From bf4e6e2fa31c8e247755fdb3e29d11c82bd9c764 Mon Sep 17 00:00:00 2001
From: cannarelladev <cannarella.dev@gmail.com>
Date: Wed, 4 Feb 2026 16:22:03 +0100
Subject: [PATCH] fix(ci): sign OCI artifacts with both OCI 1.1 and legacy
 formats

Signed-off-by: c2ndev <cannarella.dev@gmail.com>
---
 .github/workflows/reusable-publish-oci-artifacts.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/reusable-publish-oci-artifacts.yaml b/.github/workflows/reusable-publish-oci-artifacts.yaml
index dcf1e772..9d084802 100644
--- a/.github/workflows/reusable-publish-oci-artifacts.yaml
+++ b/.github/workflows/reusable-publish-oci-artifacts.yaml
@@ -94,5 +94,8 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Sign the artifacts with GitHub OIDC Token
+      - name: Sign the artifacts with GitHub OIDC Token (OCI 1.1 referrers)
         run: cosign sign --yes ${{ matrix.value.repository.ref }}@${{ matrix.value.artifact.digest }}
+
+      - name: Sign the artifacts with GitHub OIDC Token (legacy tag-based)
+        run: cosign sign --yes --registry-referrers-mode=legacy ${{ matrix.value.repository.ref }}@${{ matrix.value.artifact.digest }}