fail at startup (startup_failure) and blocking tag releases. Strip SBOM generation and Cosign signing so the workflow uses only policy-approved actions (checkout, setup-go, golangci-lint-action, action-gh-release), matching the job shape that released v3.6.0. Drop the SBOM/Cosign line from the changelog. --- .github/workflows/release.yml | 15 --------------- CHANGELOG.md | 1 - 2 files changed, 16 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 64347ea..9ca1cfa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: write - id-token: write outputs: asset_version: ${{ steps.version.outputs.asset_version }} steps: @@ -35,29 +34,15 @@ jobs: - run: go test ./... - run: go build ./... - run: mkdir -p dist - - name: Generate SBOM - uses: anchore/sbom-action@v0 - with: - path: . - format: spdx-json - output-file: dist/dbxcli_${{ steps.version.outputs.asset_version }}_sbom.spdx.json - upload-artifact: false - upload-release-assets: false - run: ./build.sh env: VERSION: ${{ github.ref_name }} - run: ./packaging/package-release.sh env: VERSION: ${{ github.ref_name }} - - name: Install Cosign - uses: sigstore/cosign-installer@v4.1.0 - - name: Sign checksums - run: cosign sign-blob --yes --bundle dist/SHA256SUMS.sigstore.json dist/SHA256SUMS - uses: softprops/action-gh-release@v3 with: files: | dist/*.tar.gz dist/*.zip dist/SHA256SUMS - dist/SHA256SUMS.sigstore.json - dist/*_sbom.spdx.json diff --git a/CHANGELOG.md b/CHANGELOG.md index c0f1739..903a7e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,6 @@ - Added scheduled/manual OSSF Scorecard scanning without public Scorecard API publishing. - Replaced standalone Staticcheck workflow steps with a narrow `golangci-lint` configuration. - Added explicit `go.sum` cache dependency paths for `actions/setup-go`. -- Added SBOM generation and Cosign signatures to release artifacts. - Added race detector, workflow linting, and CodeQL security scanning to CI. - Hardened CI workflows with explicit read-only permissions. - Generate a non-constant OAuth2 `state` value to resolve the CodeQL `go/constant-oauth2-state` alert.