disable cosign verification of libgit2-only in CI

Signed-off-by: Sunny <darkowlzz@protonmail.com>

.github/workflows/build.yaml

@@ -28,6 +28,8 @@ jobs:
             **/go.sum
             **/go.mod
       - name: Run tests
+        env:
+          SKIP_COSIGN_VERIFICATION: true
         run: make all
       - name: Check if working tree is dirty
         run: |

git/libgit2/Makefile

@@ -8,6 +8,9 @@ export
 GO_TAGS ?=
 GO_TEST_ARGS ?= -race
 
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Use $GOBIN from the environment if set, otherwise use ./bin
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(PROJECT_DIR)/bin

git/libgit2/hack/install-libraries.sh

@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 
 TMP_DIR=$(mktemp -d)
 
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
     [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
 
-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
-                  "${TMP_DIR}/checksums.txt.sig" \
-                  "${TMP_DIR}/checksums.txt"
+    if "${SKIP_COSIGN_VERIFICATION}"; then
+        echo 'Skipping cosign verification...'
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi
 
     pushd "${TMP_DIR}" || exit
     if command -v sha256sum; then

git/libgit2/libgit2-vars.env

@@ -2,7 +2,7 @@
 # It's purpose is to reduce boilerplate, and provide a single source
 # of info for all other build scripts.
 LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2
-LIBGIT2_TAG=v0.2.0
+LIBGIT2_TAG=v0.3.0
 LIBGIT2_PATH=${LIBGIT2_BUILD_DIR}/libgit2/${LIBGIT2_TAG}
 LIBGIT2_LIB_PATH=${LIBGIT2_PATH}/lib
 LIBGIT2=${LIBGIT2_LIB_PATH}/libgit2.a