From f44828d1ab321fd864f1c5bb1e393a067b78e148 Mon Sep 17 00:00:00 2001
From: John Morrissey <544926+tachyon-beep@users.noreply.github.com>
Date: Sat, 6 Jun 2026 04:48:00 +1000
Subject: [PATCH] ci(release): pin cosign to v2.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The cosign-installer's resolved default moved to v3.0.6, whose `sign-blob` requires a bundle and breaks the `--output-signature`/`--output-certificate` flow ("create bundle file: open :") — which failed the v1.0.0 GitHub Release job (PyPI publish was unaffected). v2.5.2 is the version that signed the last good release (Clarion v1.1.0). Pin it in both cosign-installer steps (sign + verify-published). Porting to cosign 3.x's bundle API is a separate follow-up.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/release.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7c340379..9aa27abe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -461,6 +461,14 @@ jobs:
 - name: install cosign
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6
+ with:
+ # Pin cosign 2.x. The installer's resolved default moved to v3.0.6,
+ # whose `sign-blob` requires a bundle and breaks the
+ # --output-signature/--output-certificate flow ("create bundle file:
+ # open :"). v2.5.2 is the version that signed the last good release
+ # (Clarion v1.1.0). Porting sign-blob/verify-blob to cosign 3.x is a
+ # separate follow-up.
+ cosign-release: 'v2.5.2'
 - name: sign release archives
 run: |
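Review bot: The version literal and its seven-line rationale are pasted verbatim into this hunk and again into the `@@ -573` hunk, so the cosign used by the sign job and the one used by the verify-published job can silently diverge the next time either is bumped. Declare the pin once at workflow level, `env:` / `  COSIGN_VERSION: 'v2.5.2'`, have both steps use `cosign-release: '${{ env.COSIGN_VERSION }}'`, and keep the long comment only at that single definition. Pinning a release tag fixes which binary gets installed, but a tag is not a content hash; as far as I know this installer verifies the downloaded release against sigstore's published checksums and signature before use, which is what makes the tag pin trustworthy — worth confirming for the installer commit pinned here. Both `install cosign` steps sit inside jobs whose definitions begin outside the hunks.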
@@ -573,6 +581,14 @@ jobs:
 steps:
 - name: install cosign
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6
+ with:
+ # Pin cosign 2.x. The installer's resolved default moved to v3.0.6,
+ # whose `sign-blob` requires a bundle and breaks the
+ # --output-signature/--output-certificate flow ("create bundle file:
+ # open :"). v2.5.2 is the version that signed the last good release
+ # (Clarion v1.1.0). Porting sign-blob/verify-blob to cosign 3.x is a
+ # separate follow-up.
+ cosign-release: 'v2.5.2'
 - name: download published assets
 env: