From 8229ffb67477533d423462261895ef69d1fefef3 Mon Sep 17 00:00:00 2001
From: Matheus Pimenta <matheuscscp@gmail.com>
Date: Mon, 20 Oct 2025 15:31:14 +0100
Subject: [PATCH] Pin cosign to v2.6.1

xref: https://github.com/fluxcd/source-controller/issues/1923
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
---
 .github/workflows/release.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 51fcda38..c1f91814 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -37,6 +37,8 @@ jobs:
         uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
       - name: Setup Cosign
         uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        with:
+          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
       - name: Login to GitHub Container Registry
@@ -147,6 +149,8 @@ jobs:
           --source=${{ github.repositoryUrl }} \
           --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
       - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        with:
+          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
       - name: Sign manifests
         env:
           COSIGN_EXPERIMENTAL: 1