From dfbe598bc3d382b4481b0fc3ac74de3c66b792a6 Mon Sep 17 00:00:00 2001
From: Khalaf
Date: Sun, 10 May 2026 01:34:45 +0400
Subject: [PATCH] Install cosign via sigstore binary, not apt
---
 .forgejo/workflows/build.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
index 4ec1671..55aaf6b 100644
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -87,9 +87,24 @@ jobs:
 - name: Install build tooling
 shell: bash
+ env:
+ COSIGN_VERSION: v2.4.1
 run: |
+ set -euxo pipefail
+ # podman, buildah, skopeo, jq come from Ubuntu repos.
 sudo apt-get update -y
- sudo apt-get install -y podman buildah skopeo cosign jq
+ sudo apt-get install -y podman buildah skopeo jq curl ca-certificates
+ # cosign is NOT in apt - install the official binary from sigstore.
+ sudo curl -fsSL \
+ "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" \
+ -o /usr/local/bin/cosign
+ sudo chmod +x /usr/local/bin/cosign
+ # Verify everything is callable.
+ podman --version
+ buildah --version
+ skopeo --version
+ cosign version
+ jq --version
 - name: Build image
 id: build
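Review bot: The cosign binary fetched by the new `sudo curl` line is written straight into /usr/local/bin as root and made executable with no integrity check, so the job runs whatever bytes the release URL serves at build time. Pinning `COSIGN_VERSION` fixes the tag but not the content, and cosign is presumably what later steps rely on to sign or verify images, so it deserves a digest committed in the workflow next to the version. I would download to a temporary file without sudo, compare it against a pinned `COSIGN_SHA256`, and only then `install` it into place; the digest below is a placeholder to be filled in from the release's published checksums. The asset name also hard-codes `linux-amd64`, which is worth a one-line comment stating the runner architecture it assumes.

```yaml
        env:
          COSIGN_VERSION: v2.4.1
          # Placeholder: record the SHA-256 of cosign-linux-amd64 for this exact version.
          COSIGN_SHA256: "<pinned-sha256-of-cosign-linux-amd64>"
        run: |
          # … unchanged: set -euxo pipefail, apt-get update / install …
          tmp="$(mktemp)"
          curl -fsSL \
            "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" \
            -o "${tmp}"
          # Fail the job before anything lands on PATH if the bytes differ from the pin.
          echo "${COSIGN_SHA256}  ${tmp}" | sha256sum --check --strict -
          sudo install -m 0755 "${tmp}" /usr/local/bin/cosign
          rm -f "${tmp}"
          # … unchanged: version checks …
```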