chore(deps): update dependency anchore/syft to v1.41.2

.gitea/workflows/artifacthub-metadata.yaml

@@ -38,6 +38,7 @@ jobs:
         echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
         oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
           --artifact-type application/vnd.dev.cosign.public-key.v1 \
+          --annotation org.opencontainers.image.title=cosign.pub \
           cosign.pub:application/vnd.dev.cosign.public-key.v1
 
     - name: Push artifacthub-repo.yml to docker.io

.gitea/workflows/release.yaml

@@ -19,7 +19,7 @@ jobs:
       run: apt-get update && apt-get install --yes curl
     - name: Install syft
       env:
-        SYFT_VERSION: "1.41.1" # renovate: datasource=github-releases depName=anchore/syft
+        SYFT_VERSION: "1.41.2" # renovate: datasource=github-releases depName=anchore/syft
       run: |
         OS="$(uname | tr '[:upper:]' '[:lower:]')"
         ARCH="$(dpkg --print-architecture)"
@@ -33,7 +33,7 @@ jobs:
         rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
     - uses: sigstore/cosign-installer@v4.0.0
       with:
-        cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
+        cosign-release: "v2.6.2" # renovate: datasource=github-tags depName=sigstore/cosign
     - uses: docker/setup-qemu-action@v3.7.0
     - uses: docker/setup-buildx-action@v3.12.0
     - uses: actions/setup-go@v6.2.0
@@ -72,6 +72,6 @@ jobs:
           --dest-password ${{ secrets.DOCKER_IO_PASSWORD }} \
           --dest-username ${{ secrets.DOCKER_IO_USERNAME }} \
           --src-password ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }} \
-          --src-username volker.raschek \
+          --src-username ${{ github.repository_owner }} \
             docker://git.cryptic.systems/volker.raschek/dcmerge:${TAG} \
             docker://docker.io/volkerraschek/dcmerge:${TAG}

.goreleaser.yaml

@@ -104,6 +104,7 @@ dockers_v2:
 
     io.artifacthub.package.alternative-locations: "docker.io/volkerraschek/{{ .ProjectName }}:{{ .Version }}"
     io.artifacthub.package.keywords: "docker,docker-compose,merge,ci"
+    io.artifacthub.package.logo-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/icons/icon.png"
     io.artifacthub.package.license: "MIT"
     io.artifacthub.package.readme-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/README.md"
 
@@ -327,11 +328,13 @@ docker_signs:
   #
   # Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"].
   # Templates: allowed.
+  # Note: Using --registry-referrers-mode=legacy ensures signature is stored as sha256-<digest>.sig tag
+  # which is required by ArtifactHub to display the "Signed" badge
   args:
   - "sign"
   - "--key=env://COSIGN_PRIVATE_KEY"
-  - "${artifact}@${digest}"
   - "--yes"
+  - "${artifact}@${digest}"
 
   # Which artifacts to sign.
   #
@@ -342,7 +345,7 @@ docker_signs:
   #   '':        images built by dockers_v2
   #
   # Default: ''.
-  artifacts: all
+  artifacts: manifests
 
   # IDs of the artifacts to sign.
   ids:
@@ -356,6 +359,8 @@ docker_signs:
   # StdinFile file to be given to the signature command as stdin.
   # stdin_file: ./passphrase.key
 
+  output: true
+
 gitea_urls:
   api: https://git.cryptic.systems/api/v1
   download: https://git.cryptic.systems