[pull] main from sigstore:main#44
Open
pull[bot] wants to merge 342 commits into
Open
Conversation
…#4448) * choose different signature filename for keyless release signatures Signed-off-by: Bob Callaway <bcallaway@google.com> * switch, rename the kms-signed objects Signed-off-by: Bob Callaway <bcallaway@google.com> * update README Signed-off-by: Bob Callaway <bcallaway@google.com> * update README Signed-off-by: Bob Callaway <bcallaway@google.com> --------- Signed-off-by: Bob Callaway <bcallaway@google.com>
Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.107.2 to 3.108.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.107.2...v3.108.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.108.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `chainguard-dev/actions` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@8e97c1f...6f4f4de) Updates `cpanato/vault-installer` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/cpanato/vault-installer/releases) - [Commits](cpanato/vault-installer@e7c1d66...f7e2ad9) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: cpanato/vault-installer dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.148.1 to 0.151.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.148.1...v0.151.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.151.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.250.0 to 0.251.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.250.0...v0.251.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.251.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* Update changelog for v3.0.2 Signed-off-by: Hayden <haydentherapper@users.noreply.github.com> * Update CHANGELOG.md Signed-off-by: Hayden <haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
When calling cosign initialize, the client will cache the trusted root file if available. This PR adds support for caching the signing config as well. The public-good instance's TUF repo includes this file. Private deployments likely don't use this file, so like with the trusted root, Cosign will print a warning rather than fail initialization. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Deduplicate key/token handling in sign commands Move the nearly identical code for parsing key options and creating a key pair and token out of attest, attest-blob, sign, and sign-blob, and into a common helper package. Move functions that had been shared out of sign.go into the helper package too so that other commands do not have to import the sign command package. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate signer-verifier creation Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate timestamp retrieval Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate rekor upload Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate bundle compilation Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move OCI parsing function to signcommon Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Make flag compatibility checking consistent Move flag checks when --new-bundle-format is used to a common helper module and have all four verify commands use it. Remove redundant flag checker code. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Remove duplicate certs setting RootCerts and IntermediateCerts are already set on CheckOpts during loadCertsKeylessVerification. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move loading key to common Move the setting of SigVerifier based on the key ref, key slot, or cert and cert chain, to the common file. For verifying blobs and blob attestations with a certificate instead of a key, we return the cert which is used directly in the options list for verification. For images, the cert and cert chain must be validated and then unpacked into the SigVerifier, where the cosign Verify* functions check its validity by extracting it from the verifier. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate TUF v1 fetch and rekor client setup Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate trusted material setting Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move common functions to common.go Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
The offline flag is misleading and is a no-op with the new Cosign v3 defaults. The flag's purpose was to prevent a client from falling back to verifying an artifact's inclusion in Rekor when a proof failed to verify. Most users thought offline verification forced the client to not make any network requests - a very reasonable assumption, but with TUF, network requests are a part of verification if the local TUF metadata has expired. I've updated the README as well, though we need to make a far more comprehensive pass over the documentation since it's out of date given our new trusted-root/bundle flags. Fixes #4454 Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [mikefarah/yq](https://github.com/mikefarah/yq). Updates `chainguard-dev/actions` from 1.5.3 to 1.5.4 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@6f4f4de...7b18ea9) Updates `mikefarah/yq` from 4.47.2 to 4.48.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](mikefarah/yq@6251e95...0ecdce2) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-version: 4.48.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Remove any mention of the `--out` flag from the `cosign initialize` command, since it's no longer used. Signed-off-by: Alex Pyrgiotis <apyrgio@gmail.com>
Ensure COSIGN_REPOSITORY environment variable is respected both for the legacy attachment format and the new bundle format. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
* Ensure attestations are set --------- Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
--- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.42.0 to 0.43.0. - [Commits](golang/crypto@v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.0.0-rc2 to 2.0.0. - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](sigstore/rekor-tiles@v2.0.0-rc2...v2.0.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.5.4 to 1.5.7 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@7b18ea9...1b32103) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With this change, cosign sign can be run only once when an image has multiple pull references. Closes #4330 Signed-off-by: Emily Zheng <yuzheng@redhat.com>
Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
* Add protobuf bundle support for tree subcommand --------- Signed-off-by: Zach Steindler <steiza@github.com>
….1 (#4483) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.108.0 to 3.109.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.108.0...v3.109.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.109.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Also updates the registry tests to use TUF so that they can be re-used for both the legacy format and protobuf bundle format. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Without this change, --upload=false was not respected with the new bundle format. It also would not have made sense because there was no way to output the bundle locally. This change adds a flag --bundle so that the bundle can be created on disk without attaching it to the image, and also passes through the Upload parameter to bypass uploading it if desired. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Use a common options struct for WriteBundle and WriteNewBundleWithSigningConfig to reduce the number of arguments in each function. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
* cmd/cosign: add --signing-algorithm flag Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * fix getHashFunction to use signingAlgorithm Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * cmd/cosign: set default ko.SigningAlgorithm Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * cmd/cosign: set default ko.SigningAlgorithm 2 Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Validate signing-algorithm immediately Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Use GetDefaultLoadOptions function Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Update documentation Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * use v3 Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Disable ed25519ph Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Fix doc Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Fix getHashAlgorithm to have a default value for SigningAlgorithm Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * fix unused argument Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> --------- Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](spiffe/go-spiffe@v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-version: 2.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the gomod group with 1 update: [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag). Updates `github.com/go-openapi/swag/conv` from 0.26.0 to 0.26.1 - [Release notes](https://github.com/go-openapi/swag/releases) - [Commits](go-openapi/swag@v0.26.0...v0.26.1) --- updated-dependencies: - dependency-name: github.com/go-openapi/swag/conv dependency-version: 0.26.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all group with 1 update in the / directory: golang. Updates `golang` from 1.26.3 to 1.26.4 --- updated-dependencies: - dependency-name: golang dependency-version: 1.26.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.4.2-0.20260407074541-7e8f69f906ef to 2.4.2. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Commits](https://github.com/theupdateframework/go-tuf/commits/v2.4.2) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.280.0 to 0.283.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.280.0...v0.283.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.283.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.52.0 to 0.53.0. - [Commits](golang/crypto@v0.52.0...v0.53.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.53.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Needed to update the identity string as well. Also downgrade the Dockerfile version to match the release version, will bump all at once when there's a new golang-cross builder. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
This change adds a bundle inspect command which provides a diagnostic display of a bundle's contents. Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Capitalize Short descriptions and remove command-name self-references
("list-tokens lists..." -> "List all..."). Add Example: fields to
both subcommands. Regenerate doc/ via cmd/help/main.go.
Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
* docs: add Example fields to env and bundle create commands Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com> * docs: regenerate doc/ after adding Example fields Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com> --------- Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
* Remove unused signcommon code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused Rekor code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused Fulcio code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused tlog code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused attestation code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused bundle code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused TSA code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Replace legacy signers with static.NewSignature in verify test Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Replace tsa.GetTimestampedSignature with new helpers in verify tests Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused signer wrapper implementations Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Replace tsa.SplitPEMCertificateChain with existing helper in verify test Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused exported SplitPEMCertificateChain TSA util Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Replace bundle.MakeProtobufBundle with proto in verify_blob_* tests Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Move BundleV03MediaType constant to new constants file Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused protobundle code Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Update go.mod and go.sum Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> --------- Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
The Short command descriptions were inconsistent: most followed the cobra convention of a short phrase with no trailing period, but sixteen ended in a period. Standardize the outliers to match the period-free majority and regenerate the Markdown docs. piv-tool and pkcs11-tool Short fields are addressed in separate changes. Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
…ith new helper (#4946) Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
…4942) Capitalize Short descriptions and remove command-name self-references ("generate-key generates...", "reset resets..."). Add Example: fields to all seven piv-tool subcommands. Regenerate doc/ via cmd/help/main.go. Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
This change deprecates the --output-attestation flag for attest-blob in favor of --bundle. Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
AnnotationsMap parsed --annotations with strings.Split(a, "="), so any value containing '=' (base64 padding, URLs with query strings, chained key=value) yielded len>2 and was rejected with "unable to parse annotation". Use strings.SplitN(a, "=", 2), matching the repo's canonical parser in pkg/signature/annotations.go. The no-'=' case is still rejected. Signed-off-by: Seonghyun Hong <s3onghyun.hong@gmail.com>
`cosign dockerfile verify` extracted the target of a `FROM` instruction even when it referenced a previously declared build stage (e.g. `FROM base_image`), then tried to pull that stage name as an image and failed with an authentication/not-found error. Skip `FROM` references that resolve to a known stage name, mirroring the existing handling for `COPY --from=<stage>`. Fixes #3880 Signed-off-by: bejaratommy <tommy@bejara.net> Co-authored-by: bejaratommy <tommy@bejara.net>
* feat: shell complete bundles with .sigstore.json too Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> * feat: verify shell completion improvements Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> --------- Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
…orkflow (#4970) Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: JasonPowr <japower@redhat.com>
…m base config (#4977) * feat(signing-config): add --base-config flag to override services from base config Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update doc Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
The Payload table-of-contents link pointed to #payload, but the section heading is 'Payloads' (anchor #payloads), so the link did not resolve. Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.2.2-0.20260601073857-5d098a2b6443 to 2.3.0. - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md) - [Commits](https://github.com/sigstore/rekor-tiles/commits/v2.3.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ors (#4978) Signed-off-by: Stefan Kuhn <stefan.kuhn.zurich@gmail.com>
Signed-off-by: Kevin Demy <kevin.demy@ovhcloud.com>
…4983) Bumps the gomod group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.32.3` | `0.32.4` | | [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) | `0.26.3` | `0.26.4` | | [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.6` | `0.21.7` | | [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.5.2` | `1.5.3` | | [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) | `1.2.0` | `1.2.1` | | [k8s.io/api](https://github.com/kubernetes/api) | `0.36.1` | `0.36.2` | | [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` | Updates `github.com/go-openapi/runtime` from 0.32.3 to 0.32.4 - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](go-openapi/runtime@v0.32.3...v0.32.4) Updates `github.com/go-openapi/strfmt` from 0.26.3 to 0.26.4 - [Release notes](https://github.com/go-openapi/strfmt/releases) - [Commits](go-openapi/strfmt@v0.26.3...v0.26.4) Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.6...v0.21.7) Updates `github.com/sigstore/rekor` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](sigstore/rekor@v1.5.2...v1.5.3) Updates `github.com/sigstore/sigstore-go` from 1.2.0 to 1.2.1 - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](sigstore/sigstore-go@v1.2.0...v1.2.1) Updates `k8s.io/api` from 0.36.1 to 0.36.2 - [Commits](kubernetes/api@v0.36.1...v0.36.2) Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2 - [Commits](kubernetes/apimachinery@v0.36.1...v0.36.2) Updates `k8s.io/client-go` from 0.36.1 to 0.36.2 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.36.1...v0.36.2) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-version: 0.32.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/go-openapi/strfmt dependency-version: 0.26.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/rekor dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.2.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)
Can you help keep this open source service alive? 💖 Please sponsor : )