c2b4df8ef9
cosign keyless sign uses Sigstore Fulcio which requires a Fulcio-trusted OIDC issuer. Forgejo runs don't have one, so cosign falls back to the interactive device flow and times out (error obtaining token: expired_token). Same applies to attest-build-provenance and the SBOM action's signed attestation. Skip all three on Forgejo for now; ISO + sha256 are sufficient for v0.5.x test releases. Re-add when we self-host a Sigstore stack or sign with a key-pair instead of keyless. |
||
|---|---|---|
| .. | ||
| workflows | ||
| CODEOWNERS | ||
| PULL_REQUEST_TEMPLATE.md | ||