[WIP] Update go#818
Conversation
PR Summary by QodoBump golang-cross and securesign image digests
AI Description
Diagram
High-Level Assessment
Files changed (2)
|
Code Review by Qodo
1. Signature check drift
|
|
|
||
| container: | ||
| image: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d | ||
| image: ghcr.io/gythialy/golang-cross:v1.26.3-0@sha256:9f7a53d7205e2f1f2742d624ff0b6e1531e8c22863dfb24ca966be5efbdee48b |
There was a problem hiding this comment.
1. Signature check drift 🐞 Bug ⛨ Security
In .github/workflows/validate-release.yml, validate-release-job now runs inside ghcr.io/gythialy/golang-cross:v1.26.3-0@..., but the check-signature job still verifies the signature and identity for the older v1.25.1-0@... image. This means the workflow can pass while never verifying the provenance/signature of the actual container image used to build the snapshot.
Agent Prompt
### Issue description
The workflow verifies `golang-cross` image **v1.25.1-0** in the `check-signature` job, but the actual build job (`validate-release-job`) runs using **v1.26.3-0**. This breaks the intent of the signature gate.
### Issue Context
`check-signature` must verify the same image digest/tag that will be used by `validate-release-job`, including updating the `--certificate-identity` reference.
### Fix Focus Areas
- .github/workflows/validate-release.yml[26-47]
### Suggested change
- Update the `cosign verify` target image (tag+digest) to `v1.26.3-0@sha256:9f7a...`.
- Update `--certificate-identity` to reference `refs/tags/v1.26.3-0`.
- (Optional, to prevent future drift) define a single env var (e.g. `GOLANG_CROSS_IMAGE`) and reuse it in both `check-signature` and `validate-release-job.container.image`.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
No description provided.