Skip to content

Tighten cosign OIDC subject ref matchers (@.+) on OCIRepository verify rules #2402

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem: every OCIRepository cosign trust rule matches the signing workflow's ref with @.+ (e.g. ^https://github\.com/devantler-tech/actions/\.github/workflows/publish-app\.yaml@.+$). This accepts an artifact signed via any ref of the workflow repo — including a floating branch like @main or an old vulnerable SHA — when consumers only ever invoke it from SHA-pinned or version-tagged refs. Flagged by CodeRabbit on #2399 (transitional dual-subject PR, which deliberately kept the existing house shape).

Proposed direction: tighten the ref part consistently across all verify rules (github-config, wedding-app, ascoachingogvaner, and any future consumers) to something like @([0-9a-f]{40}|refs/tags/v.+)$ so only SHA-pinned or release-tag invocations verify. Do it in one focused PR after the #2399 transition completes (post-cleanup, when each file is back to a single subject), so the pattern only has to change in one place per file.

Rough size: S — 3 files, regex-only, validated by the next tag's deploy.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions