sigstore/cosign
Maintainers
Cosign is maintained as part of the Sigstore project under the OpenSSF.
Code ownership
From the CODEOWNERS file at the repo root:
| Path | Owners |
|---|---|
* (everything else) |
@sigstore/cosign-codeowners |
/.github/ |
@sigstore/dep-maintainers |
/release/ |
@sigstore/dep-maintainers |
go.mod, go.sum |
@sigstore/dep-maintainers |
@sigstore/cosign-codeowners and @sigstore/dep-maintainers are GitHub teams under the sigstore organization. Membership is documented in the sigstore/community repository (see MAINTAINERS.md and ALUMNI.md there).
Past maintainers
The repo carries an ALUMNI.md file at the root with the contributors who previously held maintainer status — useful when reviewing older PRs or trying to track institutional knowledge.
Contact channels
- Slack: sigstore.slack.com, invite link in
README.md. - Mailing list / community calls: see sigstore/community.
- Security: do not file public issues — follow sigstore/community SECURITY.md.
How decisions get made
README.md is explicit about the bar:
PRs which significantly modify or break the API will not be accepted. PRs which are significant in size but do not introduce breaking changes may be accepted, but will be considered lower priority than PRs in sigstore-go.
In practice that means most contentious design changes happen in sigstore-go, and cosign incorporates them once they're stable. Bug fixes and small enhancements proceed normally through the standard PR review by the codeowner team.
Bot accounts (excluded from the “people” lists above)
The following authors show up in git log but are automation:
dependabot[bot]— Go module / Action / Docker base updates.github-actions[bot]— workflow-driven commits (release tagging, doc regeneration on certain workflows).
Per the wiki conventions, bots are filtered out of contributor bylines elsewhere in this wiki.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.