[pull] main from sigstore:main #44
Open
+6,314
−3,292
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, when --check-claims was set to false and a bundle in the new format was provided, we'd still try to check the in-toto subject digest and algorithm. These values weren't being set since they were conditioned on checking claims. Now, we skip digest verification if check-claims is false with a new bundle. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Also needed to bump grpc-gcp-go to fix an incompatibility with the latest googleapis library Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.243.0 to 0.244.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.243.0...v0.244.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.244.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…r v2 (#4319) * Refactor fetching an ID token into its own package This will allow these functions to be reused by other parts of the codebase, and eventually we can move these into an external package for use by other libraries. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> * Add support for SigningConfig for sign-blob/attest-blob Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> * Refactor identity token retrieval into its own method Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> * Disallow self-managed keys with a signing config temporarily Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
--------- Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...08c6903) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates: [actions/cache](https://github.com/actions/cache), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `actions/cache` from 4.2.3 to 4.2.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@5a3ec84...0400d5f) Updates `sigstore/sigstore-conformance` from 0.0.18 to 0.0.19 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](sigstore/sigstore-conformance@fd90e6b...a7ac671) Updates `chainguard-dev/actions` from 1.4.8 to 1.4.9 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@df684a7...b1933e3) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.4.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) from 1.1.1-0.20250801180901-37e45ae9c250 to 1.1.1. - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](https://github.com/sigstore/sigstore-go/commits/v1.1.1) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: cuelang.org/go, [github.com/buildkite/agent/v3](https://github.com/buildkite/agent), google.golang.org/protobuf and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils). Updates `cuelang.org/go` from 0.14.0 to 0.14.1 Updates `github.com/buildkite/agent/v3` from 3.103.0 to 3.103.1 - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.103.0...v3.103.1) Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7 Updates `sigs.k8s.io/release-utils` from 0.12.0 to 0.12.1 - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](kubernetes-sigs/release-utils@v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.103.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: google.golang.org/protobuf dependency-version: 1.36.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: sigs.k8s.io/release-utils dependency-version: 0.12.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.40.0 to 0.41.0. - [Commits](golang/crypto@v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4341) Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.5 to 4.1.2. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.0.5...v4.1.2) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fixes to cosign sign / verify for the new bundle format Signed-off-by: Zach Steindler <steiza@github.com> * Update function signature to pass crypto.PublicKey directly Signed-off-by: Zach Steindler <steiza@github.com> --------- Signed-off-by: Zach Steindler <steiza@github.com>
This supports signing and verification with Rekor v2 with a user-provided signing key. Timestamps will only be required for verifying Fulcio certificates. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
That way cosign verify-attestation can work in offline environments. Signed-off-by: Zach Steindler <steiza@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.246.0 to 0.247.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.246.0...v0.247.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.247.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.137.0 to 0.140.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.137.0...v0.140.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.140.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
One of the dependencies has hardcoded a specific version of go, which forces all clients to use that version of Go in their own modules. This is unnecessarily restrictive, rather libraries should specify the minimum Go version necessary to build, and consumers should use the latest patch release when building to pick up bug fixes. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.9 to 1.4.10 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@b1933e3...1df2b55) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles), [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go). Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.9 - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.9) Updates `k8s.io/api` from 0.33.3 to 0.33.4 - [Commits](kubernetes/api@v0.33.3...v0.33.4) Updates `k8s.io/apimachinery` from 0.33.3 to 0.33.4 - [Commits](kubernetes/apimachinery@v0.33.3...v0.33.4) Updates `k8s.io/client-go` from 0.33.3 to 0.33.4 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.33.3...v0.33.4) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles dependency-version: 0.1.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](go-viper/mapstructure@v2.3.0...v2.4.0) --- updated-dependencies: - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.4.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4365) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.98.2 to 3.103.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.98.2...v3.103.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.103.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fetch service URLs from the TUF PGI signing config by default This will also use sigstore-go's signing API by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Fetch service URLs from the TUF PGI signing config by default This will also use sigstore-go's signing API by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* update goreleaser config for v3.0.0 release Signed-off-by: Bob Callaway <bcallaway@google.com> * specify signature Signed-off-by: Bob Callaway <bcallaway@google.com> --------- Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
The rekor-tiles package is starting at version 2.0. There are no interface changes with this version change. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps the gomod group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose). Updates `github.com/go-jose/go-jose/v4` from 4.1.2 to 4.1.3 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.1.2...v4.1.3) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4448) * choose different signature filename for keyless release signatures Signed-off-by: Bob Callaway <bcallaway@google.com> * switch, rename the kms-signed objects Signed-off-by: Bob Callaway <bcallaway@google.com> * update README Signed-off-by: Bob Callaway <bcallaway@google.com> * update README Signed-off-by: Bob Callaway <bcallaway@google.com> --------- Signed-off-by: Bob Callaway <bcallaway@google.com>
Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.107.2 to 3.108.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.107.2...v3.108.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.108.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `chainguard-dev/actions` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@8e97c1f...6f4f4de) Updates `cpanato/vault-installer` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/cpanato/vault-installer/releases) - [Commits](cpanato/vault-installer@e7c1d66...f7e2ad9) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: cpanato/vault-installer dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.148.1 to 0.151.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.148.1...v0.151.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.151.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.250.0 to 0.251.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.250.0...v0.251.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.251.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* Update changelog for v3.0.2 Signed-off-by: Hayden <haydentherapper@users.noreply.github.com> * Update CHANGELOG.md Signed-off-by: Hayden <haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
When calling cosign initialize, the client will cache the trusted root file if available. This PR adds support for caching the signing config as well. The public-good instance's TUF repo includes this file. Private deployments likely don't use this file, so like with the trusted root, Cosign will print a warning rather than fail initialization. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Deduplicate key/token handling in sign commands Move the nearly identical code for parsing key options and creating a key pair and token out of attest, attest-blob, sign, and sign-blob, and into a common helper package. Move functions that had been shared out of sign.go into the helper package too so that other commands do not have to import the sign command package. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate signer-verifier creation Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate timestamp retrieval Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate rekor upload Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate bundle compilation Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move OCI parsing function to signcommon Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Make flag compatibility checking consistent Move flag checks when --new-bundle-format is used to a common helper module and have all four verify commands use it. Remove redundant flag checker code. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Remove duplicate certs setting RootCerts and IntermediateCerts are already set on CheckOpts during loadCertsKeylessVerification. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move loading key to common Move the setting of SigVerifier based on the key ref, key slot, or cert and cert chain, to the common file. For verifying blobs and blob attestations with a certificate instead of a key, we return the cert which is used directly in the options list for verification. For images, the cert and cert chain must be validated and then unpacked into the SigVerifier, where the cosign Verify* functions check its validity by extracting it from the verifier. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate TUF v1 fetch and rekor client setup Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Deduplicate trusted material setting Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move common functions to common.go Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
The offline flag is misleading and is a no-op with the new Cosign v3 defaults. The flag's purpose was to prevent a client from falling back to verifying an artifact's inclusion in Rekor when a proof failed to verify. Most users thought offline verification forced the client to not make any network requests - a very reasonable assumption, but with TUF, network requests are a part of verification if the local TUF metadata has expired. I've updated the README as well, though we need to make a far more comprehensive pass over the documentation since it's out of date given our new trusted-root/bundle flags. Fixes #4454 Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [mikefarah/yq](https://github.com/mikefarah/yq). Updates `chainguard-dev/actions` from 1.5.3 to 1.5.4 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@6f4f4de...7b18ea9) Updates `mikefarah/yq` from 4.47.2 to 4.48.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](mikefarah/yq@6251e95...0ecdce2) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-version: 4.48.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Remove any mention of the `--out` flag from the `cosign initialize` command, since it's no longer used. Signed-off-by: Alex Pyrgiotis <apyrgio@gmail.com>
Ensure COSIGN_REPOSITORY environment variable is respected both for the legacy attachment format and the new bundle format. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
* Ensure attestations are set --------- Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
--- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.42.0 to 0.43.0. - [Commits](golang/crypto@v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.0.0-rc2 to 2.0.0. - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](sigstore/rekor-tiles@v2.0.0-rc2...v2.0.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.5.4 to 1.5.7 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@7b18ea9...1b32103) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With this change, cosign sign can be run only once when an image has multiple pull references. Closes #4330 Signed-off-by: Emily Zheng <yuzheng@redhat.com>
Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
* Add protobuf bundle support for tree subcommand --------- Signed-off-by: Zach Steindler <steiza@github.com>
….1 (#4483) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.108.0 to 3.109.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.108.0...v3.109.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.109.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
12 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)
Can you help keep this open source service alive? 💖 Please sponsor : )