chore: bump cosign in gh workflows (#7715)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

.github/actions/publish-image/action.yaml

@@ -66,11 +66,10 @@ runs:
     - shell: bash
       if: ${{ inputs.sign-image == 'true' }}
       env:
-        COSIGN_EXPERIMENTAL: 'true'
         COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
       run: |
         set -e
-        cosign sign \
+        cosign sign --yes \
           -a "repo=${{ github.repository }}" \
           -a "workflow=${{ github.workflow }}" \
           -a "ref=${{ github.sha }}" \

.github/workflows/helm-release.yaml

@@ -59,8 +59,6 @@ jobs:
 
       - name: Install Cosign
         uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
-        with:
-          cosign-release: 'v1.13.0'
 
       - name: Set version
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
@@ -93,8 +91,6 @@ jobs:
           helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
       
       - name: Publish OCI Charts
-        env:
-          COSIGN_EXPERIMENTAL: 1
         run: |
           for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do
             chart=${dir##*/}
@@ -102,5 +98,5 @@ jobs:
             helm package charts-tmp/${chart} --destination .dist
             helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest
             cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
-            cosign sign ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
+            cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
           done

.github/workflows/images-publish.yaml

@@ -42,8 +42,6 @@ jobs:
           severity: 'CRITICAL,HIGH'
       - name: Install Cosign
         uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
-        with:
-          cosign-release: 'v1.13.0'
       - name: Publish kyverno
         id: publish-kyverno
         uses: ./.github/actions/publish-image

.github/workflows/release.yaml

@@ -37,8 +37,6 @@ jobs:
           severity: 'CRITICAL,HIGH'
       - name: Install Cosign
         uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
-        with:
-          cosign-release: 'v1.13.0'
       - name: Publish kyverno
         id: release-kyverno
         uses: ./.github/actions/publish-image
@@ -234,8 +232,6 @@ jobs:
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
       - name: Install Cosign
         uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
-        with:
-          cosign-release: 'v1.13.0'
       - name: Make Release
         env:
           VERSION: ${{ github.ref_name }}
@@ -270,8 +266,6 @@ jobs:
           version: 0.35.0
       - name: Install Cosign
         uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
-        with:
-          cosign-release: 'v1.13.0'
       - name: Build yaml manifest
         run: VERSION=${{ github.ref_name }} make codegen-manifest-release
       - name: Upload install manifest
@@ -307,10 +301,8 @@ jobs:
             --source="$(git config --get remote.origin.url)" \
             --revision="${{ github.ref_name }}/$(git rev-parse HEAD)"
       - name: Sign manifests in GHCR with Cosign
-        env:
-          COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }}
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }}
 
   release-cli-via-krew:
     runs-on: ubuntu-latest