From fa8d0b9176c09ac5a413b88cb64c629b53a13256 Mon Sep 17 00:00:00 2001
From: Markus Pesch <markus.pesch@cryptic.systems>
Date: Tue, 3 Feb 2026 21:00:58 +0100
Subject: [PATCH] chore(deps): use sigstore/cosign v2.6.2

---
 .gitea/workflows/artifacthub-metadata.yaml | 3 ++-
 .gitea/workflows/release.yaml              | 4 ++--
 .goreleaser.yaml                           | 3 +--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/artifacthub-metadata.yaml b/.gitea/workflows/artifacthub-metadata.yaml
index 3861964..37477ab 100644
--- a/.gitea/workflows/artifacthub-metadata.yaml
+++ b/.gitea/workflows/artifacthub-metadata.yaml
@@ -38,6 +38,7 @@ jobs:
         echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
         oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
           --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
           cosign.pub:application/vnd.dev.cosign.public-key.v1
 
     - name: Push artifacthub-repo.yml to docker.io
@@ -52,4 +53,4 @@ jobs:
         echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
         oras push docker.io/volkerraschek/dcmerge:cosign.pub \
           --artifact-type application/vnd.dev.cosign.public-key.v1 \
-          cosign.pub:application/vnd.dev.cosign.public-key.v1
\ No newline at end of file
+          cosign.pub:application/vnd.dev.cosign.public-key.v1
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 3df0210..e04b8be 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -33,7 +33,7 @@ jobs:
         rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
     - uses: sigstore/cosign-installer@v4.0.0
       with:
-        cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
+        cosign-release: "v2.6.2" # renovate: datasource=github-tags depName=sigstore/cosign
     - uses: docker/setup-qemu-action@v3.7.0
     - uses: docker/setup-buildx-action@v3.12.0
     - uses: actions/setup-go@v6.2.0
@@ -72,6 +72,6 @@ jobs:
           --dest-password ${{ secrets.DOCKER_IO_PASSWORD }} \
           --dest-username ${{ secrets.DOCKER_IO_USERNAME }} \
           --src-password ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }} \
-          --src-username volker.raschek \
+          --src-username ${{ github.repository_owner }} \
             docker://git.cryptic.systems/volker.raschek/dcmerge:${TAG} \
             docker://docker.io/volkerraschek/dcmerge:${TAG}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index fcbdce2..d734d73 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -334,7 +334,6 @@ docker_signs:
   - "sign"
   - "--key=env://COSIGN_PRIVATE_KEY"
   - "--yes"
-  - "--registry-referrers-mode=legacy"
   - "${artifact}@${digest}"
 
   # Which artifacts to sign.
@@ -346,7 +345,7 @@ docker_signs:
   #   '':        images built by dockers_v2
   #
   # Default: ''.
-  artifacts: all
+  artifacts: manifests
 
   # IDs of the artifacts to sign.
   ids: