chore(ci): bump pinned nox to 1.1.2#17
Merged
Merged
Conversation
Picks up the deriveChecksumsURL fix (Nox-HQ/nox#109): cosign v3.10+/v4 .sigstore.json plugin bundles now verify, so taint-analysis v0.6.6 installs at community trust instead of failing with "invalid signature". sha256 of nox_1.1.2_linux_amd64.tar.gz: 15d2fc546fe8a531eb9fde8e234d47a8326bd4b03bc0787f893c6cc003a8ed20
There was a problem hiding this comment.
Pull request overview
Updates the reusable Go CI workflow to use nox 1.1.2, addressing signature verification issues with newer cosign-emitted plugin bundle formats so taint-analysis can install cleanly under the community-trust policy.
Changes:
- Bump
nox-versiondefault from1.1.1to1.1.2. - Update the pinned
noxLinux amd64 tarball SHA-256 to match1.1.2.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Picks up the
deriveChecksumsURLfix (Nox-HQ/nox#109).cosign v3.10+/v4 emit
.sigstore.jsonplugin bundles; nox 1.1.1 stripped only the legacy.sig.bundlesuffix and verified the signature against the bundle file →invalid signature. Blocked taint-analysis v0.6.6 install at community trust in CI.With nox 1.1.2 the reusable
go-ciworkflow installs taint-analysis v0.6.6 cleanly (community trust); fmt.Fprintf XSS false positives gone.nox-version:1.1.1→1.1.2nox-sha256:15d2fc546fe8a531eb9fde8e234d47a8326bd4b03bc0787f893c6cc003a8ed20