Fulcio bump #309
Merged
Fulcio bump #309
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.235.0 to 0.236.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.235.0...v0.236.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.236.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update the URL for downloading Sigstore root key from the old path to the new path in the root-signing repository. This ensures users can obtain the correct root key for verification. Signed-off-by: qingliu <[email protected]>
Signed-off-by: Emmanuel Ferdman <[email protected]>
Signed-off-by: Carlos Panato <[email protected]>
* Bump the all group with 3 updates Bumps the all group with 3 updates: [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf), [ossf/scorecard-action](https://github.com/ossf/scorecard-action) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `protocolbuffers/protobuf` from 31.0 to 31.1 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl) - [Commits](protocolbuffers/protobuf@v31.0...v31.1) Updates `ossf/scorecard-action` from 2.4.1 to 2.4.2 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@f49aabe...05b42c6) Updates `chainguard-dev/actions` from 1.1.1 to 1.1.2 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@ce51233...5363dd9) --- updated-dependencies: - dependency-name: protocolbuffers/protobuf dependency-version: '31.1' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: ossf/scorecard-action dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: chainguard-dev/actions dependency-version: 1.1.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> * Update main.yml Signed-off-by: Carlos Tadeu Panato Junior <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Carlos Tadeu Panato Junior <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.236.0 to 0.237.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.236.0...v0.237.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.237.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `db5d0af` to `10c1318`. --- updated-dependencies: - dependency-name: golang dependency-version: 1.24.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 9 updates: | Package | From | To | | --- | --- | --- | | [chainguard.dev/go-grpc-kit](https://github.com/chainguard-dev/go-grpc-kit) | `0.17.10` | `0.17.11` | | [github.com/google/certificate-transparency-go](https://github.com/google/certificate-transparency-go) | `1.3.1` | `1.3.2` | | [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs) | `0.4.2` | `0.4.3` | | [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.9.4` | `1.9.5` | | [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.9.4` | `1.9.5` | | [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.9.4` | `1.9.5` | | [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.9.4` | `1.9.5` | | [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.9.4` | `1.9.5` | | [google.golang.org/genproto/googleapis/api](https://github.com/googleapis/go-genproto) | `0.0.0-20250505200425-f936aa4a68b2` | `0.0.0-20250519155744-55703ea1f237` | Updates `chainguard.dev/go-grpc-kit` from 0.17.10 to 0.17.11 - [Release notes](https://github.com/chainguard-dev/go-grpc-kit/releases) - [Commits](chainguard-dev/go-grpc-kit@v0.17.10...v0.17.11) Updates `github.com/google/certificate-transparency-go` from 1.3.1 to 1.3.2 - [Release notes](https://github.com/google/certificate-transparency-go/releases) - [Changelog](https://github.com/google/certificate-transparency-go/blob/master/CHANGELOG.md) - [Commits](google/certificate-transparency-go@v1.3.1...v1.3.2) Updates `github.com/sigstore/protobuf-specs` from 0.4.2 to 0.4.3 - [Release notes](https://github.com/sigstore/protobuf-specs/releases) - [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md) - [Commits](sigstore/protobuf-specs@v0.4.2...v0.4.3) Updates `github.com/sigstore/sigstore` from 1.9.4 to 1.9.5 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.9.4...v1.9.5) Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.9.4 to 1.9.5 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.9.4...v1.9.5) Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.9.4 to 1.9.5 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.9.4...v1.9.5) Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.9.4 to 1.9.5 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.9.4...v1.9.5) Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.9.4 to 1.9.5 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.9.4...v1.9.5) Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20250505200425-f936aa4a68b2 to 0.0.0-20250519155744-55703ea1f237 - [Commits](https://github.com/googleapis/go-genproto/commits) --- updated-dependencies: - dependency-name: chainguard.dev/go-grpc-kit dependency-version: 0.17.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/google/certificate-transparency-go dependency-version: 1.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/protobuf-specs dependency-version: 0.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore dependency-version: 1.9.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-version: 1.9.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-version: 1.9.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-version: 1.9.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-version: 1.9.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: google.golang.org/genproto/googleapis/api dependency-version: 0.0.0-20250519155744-55703ea1f237 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Priya Wadhwa <[email protected]>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.237.0 to 0.238.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.237.0...v0.238.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.238.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.66.0 to 0.67.0. - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](smallstep/crypto@v0.66.0...v0.67.0) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-version: 0.67.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.64.0 to 0.65.0. - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md) - [Commits](prometheus/common@v0.64.0...v0.65.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-version: 0.65.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <[email protected]>
…store#2085) Bumps the go_modules group with 1 update: [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure). Updates `github.com/go-viper/mapstructure/v2` from 2.2.1 to 2.3.0 - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](go-viper/mapstructure@v2.2.1...v2.3.0) --- updated-dependencies: - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.3.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…sigstore#2091) Bumps sigstore/scaffolding/trillian_log_server from v0.7.23 to v0.7.24. --- updated-dependencies: - dependency-name: sigstore/scaffolding/trillian_log_server dependency-version: v1.7.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.238.0 to 0.239.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.238.0...v0.239.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.239.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 2 updates: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) and [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway). Updates `github.com/go-jose/go-jose/v4` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md) - [Commits](go-jose/go-jose@v4.1.0...v4.1.1) Updates `github.com/grpc-ecosystem/grpc-gateway/v2` from 2.27.0 to 2.27.1 - [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases) - [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml) - [Commits](grpc-ecosystem/grpc-gateway@v2.27.0...v2.27.1) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2 dependency-version: 2.27.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…sigstore#2090) Bumps sigstore/scaffolding/trillian_log_signer from v0.7.23 to v0.7.24. --- updated-dependencies: - dependency-name: sigstore/scaffolding/trillian_log_signer dependency-version: v1.7.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps the all group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `sigstore/cosign-installer` from 3.9.0 to 3.9.1 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@fb28c2b...398d4b0) Updates `chainguard-dev/actions` from 1.4.2 to 1.4.3 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@4f7ad4f...16e2fd6) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 3.9.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: chainguard-dev/actions dependency-version: 1.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 2 updates: golang and sigstore/scaffolding/ct_server. Updates `golang` from 1.24.3 to 1.24.4 Updates `sigstore/scaffolding/ct_server` from v0.7.23 to v0.7.24 --- updated-dependencies: - dependency-name: golang dependency-version: 1.24.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: sigstore/scaffolding/ct_server dependency-version: v0.7.24 dependency-type: direct:production dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…store#2092) Bumps the all group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.3 to 1.4.4 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@16e2fd6...a643ade) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <[email protected]>
* add required information for onboarding circleci into fulcio sigstore#591 Signed-off-by: meeech <[email protected]> * add SAN that copies what gha is doing Signed-off-by: meeech <[email protected]> * add some logic to runner_environment Signed-off-by: meeech <[email protected]> * adjust how we handle template fragments to account for keys with special characters Signed-off-by: meeech <[email protected]> * add a test for claim key with . and / in it Signed-off-by: meeech <[email protected]> * remove unneeded default claim value Signed-off-by: meeech <[email protected]> --------- Signed-off-by: meeech <[email protected]>
Signed-off-by: meeech <[email protected]>
…#2216) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.44.0 to 0.45.0. - [Commits](golang/crypto@v0.44.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Add a simple workflow that stands up the docker compose services and uses cosign to sign and verify using the local services. Signed-off-by: Colleen Murphy <[email protected]>
…ssuer (sigstore#2220) Fixes sigstore#2219 Some enterprise identity providers like Microsoft Entra (Azure AD) and ADFS don't include the email_verified claim in their OIDC tokens because email verification happens through their centralized identity management processes rather than during OIDC token issuance. This caused Fulcio to reject valid tokens from these providers, impacting some enterprise deployments. Added a new optional SkipEmailVerification boolean field to the OIDCIssuer configuration struct. When set to true for a specific issuer, Fulcio will skip the email_verified claim check during principal creation while still validating email format and embedding it in the certificate. This approach maintains security by default (the field defaults to false) while allowing operators to explicitly opt-in for trusted internal identity providers. The implementation moves the issuer configuration lookup earlier in PrincipalFromIDToken so we can access the SkipEmailVerification flag before checking email_verified. For meta-issuers with wildcard patterns, the flag is propagated when constructing concrete issuer configurations. Added tests coverage for scenarios for tokens with missing email_verified claims, explicit false values, and true values when skip is enabled. Updated config parsing tests to verify the new field can be read from both YAML and JSON configurations. Signed-off-by: Morgan Jones <[email protected]>
Signed-off-by: Colleen Murphy <[email protected]>
Bumps golang from `e68f6a0` to `6981837`. --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@08c6903...1af3b93) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 4 updates: [actions/setup-go](https://github.com/actions/setup-go), [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf), [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action). Updates `actions/setup-go` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4469467...4dc6199) Updates `protocolbuffers/protobuf` from 33.0 to 33.1 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl) - [Commits](protocolbuffers/protobuf@v33.0...v33.1) Updates `chainguard-dev/actions` from 1.5.8 to 1.5.10 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@abcc11e...3e8a2a2) Updates `golangci/golangci-lint-action` from 9.0.0 to 9.1.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@0a35821...e7fa5ac) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: protocolbuffers/protobuf dependency-version: '33.1' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: chainguard-dev/actions dependency-version: 1.5.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: golangci/golangci-lint-action dependency-version: 9.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2232) Bumps the all group with 4 updates in the / directory: [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk), [github.com/prometheus/common](https://github.com/prometheus/common), [github.com/spf13/cobra](https://github.com/spf13/cobra) and [go.uber.org/zap](https://github.com/uber-go/zap). Updates `chainguard.dev/sdk` from 0.1.43 to 0.1.44 - [Release notes](https://github.com/chainguard-dev/sdk/releases) - [Commits](chainguard-dev/sdk@v0.1.43...v0.1.44) Updates `github.com/prometheus/common` from 0.67.2 to 0.67.4 - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/CHANGELOG.md) - [Commits](prometheus/common@v0.67.2...v0.67.4) Updates `github.com/spf13/cobra` from 1.10.1 to 1.10.2 - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.10.1...v1.10.2) Updates `go.uber.org/zap` from 1.27.0 to 1.27.1 - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](uber-go/zap@v1.27.0...v1.27.1) Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20250929231259-57b25ae835d4 to 0.0.0-20251022142026-3a174f9686a8 - [Commits](https://github.com/googleapis/go-genproto/commits) Updates `google.golang.org/grpc` from 1.76.0 to 1.77.0 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.76.0...v1.77.0) --- updated-dependencies: - dependency-name: chainguard.dev/sdk dependency-version: 0.1.44 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/prometheus/common dependency-version: 0.67.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/spf13/cobra dependency-version: 1.10.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: go.uber.org/zap dependency-version: 1.27.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: google.golang.org/genproto/googleapis/api dependency-version: 0.0.0-20251022142026-3a174f9686a8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: google.golang.org/grpc dependency-version: 1.77.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#2225) Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.16.0 to 3.17.0. - [Release notes](https://github.com/coreos/go-oidc/releases) - [Commits](coreos/go-oidc@v3.16.0...v3.17.0) --- updated-dependencies: - dependency-name: github.com/coreos/go-oidc/v3 dependency-version: 3.17.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixes: GHSA-f83f-xpx7-ffpw Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Carlos Panato <[email protected]>
Signed-off-by: mitchell <[email protected]>
Bumps golang from `20b91ed` to `a22b2e6`. --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 8 updates: | Package | From | To | | --- | --- | --- | | [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk) | `0.1.44` | `0.1.45` | | [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.10.0` | `1.10.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.10.0` | `1.10.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.10.0` | `1.10.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.10.0` | `1.10.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.10.0` | `1.10.3` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.256.0` | `0.257.0` | | google.golang.org/protobuf | `1.36.10` | `1.36.11` | Updates `chainguard.dev/sdk` from 0.1.44 to 0.1.45 - [Release notes](https://github.com/chainguard-dev/sdk/releases) - [Commits](chainguard-dev/sdk@v0.1.44...v0.1.45) Updates `github.com/sigstore/sigstore` from 1.10.0 to 1.10.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.10.0...v1.10.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.10.0 to 1.10.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.10.0...v1.10.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.10.0 to 1.10.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.10.0...v1.10.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.10.0 to 1.10.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.10.0...v1.10.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.10.0 to 1.10.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.10.0...v1.10.3) Updates `google.golang.org/api` from 0.256.0 to 0.257.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.256.0...v0.257.0) Updates `google.golang.org/protobuf` from 1.36.10 to 1.36.11 --- updated-dependencies: - dependency-name: chainguard.dev/sdk dependency-version: 0.1.45 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore dependency-version: 1.10.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-version: 1.10.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-version: 1.10.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-version: 1.10.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-version: 1.10.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: google.golang.org/api dependency-version: 0.257.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: google.golang.org/protobuf dependency-version: 1.36.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2247) Bumps the all group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [codecov/codecov-action](https://github.com/codecov/codecov-action), [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action). Updates `actions/checkout` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1af3b93...8e8c483) Updates `codecov/codecov-action` from 5.5.1 to 5.5.2 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@5a10915...671740a) Updates `protocolbuffers/protobuf` from 33.1 to 33.2 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](protocolbuffers/protobuf@v33.1...v33.2) Updates `golangci/golangci-lint-action` from 9.1.0 to 9.2.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@e7fa5ac...1e7e51e) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: codecov/codecov-action dependency-version: 5.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: protocolbuffers/protobuf dependency-version: '33.2' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: golangci/golangci-lint-action dependency-version: 9.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.74.0 to 0.75.0. - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](smallstep/crypto@v0.74.0...v0.75.0) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-version: 0.75.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps goa.design/goa/v3 from 3.22.6 to 3.23.4. --- updated-dependencies: - dependency-name: goa.design/goa/v3 dependency-version: 3.23.4 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (sigstore#2246) Bumps [github.com/tink-crypto/tink-go/v2](https://github.com/tink-crypto/tink-go) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/tink-crypto/tink-go/releases) - [Commits](tink-crypto/tink-go@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/tink-crypto/tink-go/v2 dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Member
Author
|
/retest |
1 similar comment
Member
Author
|
/retest |
Signed-off-by: SequeI <[email protected]>
JasonPowr
approved these changes
Jan 8, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
17 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bump to 1.8.4 upstream, due to certain fixes and bugs. SECURESIGN-3443