ci: add cosign keyless signing for container images #119
Merged
jlebon merged 3 commits into coreos:main, May 4, 2026
Conversation
Code Review
This pull request introduces README-dev.md as the primary documentation source for the development version of chunkah and updates the release automation in tools/release.py to generate the stable README.md by stripping development-specific headers. Feedback was provided to improve the robustness of the README generation process by using re.subn to ensure the development header is correctly identified and removed exactly once during the release process.
Our README right now is the main documentation for this project. As new features land, I want to be able to also update the README. But I don't want users to get confused by unreleased features. Let's add a dedicated README for development, and then it gets synced over to the main README at release time. Assisted-by: Pi (Claude Opus 4.6)
Use Sigstore cosign with GitHub Actions OIDC identity tokens to sign container images pushed to quay.io. This allows users to verify that images were built by the CI pipeline without requiring any private key management. Closes: coreos#117 Assisted-by: Pi (Claude Opus 4.6)
And sort them while we're here.
jlebon added a commit that referenced this pull request on May 4, 2026
I had switched to `--certificate-github-workflow-repository` at the last minute in #119, but hadn't tested it properly. It's only an additional filter in cosign v3 which otherwise still requires `--certificate-identity` or `--certificate-identity-regexp`. That makes it less useful since it's redundant with those so let's just use `--certificate-identity-regexp`. Assisted-by: Pi (Claude Opus 4.6)
Use Sigstore cosign with GitHub Actions OIDC identity tokens to sign
container images pushed to both ghcr.io and quay.io. This allows users
to verify that images were built by the CI pipeline without requiring
any private key management.
Closes: #117
Assisted-by: Pi (Claude Opus 4.6)
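The two commit messages above describe the keyless flow (sign in CI with the GitHub Actions OIDC token, verify against the workflow identity and issuer) and the follow-up commit explains why `--certificate-identity-regexp` plus `--certificate-oidc-issuer` is the right verification pair. The shell helpers below are an added example, not code from the chunkah project or from this PR. They assume the image lives at `quay.io/coreos/chunkah` and that the signing workflow runs in the `coreos/chunkah` repository with `permissions: id-token: write`; the `REPO_REGEXP` pattern is an assumed policy, not something the PR specifies.

```shell
#!/bin/sh
# Added example (not from the chunkah repo): build cosign keyless sign/verify
# invocations and check an identity string against the verification policy.
# Assumptions: GitHub Actions OIDC issuer, repository coreos/chunkah, and a
# workflow-identity regexp (REPO_REGEXP) chosen here for illustration.
set -eu

# The issuer GitHub Actions uses for its OIDC tokens (appears in the Fulcio cert).
GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Assumed policy: any workflow file in coreos/chunkah, on any ref. Tighten to a
# specific workflow path and ref (e.g. @refs/heads/main) if releases require it.
REPO_REGEXP='^https://github\.com/coreos/chunkah/\.github/workflows/.+@refs/.+$'

# Print the arguments for `cosign sign`. Sign by digest, never by tag: a tag can
# be re-pointed after signing, a digest binds the signature to exact content.
sign_args() {
    image=$1   # e.g. quay.io/coreos/chunkah
    digest=$2  # e.g. sha256:<hex>
    case "$digest" in
        sha256:*) ;;
        *) echo "refusing to sign by tag or malformed digest: $digest" >&2; return 1 ;;
    esac
    # --yes: accept uploading the certificate/signature to the transparency log
    # without a prompt (required in non-interactive CI).
    echo "sign --yes ${image}@${digest}"
}

# Print the arguments for `cosign verify`. cosign v3 requires an identity
# constraint (--certificate-identity or --certificate-identity-regexp) together
# with the issuer; --certificate-github-workflow-repository alone is only an
# extra filter, which is what the follow-up commit above corrected.
verify_args() {
    image=$1
    echo "verify --certificate-identity-regexp '${REPO_REGEXP}' --certificate-oidc-issuer ${GITHUB_OIDC_ISSUER} ${image}"
}

# Check a certificate SAN (the workflow identity Fulcio puts in the cert)
# against REPO_REGEXP, so the policy can be tested locally before it is
# relied on in verification. Returns 0 on match, 1 otherwise.
identity_matches() {
    printf '%s\n' "$1" | grep -Eq "$REPO_REGEXP"
}

# Usage inside the workflow step, after the push step exported IMAGE and DIGEST:
#   cosign $(sign_args "$IMAGE" "$DIGEST")
# Usage for a consumer verifying a pulled image:
#   eval cosign "$(verify_args quay.io/coreos/chunkah:latest)"
```

The `identity_matches` helper is the part worth running before changing the regexp: a pattern that accepts a forked repository or a differently named workflow defeats the point of keyless verification, since any GitHub Actions job can obtain an OIDC token from the same issuer.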