
chore(deps): bump sigstore/cosign-installer from f713795cb21599bc4e5c4b58cbad1da852d7eeb9 to 398d4b0eeef1380460a10c8013a76f728fb906ac#441

Merged
vitali87 merged 1 commit into main from dependabot/github_actions/sigstore/cosign-installer-398d4b0eeef1380460a10c8013a76f728fb906ac
Mar 21, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps sigstore/cosign-installer from f713795cb21599bc4e5c4b58cbad1da852d7eeb9 to 398d4b0eeef1380460a10c8013a76f728fb906ac.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from f713795cb21599bc4e5c4b58cbad1da852d7eeb9 to 398d4b0eeef1380460a10c8013a76f728fb906ac.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@f713795...398d4b0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 398d4b0eeef1380460a10c8013a76f728fb906ac
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 9, 2026
@dependabot dependabot bot requested a review from vitali87 as a code owner March 9, 2026 01:38

greptile-apps bot commented Mar 9, 2026

Greptile Summary

This PR is a routine automated dependency update generated by Dependabot, bumping the sigstore/cosign-installer GitHub Action from commit f713795cb21599bc4e5c4b58cbad1da852d7eeb9 to 398d4b0eeef1380460a10c8013a76f728fb906ac, both within the v3 major version. The action is used in the sign-release job to install cosign for signing release binaries with Sigstore.

  • The change is limited to a single line in .github/workflows/build-binaries.yml.
  • The new SHA remains pinned (best practice for supply-chain security), so the update does not introduce a floating tag reference.
  • No Python code, logic, or configuration is affected.
  • No issues were found in this PR.

Confidence Score: 5/5

  • This PR is safe to merge — it is a routine, automated SHA-pinned dependency bump with no logic changes.
  • The change is a single-line update to a pinned SHA reference for a well-known, trusted action (sigstore/cosign-installer). It stays within the same v3 major version, uses a commit SHA pin (no floating tag), and does not touch any application code or configuration.
  • No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/build-binaries.yml Single-line bump of sigstore/cosign-installer from f713795c to 398d4b0e (both within v3); no logic changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([push tag / release / workflow_dispatch]) --> B[build job\nmatrix: linux, windows, darwin x amd64/arm64]
    B --> C[Checkout code]
    C --> D[Set up Python 3.12]
    D --> E[Install uv]
    E --> F[Install dependencies & PyInstaller]
    F --> G[Build binary]
    G --> H[Test binary]
    H --> I[Upload binary artifact]
    I --> J{startsWith refs/tags/v?}
    J -- Yes --> K[Upload to release\nsoftprops/action-gh-release]
    J -- No --> Z([end])

    I --> L[sign-release job\nneeds: build\nif: startsWith refs/tags/v]
    L --> M[Install cosign\nsigstore/cosign-installer@398d4b0e ← updated]
    M --> N[Download all artifacts]
    N --> O[Sign artifacts with cosign sign-blob]
    O --> P[Upload .sigstore.json to release]
    P --> Z2([end])

Last reviewed commit: ac6b615
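The property the summary calls out (every `uses:` reference pinned to a full commit SHA rather than a floating tag or branch) is easy to check mechanically. The following is an added illustration, not part of this PR or of the project's tooling; the workflow fragment is constructed, and only the cosign-installer SHA is taken from this PR.

```python
import re

# Constructed sample workflow fragment (not the project's real file). The
# cosign-installer SHA is the one this PR bumps to; the other refs are made up.
SAMPLE_WORKFLOW = """\
jobs:
  sign-release:
    steps:
      - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches `- uses: value` or `uses: value`, stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses):
    """Classify a `uses:` value as 'sha', 'floating', 'local' or 'docker'."""
    uses = uses.strip("'\"")
    if uses.startswith("./"):
        return "local"      # action from the same repository, moves with the commit
    if uses.startswith("docker://"):
        return "docker"     # image refs need a digest check of their own, skipped here
    _, _, ref = uses.partition("@")
    if not ref:
        return "floating"   # no ref at all is treated as unpinned
    return "sha" if FULL_SHA_RE.match(ref) else "floating"


def find_unpinned(workflow_text):
    """Return (line_no, uses_value) for each action ref not pinned to a full SHA."""
    unpinned = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "floating":
            unpinned.append((line_no, m.group(1).strip("'\"")))
    return unpinned


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

A tag such as `v4` or a branch such as `main` can be moved to point at different code later, which is why the check accepts only a 40-hex commit SHA.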


sonarqubecloud bot commented Mar 9, 2026

@codecov-commenter

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.


@vitali87 vitali87 merged commit 47236f9 into main Mar 21, 2026
23 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/sigstore/cosign-installer-398d4b0eeef1380460a10c8013a76f728fb906ac branch March 21, 2026 22:41

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

Status: Done
