cosign: convert to go-mod-vcs hybrid fetch

Convert from go-mod + go-mod-update-modules to go-mod-vcs hybrid
fetch mode, consistent with other Go recipes in the layer (k3s,
nerdctl, docker-compose, etc.).

- Replace cosign-go-mods.inc (gomod:// only) with generated
  go-mod-hybrid-{gomod,git,cache}.inc and go-mod-{git,cache}.inc
- Keep cosign-licenses.inc for dependency license tracking (our
  go-mod-vcs tooling does not yet generate license metadata)
- Add GO_MOD_VCS_EXCLUDE for buf.build (no git repo) and
  software.sslmate.com/src/go-pkcs12 (unreachable commit)
- Set GO_MOD_DISCOVERY_SRCDIR to match go.bbclass source layout

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 39 insertions, 7 deletions

diff --git a/recipes-containers/cosign/cosign_git.bb b/recipes-containers/cosign/cosign_git.bb
index 09c28317..8bb8dc8b 100644
--- a/recipes-containers/cosign/cosign_git.bb
+++ b/recipes-containers/cosign/cosign_git.bb
@@ -1,19 +1,51 @@
 SUMMARY = "Container signing, verification and storage in an OCI registry"
 HOMEPAGE = "https://github.com/sigstore/cosign"
 LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/COPYRIGHT.txt;md5=3830a9ca4f9dc30be01bfa2e4042dd46 \
-                    file://src/${GO_IMPORT}/LICENSE;md5=86d3f3a95c324c9479bd8986968f4327 \
+LIC_FILES_CHKSUM = "file://${S}/src/${GO_IMPORT}/COPYRIGHT.txt;md5=3830a9ca4f9dc30be01bfa2e4042dd46 \
+                    file://${S}/src/${GO_IMPORT}/LICENSE;md5=86d3f3a95c324c9479bd8986968f4327 \
                     "
 
 GO_IMPORT = "github.com/sigstore/cosign"
-GO_INSTALL = "${GO_IMPORT}/v3/cmd/cosign"
-SRC_URI = "git://${GO_IMPORT};protocol=https;nobranch=1;destsuffix=${GO_SRCURI_DESTSUFFIX}"
+
+SRC_URI = "git://github.com/sigstore/cosign.git;branch=main;name=cosign;protocol=https;destsuffix=${GO_SRCURI_DESTSUFFIX}"
 PV = "3.0.6+git"
-SRCREV = "f1ad3ee952313be5d74a49d67ba0aa8d0d5e351f"
+SRCREV_cosign = "f1ad3ee952313be5d74a49d67ba0aa8d0d5e351f"
+
+SRCREV_FORMAT = "cosign"
+
+# go-mod-discovery configuration
+GO_MOD_DISCOVERY_SRCDIR = "${S}/src/${GO_IMPORT}"
+GO_MOD_DISCOVERY_BUILD_TARGET = "./cmd/cosign"
+GO_MOD_DISCOVERY_GIT_REPO = "https://github.com/sigstore/cosign.git"
+GO_MOD_DISCOVERY_GIT_REF = "${SRCREV_cosign}"
+
+# Modules that can't be fetched via git (no repo metadata or unreachable commits)
+# - buf.build/gen/go: generated protobuf module, no git repository
+# - software.sslmate.com/src/go-pkcs12: commit not reachable via shallow fetch
+SRC_URI += "gomod://buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go;version=v1.36.11-20260209202127-80ab13bee0bf.1;sha256sum=${COSIGN_BUF_BUILD_SHA}"
+SRC_URI += "gomod://software.sslmate.com/src/go-pkcs12;version=v0.4.0;sha256sum=${COSIGN_PKCS12_SHA}"
+GO_MOD_VCS_EXCLUDE = "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go software.sslmate.com/src/go-pkcs12"
+
+# Checksums — run bitbake cosign -c fetch to get correct values on first use
+COSIGN_BUF_BUILD_SHA ?= "907cb90a97d72b869a0f2f08e71ebdaaa5a0efa57ca72ebd7d14ed5a9922b541"
+COSIGN_PKCS12_SHA ?= "55019a391e5302a51ba62e98909e006224b81207866da90beaf582ec0dee036f"
+
+# GO_MOD_FETCH_MODE: "vcs" (all git://) or "hybrid" (gomod:// + git://)
+GO_MOD_FETCH_MODE ?= "hybrid"
+
+# VCS mode: all modules via git://
+include ${@ "go-mod-git.inc" if d.getVar("GO_MOD_FETCH_MODE") == "vcs" else ""}
+include ${@ "go-mod-cache.inc" if d.getVar("GO_MOD_FETCH_MODE") == "vcs" else ""}
+
+# Hybrid mode: gomod:// for most, git:// for selected
+include ${@ "go-mod-hybrid-gomod.inc" if d.getVar("GO_MOD_FETCH_MODE") == "hybrid" else ""}
+include ${@ "go-mod-hybrid-git.inc" if d.getVar("GO_MOD_FETCH_MODE") == "hybrid" else ""}
+include ${@ "go-mod-hybrid-cache.inc" if d.getVar("GO_MOD_FETCH_MODE") == "hybrid" else ""}
 
+# Dependency license tracking (generated by go-mod-update-modules)
 require ${BPN}-licenses.inc
-require ${BPN}-go-mods.inc
 
-inherit go-mod go-mod-update-modules
+inherit go goarch
+inherit go-mod-discovery
 
 BBCLASSEXTEND = "native nativesdk"