From 135fbe6bd84ab891c27562c32c74f472c5eeebc3 Mon Sep 17 00:00:00 2001 From: E Shattow Date: Thu, 16 Apr 2026 04:50:39 -0700 Subject: [PATCH] Bump cosign to 3.0.6 * Upgrade to newest cosign version * Add comment with suggested command for generating cosign_checksums.txt snippet to allow additional bootstrap_*_sha env variables linux_ppc64le, linux_riscv64, and linux_s390x Signed-off-by: E Shattow --- README.md | 2 +- action.yml | 22 ++++++++++++++-------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index d385bf9..9aa7332 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@v4.1.0 with: - cosign-release: 'v3.0.5' + cosign-release: 'v3.0.6' - name: Check install! run: cosign version ``` diff --git a/action.yml b/action.yml index 454ef38..4c29a09 100644 --- a/action.yml +++ b/action.yml @@ -10,7 +10,7 @@ inputs: cosign-release: description: 'cosign release version to be installed' required: false - default: 'v3.0.5' + default: 'v3.0.6' install-dir: description: 'Where to install the cosign binary' required: false 
@@ -99,13 +99,19 @@ runs: esac } - bootstrap_version='v3.0.5' - bootstrap_linux_amd64_sha="db15cc99e6e4837daabab023742aaddc3841ce57f193d11b7c3e06c8003642b2" - bootstrap_linux_arm_sha="4866f388e87125f1f492231dbbb347bb73b601c810595b65b2ae09eae4c8a99d" - bootstrap_linux_arm64_sha="d098f3168ae4b3aa70b4ca78947329b953272b487727d1722cb3cb098a1a20ab" - bootstrap_darwin_amd64_sha="e032c44d3f7c247bbb2966b41239f88ffba002497a4516358d327ad5693c386f" - bootstrap_darwin_arm64_sha="4888c898e2901521a6bd4cf4f0383c9465588a6a46ecd2465ad34faf13f09eb7" - bootstrap_windows_amd64_sha="44e9e44202b67ddfaaf5ea1234f5a265417960c4ae98c5b57c35bc40ba9dd714" + ## curl -sL https://github.com/sigstore/cosign/releases/download/v3.0.6/cosign_checksums.txt |\ + ## gawk 'match($2,/^cosign-([[:alnum:]]+)-([[:alnum:]]+)(\.[[:alnum:]]+)?$/,a){printf "bootstrap_%s_%s_sha=\"%s\"\n",a[1],a[2],$1}' |\ + ## LANG=C sort + bootstrap_version='v3.0.6' + bootstrap_darwin_amd64_sha="4c3e7af8372d3ca3296e62fa56f23fcbb5721cc6ac1827900d398f110d7cd280" + bootstrap_darwin_arm64_sha="5fadd012ae6381a6a29ff86a7d39aa873878852f1073fc90b15995961ecfb084" + bootstrap_linux_amd64_sha="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" + bootstrap_linux_arm64_sha="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" + bootstrap_linux_arm_sha="67bd25d32daff5664caf51208c95defcb2ad7ac1296f394fa677bb8bacee62f5" + bootstrap_linux_ppc64le_sha="08c3e5e0a09c440f49e9a69d8639d37fbec522ec8c5c0ac805243b098e6ea512" + bootstrap_linux_riscv64_sha="e25952e798958b0f9168d044153ccc353f5469ca4b71a1707dffad0534d27017" + bootstrap_linux_s390x_sha="3cf4b769258ed9cc3c2a93268c0d5c1cc3fbd094af8df21035cbac8fb0d7c088" + bootstrap_windows_amd64_sha="9b85a88ebff2d9dd30ff4984a6f61f2cedc232dd87d81fa7f2ff3c0ed96c241c" cosign_executable_name=cosign
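Review bot: The regeneration command in the new comment above `bootstrap_version` takes the digests straight from a plain `curl` of cosign_checksums.txt, with no step that authenticates that file. These `bootstrap_*_sha` values are presumably what the bootstrap binary is checked against, so the comment should also tell the maintainer to verify the file first, for example against the release's published signature material or a second independent source. Two small changes would harden the command itself: `curl -fsSL` makes an HTTP error fail loudly instead of producing no lines, and narrowing `(\.[[:alnum:]]+)?` to `(\.exe)?` stops any other single-extension file named like a binary from emitting a duplicate variable name. The new `bootstrap_linux_ppc64le_sha`, `bootstrap_linux_riscv64_sha` and `bootstrap_linux_s390x_sha` values only take effect if the architecture selection maps to them. That code lies outside this hunk, so it is worth confirming.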