From eaf50902ac7026bf39a2740e1c7c7b8264c94c55 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Fri, 10 Jan 2025 07:22:48 -0500 Subject: [PATCH 1/4] dynamically fetch all cosign releases to test install, verify tlog inclusion Signed-off-by: Bob Callaway --- .github/workflows/test-action.yml | 24 ++++++++++++++++++++++-- action.yml | 2 +- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml index cbcbdd9..98777fc 100644 --- a/.github/workflows/test-action.yml +++ b/.github/workflows/test-action.yml @@ -7,7 +7,25 @@ on: - 'main' jobs: - test_cosign_action: + get_all_cosign_releases: + runs-on: ubuntu-latest + permissions: {} + name: Fetch current list of all Cosign releases for testing + outputs: + releases: ${{ steps.get_tags.outputs.result }} + steps: + - name: Get release tags + id: get_tags + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + retries: 3 + script: | + const response = await github.rest.repos.listReleases({'sigstore','cosign'}); + return response.data.map(release => release.tag_name); + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + test_default_version_cosign_action: runs-on: ${{ matrix.os }} strategy: matrix: @@ -55,9 +73,11 @@ jobs: test_cosign_action_custom: runs-on: ${{ matrix.os }} + needs: get_all_cosign_releases strategy: matrix: os: [macos-latest, ubuntu-latest, windows-latest] + cosign_release: ${{ fromJson(needs.get_all_cosign_releases.outputs.releases) }} permissions: {} name: Install Custom Cosign and test presence in path steps: @@ -65,7 +85,7 @@ jobs: - name: Install Cosign uses: ./ with: - cosign-release: 'v2.2.3' + cosign-release: ${{ matrix.cosign_release }} - name: Check install! run: cosign version - name: Check root directory diff --git a/action.yml b/action.yml index 5baa246..4a7fa59 100644 --- a/action.yml +++ b/action.yml 
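Review bot: `github.rest.repos.listReleases` in the new `get_all_cosign_releases` job returns a single page (30 entries by default), so the `releases` output — and the custom-version matrix built from it — covers only the newest releases, not "all" of them as the job name states. Use the paginator, `const releases = await github.paginate(github.rest.repos.listReleases, {owner: 'sigstore', repo: 'cosign'});` and then `return releases.map(release => release.tag_name);`. Once every release is returned the matrix grows to 3 × releases and GitHub caps a single matrix at 256 jobs, so the list may need trimming (e.g. dropping entries with `release.prerelease`). The `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` block appears unnecessary: github-script authenticates through its `github-token` input (default `${{ github.token }}`), and `permissions: {}` already scopes that token, so the env entry only exposes the secret to the step environment without effect.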
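Review bot: `cosign-release: ${{ matrix.cosign_release }}` now feeds a value taken from a remote API response into `inputs.cosign-release`, which action.yml interpolates unquoted into a `run:` shell step (`cosign_${{ inputs.cosign-release }}` in the action.yml hunk of this same patch). Tag names from a third-party API are data, not trusted code; in this repository sigstore controls both sides, so the practical risk is low, but the pattern is exactly what zizmor's template-injection audit is likely to flag. The installer should validate the input before it reaches the shell, e.g. `case "${{ inputs.cosign-release }}" in v[0-9]*.[0-9]*.[0-9]*) ;; *) log_error "invalid cosign-release"; exit 1;; esac` placed in action.yml ahead of its first use, or pass the value through an `env:` variable and reference `"$COSIGN_RELEASE"` instead. That check lives outside this hunk, so I cannot confirm whether action.yml already does it.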
@@ -253,7 +253,7 @@ runs: fi log_info "Using bootstrap cosign to verify signature of desired cosign version" - ./cosign verify-blob --insecure-ignore-tlog --key public.key --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }} + ./cosign verify-blob --key public.key --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }} $SUDO rm cosign $SUDO mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name} From e8a7ef563b6e2d4d12dc17de5cf8d0b0b361906d Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Fri, 10 Jan 2025 07:25:57 -0500 Subject: [PATCH 2/4] fix js Signed-off-by: Bob Callaway --- .github/workflows/test-action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml index 98777fc..a56f94e 100644 --- a/.github/workflows/test-action.yml +++ b/.github/workflows/test-action.yml @@ -20,7 +20,7 @@ jobs: with: retries: 3 script: | - const response = await github.rest.repos.listReleases({'sigstore','cosign'}); + const response = await github.rest.repos.listReleases({owner:'sigstore',repo:'cosign'}); return response.data.map(release => release.tag_name); env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 0adb91e4f7495f074bf26b5e4dccd6e2221079c1 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Fri, 10 Jan 2025 07:27:04 -0500 Subject: [PATCH 3/4] dynamically set name Signed-off-by: Bob Callaway --- .github/workflows/test-action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml index a56f94e..9795720 100644 --- a/.github/workflows/test-action.yml +++ b/.github/workflows/test-action.yml 
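Review bot: Dropping `--insecure-ignore-tlog` from `./cosign verify-blob --key public.key --signature ...` is the right direction, but with only `--key` and `--signature` the bootstrap cosign must now obtain the Rekor inclusion proof online, so the install step gains a network dependency on the public transparency log and a new failure mode on runners that restrict egress; if the release assets ship an offline bundle, prefer passing it with `--bundle` (and `--offline`) so verification does not depend on Rekor being reachable, and otherwise document the dependency in the action's README. Whether a failed verification actually stops the install is not visible here: the hunk shows `$SUDO rm cosign` and `$SUDO mv cosign_... ${cosign_executable_name}` following immediately, and unless the enclosing script runs under `set -e` (its header is outside this hunk) a non-zero exit from `verify-blob` falls straight through to installing the unverified binary; guarding with `|| { log_error "signature verification failed"; exit 1; }` makes the intent explicit regardless.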
@@ -79,7 +79,7 @@ jobs: os: [macos-latest, ubuntu-latest, windows-latest] cosign_release: ${{ fromJson(needs.get_all_cosign_releases.outputs.releases) }} permissions: {} - name: Install Custom Cosign and test presence in path + name: "Install Cosign ${{ matrix.cosign_release }} on ${{ matrix.os }} and test presence in path" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Cosign From 659ab63fdfb39c65b1b855f19f93d95b44e4fd90 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Fri, 10 Jan 2025 07:40:01 -0500 Subject: [PATCH 4/4] bump go, zizmor, omit 0.5.0 and 0.6.0 Signed-off-by: Bob Callaway --- .github/workflows/test-action.yml | 33 ++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml index 9795720..451b6be 100644 --- a/.github/workflows/test-action.yml +++ b/.github/workflows/test-action.yml @@ -21,7 +21,10 @@ jobs: retries: 3 script: | const response = await github.rest.repos.listReleases({owner:'sigstore',repo:'cosign'}); - return response.data.map(release => release.tag_name); + const releases = response.data.map(release => release.tag_name); + console.log("Found releases: " + releases); + // omits 0.5.0 and 0.6.0 releases because they are tested separately + return releases.filter(rel => !['0.5.0', '0.6.0'].includes(rel)); env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -31,9 +34,11 @@ jobs: matrix: os: [macos-latest, ubuntu-latest, windows-latest] permissions: {} - name: Install Cosign and test presence in path + name: Install default version Cosign and test presence in path steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ - name: Check install! 
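Review bot: The new filter `releases.filter(rel => !['0.5.0', '0.6.0'].includes(rel))` compares against bare version strings, but `tag_name` values in this repository carry a `v` prefix (the workflow previously pinned `'v2.2.3'`, and the dedicated jobs below are named "Install Cosign v0.5.0" / "v0.6.0"), so the comparison most likely matches nothing and both releases stay in the dynamic matrix despite the comment saying they are omitted. Use `return releases.filter(rel => !['v0.5.0', 'v0.6.0'].includes(rel));`, or normalise first with `rel.replace(/^v/, '')` if both forms can occur. The `console.log("Found releases: " + releases)` line is fine for debugging but will print one long comma-joined string once pagination returns the full list; `console.log(releases.join('\n'))` reads better in the job log.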
@@ -58,6 +63,8 @@ jobs: name: Install existing release of Cosign and test presence in path steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5 - name: Check install! @@ -79,9 +86,11 @@ jobs: os: [macos-latest, ubuntu-latest, windows-latest] cosign_release: ${{ fromJson(needs.get_all_cosign_releases.outputs.releases) }} permissions: {} - name: "Install Cosign ${{ matrix.cosign_release }} on ${{ matrix.os }} and test presence in path" + name: Install Cosign ${{ matrix.cosign_release }} on ${{ matrix.os }} and test presence in path steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ with: @@ -107,6 +116,8 @@ jobs: name: Install Cosign v0.5.0 and test presence in path steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ with: @@ -132,6 +143,8 @@ jobs: name: Install Cosign v0.6.0 and test presence in path steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ with: @@ -158,6 +171,8 @@ jobs: name: Install Cosign v0.6.0 and test presence in path with pre installed libpcsclite1 package steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install libpcsclite1 run: | sudo apt-get update -q @@ -186,6 +201,8 @@ jobs: name: Try to install a wrong Cosign steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ with: 
@@ -201,6 +218,8 @@ jobs: name: Install Custom Cosign and test presence in path steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ with: @@ -225,6 +244,8 @@ jobs: name: Install Custom Cosign and test presence in path with custom root dir steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Cosign uses: ./ with: @@ -251,11 +272,13 @@ jobs: - ubuntu-latest - windows-latest go_version: - - '1.21' - '1.22' - name: Try to install cosign with go ${{ matrix.go_version }} + - '1.23' + name: Try to install cosign with go ${{ matrix.go_version }} on ${{ matrix.os }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ matrix.go_version }}