[pull] main from sigstore:main#44
Open
pull[bot] wants to merge 299 commits into
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d35c59a...4469467) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.16.0 to 0.17.0. - [Commits](golang/sync@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.17.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4390) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.103.1 to 3.104.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.103.1...v3.104.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.104.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 8.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@60a0d83...ed59741) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 4 updates: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance), [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `sigstore/sigstore-conformance` from 0.0.19 to 0.0.20
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@a7ac671...1d8b0cd)

Updates `chainguard-dev/actions` from 1.4.13 to 1.4.14
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@3caedd3...f632aec)

Updates `mikefarah/yq` from 4.47.1 to 4.47.2
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@f03c9dc...6251e95)

Updates `codecov/codecov-action` from 5.5.0 to 5.5.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@fdcc847...5a10915)

---
updated-dependencies:
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.47.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.34.0 to 0.35.0. - [Commits](golang/term@v0.34.0...v0.35.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.142.6 to 0.143.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.6...v0.143.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.143.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.30.0 to 0.31.0. - [Commits](golang/oauth2@v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.31.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.42.0. - [Commits](golang/crypto@v0.41.0...v0.42.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.42.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump sigstore-go, support alternative hash algorithms with keys

  sigstore-go now handles non-ECDSA-P-256 signatures with Rekor v2. To support verification, we also need a way to provide alternative hash algorithms to the default SHA-256. cosign verify already had a flag for this, so I added the flag to all verify commands. In the future, when we are only processing bundles, we can look up the default hash algorithm given the key.

  Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* lint fmt

  Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* Drop support for Fulcio with ed25519ph key

  We've chosen to not support this in sigstore-go, so we'll also remove this from Cosign. This is a niche edge case where a user provides an ed25519 key or algorithm and requests a cert and logs it to Rekor. We'll revisit this if there's demand or when we support the prehash variant in Fulcio.

  Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

---------

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
…4401) Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.10` | `0.1.11` |
| [github.com/sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority) | `1.2.8` | `1.2.9` |
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `0.143.1` | `0.143.3` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.34.0` | `0.34.1` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.34.0` | `0.34.1` |

Updates `github.com/sigstore/rekor-tiles` from 0.1.10 to 0.1.11
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](sigstore/rekor-tiles@v0.1.10...v0.1.11)

Updates `github.com/sigstore/timestamp-authority` from 1.2.8 to 1.2.9
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v1.2.8...v1.2.9)

Updates `github.com/spf13/pflag` from 1.0.9 to 1.0.10
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.9...v1.0.10)

Updates `gitlab.com/gitlab-org/api/client-go` from 0.143.1 to 0.143.3
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.143.1...v0.143.3)

Updates `google.golang.org/protobuf` from 1.36.8 to 1.36.9

Updates `k8s.io/api` from 0.34.0 to 0.34.1
- [Commits](kubernetes/api@v0.34.0...v0.34.1)

Updates `k8s.io/apimachinery` from 0.34.0 to 0.34.1
- [Commits](kubernetes/apimachinery@v0.34.0...v0.34.1)

Updates `k8s.io/client-go` from 0.34.0 to 0.34.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.34.0...v0.34.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor-tiles
  dependency-version: 0.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/timestamp-authority
  dependency-version: 1.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.143.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Recording signatures to Rekor v2 can take up to 10 seconds. We want to avoid someone killing the process while waiting for a response from Rekor, otherwise the user will have to re-sign the artifact. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
A signing config is a source of truth for the service URLs. We will disallow specifying multiple sources of truth for service URLs if the default values are overridden. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Default to using the new protobuf format

---------

Signed-off-by: Zach Steindler <steiza@github.com>
….0 (#4411) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.104.0 to 3.105.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.104.0...v3.105.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.105.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.143.3 to 0.144.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.143.3...v0.144.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.144.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `sigstore/cosign-installer` from 3.9.2 to 3.10.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@d58896d...d7543c9) Updates `chainguard-dev/actions` from 1.4.14 to 1.4.15 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@f632aec...cd899cc) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 3.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.4.15 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.20.1 to 1.21.0. - [Release notes](https://github.com/spf13/viper/releases) - [Commits](spf13/viper@v1.20.1...v1.21.0) --- updated-dependencies: - dependency-name: github.com/spf13/viper dependency-version: 1.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump sigstore-go for more precise user agents

  Ref #4406

  Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* go mod tidy

  Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

---------

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.15 to 1.5.1 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@cd899cc...de56c27) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4420) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.105.0 to 3.107.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.105.0...v3.107.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.107.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml) - [Commits](theupdateframework/go-tuf@v2.1.1...v2.2.0) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.144.1 to 0.147.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.144.1...v0.147.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.147.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…bundles (#4416)

* Implement container image context in verify command
* Use conformance on main for now (waiting for new release)

---------

Signed-off-by: Zach Steindler <steiza@github.com>
Picks up a change to user agents when signing with sigstore-go Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
0.0.21 updates the signing config, making the tests work against staging again. Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
…4854) Signed-off-by: Eric Pickard <piceri@github.com>
…#4869) In WriteSignedImageIndexImages, os.Open is called inside a loop to parse each blob manifest, but the returned file descriptor is never closed. This leaks one fd per iteration—on every continue (parse error or nil Subject) and on the normal path alike. Close fd immediately after v1.ParseManifest since the parsed manifest is the only value needed from the file. A plain Close() rather than defer is used because defer inside a loop would accumulate closers until the function returns, defeating the purpose. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
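The three handle lifetimes discussed in this commit message, as an added example that is not cosign's code: a constructed in-memory `tracker` stands in for the OS file table, `openBlob` for `os.Open` and `parseManifest` for `v1.ParseManifest`, so the peak number of simultaneously open handles can be measured for the leaking loop, for `defer` inside the loop, and for closing right after parsing.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// tracker counts handles currently open and the peak open at once. It is a
// constructed stand-in for the OS file table, so no real files are needed.
type tracker struct {
	open, peak int
}

// handle stands in for *os.File: readable and closable.
type handle struct {
	io.Reader
	t *tracker
}

func (h *handle) Close() error { h.t.open--; return nil }

// openBlob stands in for os.Open on one blob manifest file.
func (t *tracker) openBlob(name string) *handle {
	t.open++
	if t.open > t.peak {
		t.peak = t.open
	}
	return &handle{Reader: strings.NewReader("manifest:" + name), t: t}
}

// parseManifest stands in for v1.ParseManifest: it consumes the reader and
// fails for names prefixed "bad-", which exercises the continue path.
func parseManifest(name string, r io.Reader) (string, error) {
	b, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	if strings.HasPrefix(name, "bad-") {
		return "", fmt.Errorf("parse %s: malformed manifest", name)
	}
	return string(b), nil
}

// neverClose reproduces the defect: nothing closes the handle, so every
// iteration, error path included, leaks one fd for the life of the process.
func neverClose(t *tracker, names []string) []string {
	var out []string
	for _, n := range names {
		h := t.openBlob(n)
		m, err := parseManifest(n, h)
		if err != nil {
			continue
		}
		out = append(out, m)
	}
	return out
}

// deferInLoop is the tempting but wrong fix: deferred closers run only when
// the function returns, so all handles stay open until the loop is finished.
func deferInLoop(t *tracker, names []string) []string {
	var out []string
	for _, n := range names {
		h := t.openBlob(n)
		defer h.Close()
		m, err := parseManifest(n, h)
		if err != nil {
			continue
		}
		out = append(out, m)
	}
	return out
}

// closeAfterParse is the pattern the commit adopts: close as soon as the
// parsed value is in hand, before any continue, so at most one fd is open.
func closeAfterParse(t *tracker, names []string) []string {
	var out []string
	for _, n := range names {
		h := t.openBlob(n)
		m, err := parseManifest(n, h)
		h.Close()
		if err != nil {
			continue
		}
		out = append(out, m)
	}
	return out
}

func main() {
	t := &tracker{}
	parsed := closeAfterParse(t, []string{"a", "bad-b", "c", "d"})
	fmt.Printf("parsed=%d peak_open=%d still_open=%d\n", len(parsed), t.peak, t.open)
}
```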
The GitHub Actions OIDC token provider uses Header.Add inside a retry loop. On each retry iteration, an additional Authorization header is appended to the request. By the third attempt, three identical headers are sent. Some servers and proxies reject requests with duplicate Authorization headers, causing retries to fail when they should succeed. Replace Header.Add with Header.Set so only one Authorization header is ever present, regardless of how many retries occur. Add a test that forces two retries via connection hijack and asserts exactly one Authorization header is received on every attempt. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
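A stand-alone reproduction of the header accumulation, added here and not taken from cosign: `tokenEndpoint` is a constructed stand-in for the OIDC token service that fails twice with a transient error and, like the strict servers mentioned above, rejects any request carrying more than one Authorization header; `fetchToken` runs the same retry loop with either `Header.Add` or `Header.Set`, and the token value and URL are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// tokenEndpoint is a constructed stand-in for the token service. The first two
// calls fail with a transient error; every call rejects duplicate
// Authorization headers, as a strict server or proxy would.
type tokenEndpoint struct {
	calls int
}

func (s *tokenEndpoint) send(r *http.Request) (int, error) {
	s.calls++
	if n := len(r.Header.Values("Authorization")); n != 1 {
		return http.StatusBadRequest, nil // duplicate (or missing) header: rejected
	}
	if s.calls < 3 {
		return 0, errors.New("connection reset by peer") // transient failure
	}
	return http.StatusOK, nil
}

// fetchToken retries the request up to maxAttempts times. With useSet=false it
// reproduces the defect (Header.Add inside the loop); with useSet=true it
// applies the fix (Header.Set). It returns the number of Authorization headers
// present on each attempt and the final status, or an error if every attempt
// failed.
func fetchToken(useSet bool, maxAttempts int, srv *tokenEndpoint) ([]int, int, error) {
	req, err := http.NewRequest(http.MethodGet, "https://oidc.example.invalid/token", nil)
	if err != nil {
		return nil, 0, err
	}
	const auth = "bearer constructed-request-token"
	var seen []int
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if useSet {
			req.Header.Set("Authorization", auth) // replaces any earlier value
		} else {
			req.Header.Add("Authorization", auth) // appends one more copy
		}
		seen = append(seen, len(req.Header.Values("Authorization")))
		status, err := srv.send(req)
		if err != nil || status != http.StatusOK {
			continue // transient failure or rejection: retry
		}
		return seen, status, nil
	}
	return seen, 0, fmt.Errorf("no token after %d attempts", maxAttempts)
}

func main() {
	for _, useSet := range []bool{false, true} {
		seen, status, err := fetchToken(useSet, 3, &tokenEndpoint{})
		fmt.Printf("useSet=%v headers per attempt=%v status=%d err=%v\n", useSet, seen, status, err)
	}
}
```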
Allows populating the signing configuration using default values from the Sigstore TUF root, specifically fetching from the target `signing_config_rekor_v2.v0.2.json` to support Rekor v2 services. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…#4864) Bumps the actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.1` | `4.1.2` |
| [docker/login-action](https://github.com/docker/login-action) | `4.0.0` | `4.1.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.6.11` | `1.6.19` |
| [mikefarah/yq](https://github.com/mikefarah/yq) | `4.52.5` | `4.53.2` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@b45d80f...4907a6d)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

Updates `chainguard-dev/actions` from 1.6.11 to 1.6.19
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@8bb24c2...c69a264)

Updates `mikefarah/yq` from 4.52.5 to 4.53.2
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@0f4fb8d...751d8ad)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.53.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/in-toto/in-toto-golang/releases) - [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md) - [Commits](in-toto/in-toto-golang@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: github.com/in-toto/in-toto-golang dependency-version: 0.11.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@671740a...57e3a13) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang from 1.25.6 to 1.25.7 in the all group

  Bumps the all group with 1 update: golang.

  Updates `golang` from 1.25.6 to 1.25.7

  ---
  updated-dependencies:
  - dependency-name: golang
    dependency-version: 1.25.7
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* Fix linter failures for golang update

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Colleen Murphy <colleenmurphy@google.com>
…4798) Bumps [github.com/in-toto/attestation](https://github.com/in-toto/attestation) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/in-toto/attestation/releases) - [Commits](in-toto/attestation@v1.1.2...v1.2.0) --- updated-dependencies: - dependency-name: github.com/in-toto/attestation dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [github.com/go-piv/piv-go/v2](https://github.com/go-piv/piv-go) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/go-piv/piv-go/releases) - [Commits](go-piv/piv-go@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/go-piv/piv-go/v2 dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…6.2 (#4862) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.14.1 to 1.16.2. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.14.1...v1.16.2) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.16.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The HTTP status code checks in PutSecret use && instead of ||:
if statusCode < 200 && statusCode >= 300 {
This condition is always false (no integer is simultaneously less
than 200 and greater than or equal to 300), so non-2xx HTTP errors
are silently ignored. Fix all four checks to use || so that error
responses from the GitHub API are properly detected and reported.
The GitLab provider (pkg/cosign/git/gitlab/gitlab.go) already uses
the correct || operator for the same check.
Introduced in PR #848 (5302c87, 2021-10-12).
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
If no TSA chain in the trust root can verify a signed timestamp, then a crash would occur when Cosign tries to read one of the verified timestamps. We now throw an error if no timestamp was verified. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
--------- Signed-off-by: Eric Pickard <piceri@github.com>
--------- Signed-off-by: Andrew Womeldorf <andrew.womeldorf@gmail.com> Signed-off-by: Andrew Womeldorf <git@andrew.wom.icu>
LoadFileOrURL silently returns the response body for non-2xx HTTP responses. When a URL returns 404 or 500, the HTML error page is passed to callers as valid key/signature/certificate data, producing confusing parse errors downstream. Add a status code check that returns a clear error for non-2xx responses. The body is closed before returning to avoid leaking the HTTP connection. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
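An added example (not cosign's own code) covering both this LoadFileOrURL fix and the `&&`/`||` status-check bug in PutSecret described above: `isErrorStatusBuggy` and `isErrorStatus` are the two conditions side by side, and `loadURL` applies the corrected check over a constructed `http.RoundTripper` so no network is needed; the URL host, paths and PEM-looking body are made up.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// isErrorStatusBuggy reproduces the defect: no integer is both below 200 and
// at or above 300, so the condition is never true and every status passes.
func isErrorStatusBuggy(code int) bool {
	return code < 200 && code >= 300
}

// isErrorStatus is the corrected check: anything outside 2xx is an error.
func isErrorStatus(code int) bool {
	return code < 200 || code >= 300
}

// fakeTransport answers requests with constructed responses so the example
// runs offline: paths ending in "/missing.pub" get a 404 HTML page, everything
// else gets a PEM-looking body.
type fakeTransport struct{}

func (fakeTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	status := http.StatusOK
	body := "-----BEGIN PUBLIC KEY-----\nconstructed-sample\n-----END PUBLIC KEY-----\n"
	if strings.HasSuffix(r.URL.Path, "/missing.pub") {
		status = http.StatusNotFound
		body = "<html><body><h1>404 Not Found</h1></body></html>"
	}
	return &http.Response{
		StatusCode: status,
		Status:     fmt.Sprintf("%d %s", status, http.StatusText(status)),
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader(body)),
		Request:    r,
	}, nil
}

// loadURL mirrors the fix described for LoadFileOrURL: a non-2xx response is
// reported as a clear error (and its body closed on return) instead of being
// handed to the caller as if it were key, signature or certificate data.
func loadURL(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if isErrorStatus(resp.StatusCode) {
		return nil, fmt.Errorf("fetching %s: unexpected HTTP status %q", url, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// loadURLBuggy is the pre-fix behaviour for comparison: the 404 page comes
// back as "valid" data and only fails later, in the PEM or certificate parser.
func loadURLBuggy(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

func main() {
	client := &http.Client{Transport: fakeTransport{}}
	for _, u := range []string{"https://keys.example.invalid/cosign.pub", "https://keys.example.invalid/missing.pub"} {
		data, err := loadURL(client, u)
		fmt.Printf("%s -> %d bytes, err=%v\n", u, len(data), err)
	}
}
```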
evaluateRegoEvalMapResult asserts each element in the Rego response
array as map[string]interface{} without an ok check. If a policy
returns a non-map value in the array, cosign panics instead of
returning a policy evaluation error.
Add an ok check and return a descriptive error on type mismatch.
The bug was introduced in b2cea0c (2022-12-28).
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
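Added example, not cosign's code, of the assertion this commit fixes: `evaluateUnchecked` uses the single-value assertion and `evaluateChecked` the comma-ok form over constructed Rego-style results decoded from JSON; extracting a `msg` string from each object is a hypothetical stand-in for what `evaluateRegoEvalMapResult` actually does, and `run` recovers the panic only so the two variants can be compared.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// evaluateUnchecked reproduces the defect: the single-value type assertion
// panics when an array element is not an object. (Collecting a "msg" string
// from each object is a hypothetical stand-in for the real evaluator's work.)
func evaluateUnchecked(results []interface{}) ([]string, error) {
	var msgs []string
	for _, r := range results {
		m := r.(map[string]interface{}) // panics on a string, number, bool or nil element
		if msg, ok := m["msg"].(string); ok {
			msgs = append(msgs, msg)
		}
	}
	return msgs, nil
}

// evaluateChecked is the fixed form: the comma-ok assertion turns a mismatch
// into a policy evaluation error naming the offending index and Go type.
func evaluateChecked(results []interface{}) ([]string, error) {
	var msgs []string
	for i, r := range results {
		m, ok := r.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("policy result[%d]: expected an object, got %T", i, r)
		}
		if msg, ok := m["msg"].(string); ok {
			msgs = append(msgs, msg)
		}
	}
	return msgs, nil
}

// decodeResults parses a JSON array the way a Rego query result arrives after
// generic decoding: objects become map[string]interface{}, scalars stay scalars.
func decodeResults(raw string) ([]interface{}, error) {
	var results []interface{}
	if err := json.Unmarshal([]byte(raw), &results); err != nil {
		return nil, err
	}
	return results, nil
}

// run calls an evaluator and reports whether it panicked, so the two variants
// can be compared side by side. The real code has no such recovery: it crashes.
func run(eval func([]interface{}) ([]string, error), results []interface{}) (msgs []string, panicked bool, err error) {
	defer func() {
		if p := recover(); p != nil {
			panicked = true
			err = fmt.Errorf("panic: %v", p)
		}
	}()
	msgs, err = eval(results)
	return msgs, panicked, err
}

// Constructed sample outputs: a well-formed deny list, and one where the
// policy returned a bare string and a number alongside the objects.
const (
	wellFormed = `[{"msg":"image is not signed"},{"msg":"missing SBOM attestation"}]`
	malformed  = `[{"msg":"image is not signed"},"deny",42]`
)

func main() {
	results, err := decodeResults(malformed)
	if err != nil {
		panic(err)
	}
	_, panicked, err := run(evaluateUnchecked, results)
	fmt.Printf("unchecked: panicked=%v err=%v\n", panicked, err)
	_, panicked, err = run(evaluateChecked, results)
	fmt.Printf("checked:   panicked=%v err=%v\n", panicked, err)
}
```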
….0 (#4861) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.118.0 to 3.127.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Commits](buildkite/agent@v3.118.0...v3.127.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.126.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.35.3 to 0.36.1. - [Commits](kubernetes/apimachinery@v0.35.3...v0.36.1) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@ed59741...3a2844b) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 4 updates: [docker/login-action](https://github.com/docker/login-action), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance), [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `docker/login-action` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@4907a6d...650006c)

Updates `sigstore/sigstore-conformance` from 0.0.27 to 0.0.28
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@4d66ba3...e2cc8e5)

Updates `golangci/golangci-lint-action` from 9.2.0 to 9.2.1
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@1e7e51e...82606bf)

Updates `codecov/codecov-action` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@57e3a13...e79a696)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.8.0 to 5.9.2. - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.8.0...v5.9.2) --- updated-dependencies: - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.9.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4880)

* Fix Ed25519ph check to respect custom signing configs in sign-blob

  Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Add Ed25519 signing test cases for sign-blob

  Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Add unit tests for KMSKeypair Ed25519 methods

  Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Fix panic on Ed25519 signing without pre-hashing

  Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Add test case for HashReader with unspecified hash algorithm

  Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

---------

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.3)