
fix(docs): update cosign verification regex to support tag-triggered workflows#205

Merged: bedatty merged 1 commit into develop from fix/docs-cosign-regex-and-mdc-exceptions on Apr 6, 2026


Conversation

@bedatty (Contributor) commented Apr 6, 2026

Lerian

GitHub Actions Shared Workflows
Description

Fixes cosign verification regex in documentation to support both branch and tag-triggered workflows.

The previous regex @refs/heads/.* only matched branch-triggered workflow certificates. Since builds are triggered by tag pushes (on: push: tags), the cosign keyless signing embeds refs/tags/<tag> in the certificate identity, causing verification to fail with the documented command.

Updated to @refs/(heads|tags)/.+ across all 4 doc files:

  • docs/build-workflow.md
  • docs/go-release-workflow.md
  • docs/typescript-build.md
  • src/security/cosign-sign/README.md

Also escaped the . in github.com to github\.com for regex correctness.

Type of Change

  • docs: Documentation only (README, docs/, inline comments)

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Verified regex matches both refs/heads/main and refs/tags/v1.0.0 patterns
  • Checked that unrelated workflows are not affected

Related Issues

Related to #203

Summary by CodeRabbit

Documentation

  • Updated signature verification documentation examples across build workflow configuration, release automation procedures, and security verification guides. The changes now support container image verification for both branch-based (refs/heads) and tag-based (refs/tags) Git workflow references, providing enhanced flexibility for diverse CI/CD and deployment scenarios.
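The regex change described in this PR, checked against constructed certificate identities in Go. This is an added example, not code from the PR or from the repository's documentation: the org, repository and workflow names (example-org/example-repo, build.yml) are placeholders, and the full pattern shape around the PR's `github\.com` escape and `@refs/(heads|tags)/.+` suffix is an assumption about how the docs' verify commands are written. Go's regexp package implements RE2 syntax, which is also what cosign's `--certificate-identity-regexp` accepts, so the match results below mirror what `cosign verify` would decide for the same strings.

```go
package main

import (
	"fmt"
	"regexp"
)

// Certificate identity patterns in the form cosign's --certificate-identity-regexp
// receives them. Only the github\.com escape, the .* -> .+ tightening and the
// @refs/(heads|tags)/.+ suffix come from the PR; the org/repo/workflow path is a
// constructed placeholder (assumption, not the project's real pattern).
const (
	// Old pattern: unescaped github.com, .* segments, refs/heads only.
	OldIdentityRegexp = `^https://github.com/example-org/example-repo/.github/workflows/.*@refs/heads/.*$`
	// New pattern: escaped github\.com, .+ segments, refs/heads or refs/tags.
	NewIdentityRegexp = `^https://github\.com/example-org/example-repo/.github/workflows/.+@refs/(heads|tags)/.+$`
)

// MatchesIdentity reports whether a certificate identity satisfies pattern.
// Go's regexp is RE2, the same dialect cosign uses for identity regexps.
func MatchesIdentity(pattern, identity string) bool {
	return regexp.MustCompile(pattern).MatchString(identity)
}

// Constructed certificate identities in the shape GitHub Actions keyless
// signing embeds in the Fulcio certificate: workflow path @ triggering ref.
const (
	// Branch-triggered build (on: push: branches).
	BranchIdentity = "https://github.com/example-org/example-repo/.github/workflows/build.yml@refs/heads/main"
	// Tag-triggered build (on: push: tags), the case the PR fixes.
	TagIdentity = "https://github.com/example-org/example-repo/.github/workflows/build.yml@refs/tags/v1.0.0"
	// An unescaped '.' in github.com lets any character stand in for the dot.
	LookalikeHost = "https://githubXcom/example-org/example-repo/.github/workflows/build.yml@refs/heads/main"
	// .* accepts an empty workflow file name; .+ requires at least one character.
	EmptyWorkflow = "https://github.com/example-org/example-repo/.github/workflows/@refs/heads/main"
)

// Compare returns, for each identity, [old accepts, new accepts].
func Compare(identities []string) map[string][2]bool {
	out := make(map[string][2]bool, len(identities))
	for _, id := range identities {
		out[id] = [2]bool{
			MatchesIdentity(OldIdentityRegexp, id),
			MatchesIdentity(NewIdentityRegexp, id),
		}
	}
	return out
}

func main() {
	ids := []string{BranchIdentity, TagIdentity, LookalikeHost, EmptyWorkflow}
	results := Compare(ids)
	for _, id := range ids {
		r := results[id]
		fmt.Printf("old=%-5v new=%-5v %s\n", r[0], r[1], id)
	}
}
```

The same new pattern is what goes into the documented command, alongside the issuer pin that keyless verification also needs, e.g. `cosign verify --certificate-identity-regexp '<pattern>' --certificate-oidc-issuer https://token.actions.githubusercontent.com <image>`. Note that `.+` after `workflows/` still accepts any workflow file in the repository; pinning the exact workflow filename instead of `.+` is a tighter identity constraint where the publishing workflow is known.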

@bedatty bedatty requested a review from a team as a code owner April 6, 2026 17:15
@coderabbitai bot commented Apr 6, 2026

Caution: Review failed. Pull request was closed or merged during review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 78fc6a26-3611-460f-bccf-1e77954747ab

📥 Commits

Reviewing files that changed from the base of the PR and between f63bad1 and ce70f96.

📒 Files selected for processing (4)
  • docs/build-workflow.md
  • docs/go-release-workflow.md
  • docs/typescript-build.md
  • src/security/cosign-sign/README.md

Walkthrough

Four documentation files updated cosign verify command examples with revised --certificate-identity-regexp patterns: escaped github.com, constrained path segments from .* to .+, and expanded Git reference matching from refs/heads only to both refs/heads and refs/tags.

Changes

Cohort / File(s) | Summary
--- | ---
cosign verify regex pattern updates: docs/build-workflow.md, docs/go-release-workflow.md, docs/typescript-build.md, src/security/cosign-sign/README.md | Updated --certificate-identity-regexp patterns to escape github.com, replace permissive .* with constrained .+ segments, and expand Git reference matching from @refs/heads/.* to @refs/(heads|tags)/.+.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
--- | --- | ---
Title check | ✅ Passed | The title clearly and specifically describes the main change: updating cosign verification regex documentation to support tag-triggered workflows alongside branch-triggered workflows.
Description check | ✅ Passed | The description covers all critical sections: problem statement, solution details across affected files, regex changes, testing approach, and related issue. Properly formatted with completed type of change checkbox.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@lerian-studio lerian-studio added size/XS PR changes < 50 lines documentation Improvements or additions to documentation labels Apr 6, 2026
@lerian-studio commented

🔍 Lint Analysis

Check | Files Scanned | Status
--- | --- | ---
YAML Lint | no changes | ⏭️ skipped
Action Lint | no changes | ⏭️ skipped
Pinned Actions | no changes | ⏭️ skipped
Markdown Link Check | 4 file(s) | ✅ success
Spelling Check | 4 file(s) | ✅ success
Shell Check | no changes | ⏭️ skipped
README Check | no changes | ⏭️ skipped
Composite Schema | no changes | ⏭️ skipped


@bedatty bedatty merged commit baa43a2 into develop Apr 6, 2026
15 of 16 checks passed
@github-actions github-actions bot deleted the fix/docs-cosign-regex-and-mdc-exceptions branch April 6, 2026 17:18