ecd374ab1a
cosign keyless sign uses Sigstore Fulcio which requires a Fulcio-trusted OIDC issuer. Forgejo runs don't have one, so cosign falls back to the interactive device flow and times out (error obtaining token: expired_token). Same applies to attest-build-provenance and the SBOM action's signed attestation. Skip all three on Forgejo for now; ISO + sha256 are sufficient for v0.5.x test releases. Re-add when we self-host a Sigstore stack or sign with a key-pair instead of keyless. |
||
|---|---|---|
| .. | ||
| build-bluebuild.yml | ||
| build-iso.yml | ||
| lint.yml | ||