add oci bundle spec #3622
Merged
add oci bundle spec #3622
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3622 +/- ##
==========================================
+ Coverage 40.10% 40.41% +0.31%
==========================================
Files 155 155
Lines 10044 10087 +43
==========================================
+ Hits 4028 4077 +49
+ Misses 5530 5517 -13
- Partials 486 493 +7 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer
force-pushed
the
bdehamer/bundle-spec
branch
from
c5737f4
to
5f5cd94
Compare
Co-authored-by: Hayden B <hblauzvern@google.com> Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: Hayden B <hblauzvern@google.com> Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: Hayden B <hblauzvern@google.com> Signed-off-by: Brian DeHamer <bdehamer@github.com>
vaikas
reviewed
Mar 26, 2024
| DSSE-wrapped in-toto statement, the statement's predicate can be reflected | ||
| here. | ||
|
|
||
| ```json |
There was a problem hiding this comment.
Just jotting this down here. Wondering if it would be useful to have a an example out there demonstrating a fully compliant spec?
There was a problem hiding this comment.
I don't know that I want to reference this in the spec, but I do have an example at index.docker.io/bdehamer/hello:latest.
You can poke at this with the oras CLI. Look-up an referring artifacts:
oras discover index.docker.io/bdehamer/hello:latest
Discovered 1 artifact referencing latest
Digest: sha256:01b2325c7cae9939e4484061c37d36e0b95fb3f5e66f80ff924582ba5939e831
Artifact Type Digest
application/vnd.dev.sigstore.bundle.v3.0+json sha256:30bb112189b0070d8c440fb0c9ef13d4ff25014ccc64d90e5839f90b99c81779
Fetch the bundle manifest:
oras manifest fetch index.docker.io/bdehamer/hello@sha256:30bb112189b0070d8c440fb0c9ef13d4ff25014ccc64d90e5839f90b99c81779
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"artifactType": "application/vnd.dev.sigstore.bundle.v3.0+json",
"config": {
"mediaType": "application/vnd.oci.empty.v1+json",
"digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
"size": 2,
"data": "e30="
},
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar",
"digest": "sha256:0e6245a3f020384b3b10aa2f4fe838ce5e87a71038e710938875cc22d6adb917",
"size": 10097,
"annotations": {
"org.opencontainers.image.title": "bundle.json"
}
}
],
"subject": {
"mediaType": "application/vnd.oci.image.index.v1+json",
"digest": "sha256:01b2325c7cae9939e4484061c37d36e0b95fb3f5e66f80ff924582ba5939e831",
"size": 855
},
"annotations": {
"dev.sigstore.bundle.predicateType": "https://slsa.dev/provenance/v1",
"dev.sigstore.cosign.bundle.content": "dsse-envelope",
"org.opencontainers.image.created": "2024-03-28T19:44:17Z"
}
}Fetch the bundle:
oras blob fetch index.docker.io/bdehamer/hello@sha256:0e6245a3f020384b3b10aa2f4fe838ce5e87a71038e710938875cc22d6adb917 --output -
{"mediaType":"application/vnd.dev.sigstore.bundle.v3.0+json"...}
sudo-bmitch
reviewed
Mar 26, 2024
specs/BUNDLE_SPEC.md
Outdated
Comment on lines
237
to
238
| To help disambiguate attestations, clients may add annotations to the items | ||
| in the `manifests` list which indicate what is contained within each bundle: |
There was a problem hiding this comment.
Other fields I'd recommend including are the creation/signing date, and the identity of the signer. This is useful for quickly finding the most recently signed content from a trusted identity. OCI already has an annotation for the creation date that I'd recommend reusing: org.opencontainers.image.created.
There was a problem hiding this comment.
@sudo-bmitch I like the idea of an annotation to identify the signer. Is there an pre-defined annotation key you'd recommend for this or should we define our own?
There was a problem hiding this comment.
I'm not aware of anything predefined, so making your own under the sigstore namespace makes sense to me.
There was a problem hiding this comment.
Update the list of recommended annotations to include:
org.opencontainers.image.created
There was a problem hiding this comment.
Ideally, would stick to OCI annotations - just makes it more portable. If you expect images and their signatures to move around, then a arbitrary registry implementation doesn't need to know about dev.sigstore.* namespace.
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
sudo-bmitch
reviewed
Mar 28, 2024
specs/BUNDLE_SPEC.md
Outdated
| "annotations": { | ||
| "dev.sigstore.bundle.content": "dsse-envelope", | ||
| "dev.sigstore.bundle.predicateType": "https://slsa.dev/provenance/v1", | ||
| "dev.sigstore.bundle.signer": "cosign/v2.2.3 (darwin; arm64)", |
There was a problem hiding this comment.
For the signer details, the concept I was thinking of would include details used by certificate-identity, certificate-oidc-issuer, etc, so that a cosign verify command could quickly find the matching signature. That could end up being more than one annotation.
There was a problem hiding this comment.
I'd worry that would get used to build a verification policy rather than that policy be provided from the caller. I also don't want the annotations to become a duplicate of what's in the envelope/certificate.
There was a problem hiding this comment.
There may be multiple signatures uploaded for a given digest (hundreds if someone has reproducible builds or runs something daily). Ideally, each of those wouldn't need to be pulled separately to find the one matching the verification policy the user is asking for. This would be an API efficiency, and security would still be provided by validating the envelope/certificate itself.
There was a problem hiding this comment.
If we have multiple attestations for the same digest (some recurring, reproducible build) it's likely that the predicate, cert identity, OIDC issuer will be the same for all of them -- surfacing that info as an annotation probably isn't gonna be that useful.
I was chatting w/ @codysoyland who is working on bundle support in the policy-controller and his primary requirement was that the predicate-type be available (as this is a required part of the policy definition).
At this point, I'm inclined to trim the specified annotation list to just the content, predicateType and the created values. Leaving open the option to add more annotations in the future as specific use cases arise.
specs/BUNDLE_SPEC.md
Outdated
| "annotations": { | ||
| "dev.sigstore.bundle.content": "dsse-envelope", | ||
| "dev.sigstore.bundle.predicateType": "https://slsa.dev/provenance/v1", | ||
| "dev.sigstore.bundle.signer": "cosign/v2.2.3 (darwin; arm64)", |
There was a problem hiding this comment.
I'd worry that would get used to build a verification policy rather than that policy be provided from the caller. I also don't want the annotations to become a duplicate of what's in the envelope/certificate.
Signed-off-by: Brian DeHamer <bdehamer@github.com>
|
@bdehamer, great work on this, LGTM! I'll leave it open til mid next week in case there's any other comments. |
codysoyland
approved these changes
Apr 5, 2024
|
Merging now, thanks all for the discussion, and thanks @bdehamer for authoring the spec! |
haydentherapper
approved these changes
Apr 5, 2024
tommyd450
pushed a commit
to tommyd450/cosign
that referenced
this pull request
Jun 7, 2024
* add oci bundle spec Signed-off-by: Brian DeHamer <bdehamer@github.com> * clarify annotation scheme Signed-off-by: Brian DeHamer <bdehamer@github.com> * add signer annotation Signed-off-by: Brian DeHamer <bdehamer@github.com> * update bundle media type Signed-off-by: Brian DeHamer <bdehamer@github.com> * remove reference to signer annotation Signed-off-by: Brian DeHamer <bdehamer@github.com> --------- Signed-off-by: Brian DeHamer <bdehamer@github.com>
lance
added a commit
to securesign/cosign
that referenced
this pull request
Sep 5, 2024
* fix 'go vet -tags e2e ./...' (#3550) * fix 'go vet -tags e2e ./...' Signed-off-by: Dmitry S <dsavints@gmail.com> * fix typo in 'concatenating' Signed-off-by: Dmitry S <dsavints@gmail.com> --------- Signed-off-by: Dmitry S <dsavints@gmail.com> * chore(deps): bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (#3556) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.97.0 to 0.98.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.97.0...v0.98.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.165.0 to 0.167.0 (#3557) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.165.0 to 0.167.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.165.0...v0.167.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * remove unused rootPool var (#3559) Signed-off-by: Dmitry S <dsavints@gmail.com> * Bump sigstore/sigstore to v1.8.2 (#3561) * Correct help text of triangulate cmd (#3551) Signed-off-by: michaelvl <mvl.gh@network42.dk> * chore(deps): bump imranismail/setup-kustomize from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198 (#3554) * chore(deps): bump imranismail/setup-kustomize Bumps [imranismail/setup-kustomize](https://github.com/imranismail/setup-kustomize) from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198. - [Release notes](https://github.com/imranismail/setup-kustomize/releases) - [Commits](https://github.com/imranismail/setup-kustomize/compare/a76db1c6419124d51470b1e388c4b29476f495f1...f6959cf94216d4be0182d7c78b39f14d0c8bb198) --- updated-dependencies: - dependency-name: imranismail/setup-kustomize dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Update kind-e2e-insecure-registry.yaml Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> * chore(deps): bump the actions group with 3 updates (#3564) Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `google-github-actions/auth` from 2.1.1 to 2.1.2 - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](https://github.com/google-github-actions/auth/compare/a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f...55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c) Updates `mikefarah/yq` from 4.41.1 to 4.42.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/047694546cad8f9eaac1627bbc8bcc502fdd88bf...9adde1ac14bb283b8955d2b0d567bcaf3c69e639) Updates `codecov/codecov-action` from 4.0.1 to 4.1.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/e0b68c6749509c5f83f984dd99a76a1c1a231044...54bcd8715eee62d40e33596ef5e8f0f48dbbccab) --- updated-dependencies: - dependency-name: google-github-actions/auth dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update builder image, cosign image, golangci-lint (#3565) * update cosign and builder image Signed-off-by: cpanato <ctadeu@gmail.com> * update golangci-lint to v1.56 Signed-off-by: cpanato <ctadeu@gmail.com> * update go.mod in fakeoidc Signed-off-by: cpanato <ctadeu@gmail.com> * fix lints Signed-off-by: cpanato <ctadeu@gmail.com> --------- Signed-off-by: cpanato <ctadeu@gmail.com> * chore(deps): bump the actions group with 1 update (#3576) Bumps the actions group with 1 update: [actions/cache](https://github.com/actions/cache). Updates `actions/cache` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/13aacd865c20de90d75de3b17ebe84f7a17d57d2...ab5e6d0c87105b4c9c2047343972218f562e4319) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#3575) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.61.0 to 0.62.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.61.0...v0.62.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the gomod group with 5 updates (#3574) Bumps the gomod group with 5 updates: | Package | From | To | | --- | --- | --- | | [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.27.1` | `0.27.2` | | [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) | `0.22.0` | `0.22.2` | | [github.com/go-openapi/swag](https://github.com/go-openapi/swag) | `0.22.9` | `0.22.10` | | [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio) | `1.4.3` | `1.4.4` | | [github.com/stretchr/testify](https://github.com/stretchr/testify) | `1.8.4` | `1.9.0` | Updates `github.com/go-openapi/runtime` from 0.27.1 to 0.27.2 - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.27.1...v0.27.2) Updates `github.com/go-openapi/strfmt` from 0.22.0 to 0.22.2 - [Commits](https://github.com/go-openapi/strfmt/compare/v0.22.0...v0.22.2) Updates `github.com/go-openapi/swag` from 0.22.9 to 0.22.10 - [Commits](https://github.com/go-openapi/swag/compare/v0.22.9...v0.22.10) Updates `github.com/sigstore/fulcio` from 1.4.3 to 1.4.4 - [Release notes](https://github.com/sigstore/fulcio/releases) - [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/fulcio/compare/v1.4.3...v1.4.4) Updates `github.com/stretchr/testify` from 1.8.4 to 1.9.0 - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/go-openapi/strfmt dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/go-openapi/swag dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/fulcio dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * free up disk space during e2e test runs (#3579) Signed-off-by: Bob Callaway <bcallaway@google.com> * Honor creation timestamp for signatures again (#3549) * Honor creation timestamp for signatures again Signed-off-by: ttrabelsi <Lerentis@users.noreply.github.com> * setting creation timestamp behind a feature flag to preserve current behavior Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu> * review feedback Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu> * additional review feedback Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu> --------- Signed-off-by: ttrabelsi <Lerentis@users.noreply.github.com> Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu> * chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 (#3582) Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.2 to 3.0.3. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md) - [Commits](https://github.com/go-jose/go-jose/compare/v3.0.2...v3.0.3) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#3581) Bumps gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3. --- updated-dependencies: - dependency-name: gopkg.in/go-jose/go-jose.v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * bump release to use go 1.21.8 (#3583) * Clean up READMEs (#3587) Remove deprecated markdown files with only links to docs.sigstore.dev, clean up outdated data in README, remove FEATURES which is outdated Signed-off-by: Hayden B <hblauzvern@google.com> * chore(deps): bump the actions group with 1 update (#3588) * chore(deps): bump github.com/xanzy/go-gitlab from 0.98.0 to 0.100.0 (#3590) * chore(deps): bump the gomod group with 4 updates (#3589) * Update README for contributions (#3596) Encourage development on sigstore-go, which is the focus currently. Signed-off-by: Hayden B <hblauzvern@google.com> * chore(deps): bump github.com/go-openapi/runtime from 0.27.2 to 0.28.0 (#3595) Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.27.2 to 0.28.0. - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.27.2...v0.28.0) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#3591) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.17.0 to 0.18.0. - [Commits](https://github.com/golang/oauth2/compare/v0.17.0...v0.18.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.167.0 to 0.169.0 (#3594) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.167.0 to 0.169.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.167.0...v0.169.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578) * add fulcio oauth flow client credentials Signed-off-by: Noah Kreiger <noahkreiger@gmail.com> * fix docgen Signed-off-by: Noah Kreiger <noahkreiger@gmail.com> * add options Signed-off-by: Noah Kreiger <noahkreiger@gmail.com> --------- Signed-off-by: Noah Kreiger <noahkreiger@gmail.com> * Update the script for working with blobs (#3610) The demo script for working with blobs was inaccurate in its current representation. I updated the commands such that they can be easily copied and pasted to get the shown output. Signed-off-by: arewm <arewm@users.noreply.github.com> * chore(deps): bump the actions group with 1 update (#3607) Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump cuelang.org/go from 0.7.1 to 0.8.0 (#3606) Bumps cuelang.org/go from 0.7.1 to 0.8.0. --- updated-dependencies: - dependency-name: cuelang.org/go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.169.0 to 0.170.0 (#3605) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.169.0 to 0.170.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.169.0...v0.170.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the gomod group with 1 update (#3603) Bumps the gomod group with 1 update: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry). Updates `github.com/google/go-containerregistry` from 0.19.0 to 0.19.1 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.19.0...v0.19.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/docker/docker (#3612) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.7+incompatible to 24.0.9+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v24.0.7...v24.0.9) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Put secrets on github organizations (#3567) * support for github org secrets Signed-off-by: Marlon Pina Tojal <marlont@backbase.com> --------- Signed-off-by: Marlon Pina Tojal <marlont@backbase.com> Co-authored-by: Marlon Pina Tojal <marlont@backbase.com> * Update CHANGELOG for v1.13.6 (#3618) * Update CHANGELOG for v1.13.5 Signed-off-by: Hayden B <hblauzvern@google.com> * Bump release Signed-off-by: Hayden B <hblauzvern@google.com> --------- Signed-off-by: Hayden B <hblauzvern@google.com> * chore(deps): bump the actions group with 2 updates (#3623) Bumps the actions group with 2 updates: [actions/cache](https://github.com/actions/cache) and [mikefarah/yq](https://github.com/mikefarah/yq). Updates `actions/cache` from 4.0.1 to 4.0.2 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/ab5e6d0c87105b4c9c2047343972218f562e4319...0c45773b623bea8c8e75f6c82b208c3cf94ea4f9) Updates `mikefarah/yq` from 4.42.1 to 4.43.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/9adde1ac14bb283b8955d2b0d567bcaf3c69e639...c35ec752e38ea0c096d3c44e13cfc0797ac394d8) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/xanzy/go-gitlab from 0.100.0 to 0.101.0 (#3624) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.100.0 to 0.101.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.100.0...v0.101.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.170.0 to 0.171.0 (#3626) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.170.0 to 0.171.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.170.0...v0.171.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump go.step.sm/crypto from 0.43.1 to 0.44.1 (#3625) Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.43.1 to 0.44.1. - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.43.1...v0.44.1) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Clean up and clarify e2e scripts (#3628) * Add comment to test/piv_test.go Since f6d84815 it's not clear what this file is for, as it's not run in CI. Add a link to the docs that reference it to make it clear this is still needed. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Clean up unused test script e2e_test_secrets.sh is no longer called from CI as of f6332211. It's objective is largely redundant with tests already in e2e_test.go, so just remove it. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Remove cross.yaml workflow (#3629) The artifacts uploaded by cross.yaml are not used anywhere. Moreover, the ability to build on all three platforms and use the resulting binary is already tested in e2e-with-binary.yml. This change removes the workflow for the sake of decluttering the workflows and reducing our use of GitHub storage. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * chore(deps): bump the gomod group with 6 updates (#3633) Bumps the gomod group with 6 updates: | Package | From | To | | --- | --- | --- | | [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` | | [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` | | [go.step.sm/crypto](https://github.com/smallstep/crypto) | `0.44.1` | `0.44.2` | Updates `github.com/sigstore/sigstore` from 1.8.2 to 1.8.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.2 to 1.8.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.2 to 1.8.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.2 to 1.8.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.2 to 1.8.3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) Updates `go.step.sm/crypto` from 0.44.1 to 0.44.2 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.44.1...v0.44.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.171.0 to 0.172.0 (#3635) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.171.0 to 0.172.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.171.0...v0.172.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/open-policy-agent/opa from 0.62.1 to 0.63.0 (#3636) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.62.1 to 0.63.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.62.1...v0.63.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the actions group with 1 update (#3637) Bumps the actions group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `codecov/codecov-action` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/54bcd8715eee62d40e33596ef5e8f0f48dbbccab...c16abc29c95fcf9174b58eb7e1abf4c866893bc8) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add OVHcloud MPR registry tested with cosign (#3639) Signed-off-by: Aurelie Vache <scraly@gmail.com> * Fixing issue 3642 (#3643) Signed-off-by: Mukuls77 <mukul.sharma77@gmail.com> * Fixing issue 3642 (#3644) * add oci bundle spec (#3622) * add oci bundle spec Signed-off-by: Brian DeHamer <bdehamer@github.com> * clarify annotation scheme Signed-off-by: Brian DeHamer <bdehamer@github.com> * add signer annotation Signed-off-by: Brian DeHamer <bdehamer@github.com> * update bundle media type Signed-off-by: Brian DeHamer <bdehamer@github.com> * remove reference to signer annotation Signed-off-by: Brian DeHamer <bdehamer@github.com> --------- Signed-off-by: Brian DeHamer <bdehamer@github.com> * chore(deps): bump the actions group with 2 updates (#3647) Bumps the actions group with 2 updates: [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `cpanato/vault-installer` from 1.0.1 to 1.0.2 - [Release notes](https://github.com/cpanato/vault-installer/releases) - [Commits](https://github.com/cpanato/vault-installer/compare/478a771bf999907426686b67eb53a4ca5713f077...df0775e6f6ee38dee09eaf57ede66ac6a414b70e) Updates `codecov/codecov-action` from 4.1.1 to 4.2.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/c16abc29c95fcf9174b58eb7e1abf4c866893bc8...7afa10ed9b269c561c2336fd862446844e0cbf71) --- updated-dependencies: - dependency-name: cpanato/vault-installer dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the gomod group with 3 updates (#3648) Bumps the gomod group with 3 updates: cuelang.org/go, [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio) and [github.com/sigstore/rekor](https://github.com/sigstore/rekor). Updates `cuelang.org/go` from 0.8.0 to 0.8.1 Updates `github.com/sigstore/fulcio` from 1.4.4 to 1.4.5 - [Release notes](https://github.com/sigstore/fulcio/releases) - [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/fulcio/compare/v1.4.4...v1.4.5) Updates `github.com/sigstore/rekor` from 1.3.5 to 1.3.6 - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.3.5...v1.3.6) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/fulcio dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/rekor dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#3650) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.18.0 to 0.19.0. - [Commits](https://github.com/golang/oauth2/compare/v0.18.0...v0.19.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/term from 0.18.0 to 0.19.0 (#3651) Bumps [golang.org/x/term](https://github.com/golang/term) from 0.18.0 to 0.19.0. - [Commits](https://github.com/golang/term/compare/v0.18.0...v0.19.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/xanzy/go-gitlab from 0.101.0 to 0.102.0 (#3652) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.101.0 to 0.102.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.101.0...v0.102.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 (#3655) Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.6.0 to 0.7.0. - [Commits](https://github.com/golang/sync/compare/v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 (#3653) Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.1.7 to 2.2.0. - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](https://github.com/spiffe/go-spiffe/compare/v2.1.7...v2.2.0) --- updated-dependencies: - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#3649) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.21.0 to 0.22.0. - [Commits](https://github.com/golang/crypto/compare/v0.21.0...v0.22.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Refactor e2e-tests.yml workflow (#3627) * Move attach e2e tests into Go test suite Run the e2e_test_attach.sh tests in Go, as a step toward making all the e2e tests consistent with one another. This also has the added benefit of no longer relying on ttl.sh since test images are hosted in the mock registry server. These tests were being run in CI under Linux and Mac, since they don't rely on a Kind instance or any Sigstore services. This change updates the GitHub workflow for the attach tests to simply run all e2e tests that are compatible with the macos runner. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Reorganize cross-platform attach tests Move all the e2e tests for cosign attachments that can be run independently without other Sigstore services into the new e2e_attach_test.go file, to make the main e2e_test.go file a more mantainable size and to get the benefit of running these tests in the e2e-cross job which runs on macos and linux. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move TSA MTLS tests into Go test suite Run the e2e_tsa_mtls.sh tests in Go. With this, a separate step to run the script is unnecessary for the Github workflow, since it will be run as part of the e2e-cross job. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move TSA blob tests into Go test suite Run the e2e_signblob_tsa_mtls.sh tests in Go. The e2e-tsa-mtls job in the e2e-tests workflow is fully removed since these are now all covered in e2e-cross. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661) * Merge pull request from GHSA-95pr-fxf5-86gv An Image may come from an untrusted source and contain an unknown number of signatures in the .sig manifest. A common pattern in cosign is to use the number of signatures as the capacity for a new slice. But this means the size of the slice is based on an unvalidated external input and could result in cosign running out of memory. This change adds validation for certain implementations of the oci.Signatures Get() method to limit the number of image descriptors returned. This way, callers can rely on the returned slice of signatures being a reasonable size to process safely. The limit is set to 1000, which is a generous size based on the practical restrictions that container registries set for image manifest size and approximations of memory allocations for signature layers. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Merge pull request from GHSA-88jx-383q-w4qc When downloading an attestation or SBOM from an external source, check its size before reading it into memory. This protects the host from potentially reading a maliciously large attachment into memory and exhausting the system. SBOMs can vary widely in size, and there could be legitimate SBOMs of up to 700MB. However, reading a 700MB SBOM into memory would easily bring down a small cloud VM. Moreover, most SBOMs are not going to be that large. This change sets a reasonable default of 128MiB, and allows overriding the default by setting the environment variable `COSIGN_MAX_ATTACHMENT_SIZE`. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Add v2.2.4 changelog (#3662) Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * bump scaffolding to latest release for testing (#3663) Signed-off-by: Bob Callaway <bcallaway@google.com> * fix latest tag not being created and add latest to the dev image as well and go updates (#3664) * fix latest tag not being created and add latest to the dev image as well Signed-off-by: cpanato <ctadeu@gmail.com> * update cosign to 2.2.4 Signed-off-by: cpanato <ctadeu@gmail.com> * update go for the builder image to use 1.21.9 Signed-off-by: cpanato <ctadeu@gmail.com> --------- Signed-off-by: cpanato <ctadeu@gmail.com> * chore(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 (#3656) Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.7.7 to 0.8.1. - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.7.7...v0.8.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/release-utils dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * switch to community repo of reusable-release (#3666) Signed-off-by: Bob Callaway <bcallaway@google.com> * chore(deps): bump the actions group with 3 updates (#3668) * chore(deps): bump go.step.sm/crypto in the gomod group (#3667) Bumps the gomod group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto). Updates `go.step.sm/crypto` from 0.44.2 to 0.44.3 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.44.2...v0.44.3) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add registry options to cosign save (#3645) Signed-off-by: JasonPowr <japower@redhat.com> * chore(deps): bump the actions group with 2 updates (#3676) Bumps the actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/checkout` from 4.1.2 to 4.1.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...1d96c772d19495a3b5c517cd2bc0cb401ea0529f) Updates `actions/upload-artifact` from 4.3.1 to 4.3.3 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...65462800fd760344b1a7b4382951275a0abb4808) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump go.step.sm/crypto in the gomod group (#3672) Bumps the gomod group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto). Updates `go.step.sm/crypto` from 0.44.3 to 0.44.6 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.44.3...v0.44.6) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.172.0 to 0.176.0 (#3673) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.172.0 to 0.176.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.172.0...v0.176.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/xanzy/go-gitlab from 0.102.0 to 0.103.0 (#3674) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.102.0 to 0.103.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.102.0...v0.103.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: close attestationFile (#3679) Signed-off-by: guangwu <guoguangwug@gmail.com> * chore(deps): bump actions/checkout in the actions group (#3680) Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 4.1.3 to 4.1.4 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/1d96c772d19495a3b5c517cd2bc0cb401ea0529f...0ad4b8fadaa221de15dcec353f45205ec38ea70b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 (#3681) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4.0.0 to 5.1.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/3cfe3a4abbb849e10058ce4af15d205b6da42804...9d1e0624a798bb64f6c3cea93db47765312263dc) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the gomod group with 3 updates (#3682) Bumps the gomod group with 3 updates: cuelang.org/go, [go.step.sm/crypto](https://github.com/smallstep/crypto) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client). Updates `cuelang.org/go` from 0.8.1 to 0.8.2 Updates `go.step.sm/crypto` from 0.44.6 to 0.44.8 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.44.6...v0.44.8) Updates `google.golang.org/api` from 0.176.0 to 0.176.1 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.176.0...v0.176.1) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.1 (#3683) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.63.0 to 0.64.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.63.0...v0.64.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Refactor KMS E2E tests (#3684) * Move KMS tests from shell script to Go test suite Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Make KMS E2E tests hermetic Use the scaffolding setup action to set up a local sigstore cluster and run the KMS tests against the local rekor instance instead of the public, production instance. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move KMS E2E workflow into main e2e-tests file Condense the E2E tests into fewer workflow files. There are no unique conditions that require them to be in separate files. Condensing them makes them easier to discover, and makes the Actions tab in GitHub cleaner because there are fewer workflows to sort through. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * chore(deps): bump the actions group with 3 updates (#3686) Bumps the actions group with 3 updates: [actions/setup-go](https://github.com/actions/setup-go), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action). Updates `actions/setup-go` from 5.0.0 to 5.0.1 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/0c52d547c9bc32b1aa3301fd7a9cb496313a4491...cdcb36043654635271a94b9a6d1392de5bb323a7) Updates `codecov/codecov-action` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/84508663e988701840491b86de86b666e8a86bed...5ecb98a3c6b747ed38dc09f787459979aebb39be) Updates `golangci/golangci-lint-action` from 5.1.0 to 5.3.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/9d1e0624a798bb64f6c3cea93db47765312263dc...38e1018663fa5173f3968ea0777460d3de38f256) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.176.1 to 0.177.0 (#3687) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.176.1 to 0.177.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.176.1...v0.177.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/xanzy/go-gitlab from 0.103.0 to 0.104.0 (#3688) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.103.0 to 0.104.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.103.0...v0.104.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#3691) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.19.0 to 0.20.0. - [Commits](https://github.com/golang/oauth2/compare/v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.177.0 to 0.180.0 (#3698) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.177.0 to 0.180.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.177.0...v0.180.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the actions group with 3 updates (#3694) Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [mikefarah/yq](https://github.com/mikefarah/yq) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `actions/checkout` from 4.1.4 to 4.1.5 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b) Updates `mikefarah/yq` from 4.43.1 to 4.44.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/c35ec752e38ea0c096d3c44e13cfc0797ac394d8...557dcb87b8efe786f89a12c09e9046b4753ab72e) Updates `ossf/scorecard-action` from 2.3.1 to 2.3.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693) * Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface Signed-off-by: Cody Soyland <codysoyland@github.com> * Add test for PayloadProvider interface Signed-off-by: Cody Soyland <codysoyland@github.com> --------- Signed-off-by: Cody Soyland <codysoyland@github.com> * chore(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#3695) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.3.0 to 6.0.1. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/38e1018663fa5173f3968ea0777460d3de38f256...a4f60bb28d35aeee14e6880718e0c85ff1882e64) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump sigs.k8s.io/release-utils in the gomod group (#3696) Bumps the gomod group with 1 update: [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils). Updates `sigs.k8s.io/release-utils` from 0.8.1 to 0.8.2 - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.1...v0.8.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/release-utils dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/xanzy/go-gitlab from 0.104.0 to 0.105.0 (#3697) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.104.0 to 0.105.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.104.0...v0.105.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Refactor insecure registry E2E tests (#3701) * Fix e2e test copypaste error Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Clean up kind-e2e-insecure-registry workflow - These tests don't use KinD, don't set it up - Don't install yq, ko, or kustomize - The scripts build cosign, no need to build it in its own step - Don't use global environment variables when they're only needed for individual steps Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move insecure OCI 1.0 registry tests to Go suite Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move insecure OCI 1.1 registry tests to Go suite Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Make registry tests hermetic Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Move insecure registry workflow to e2e tests Condense the kind-e2e-insecure-registry workflow into the rest of the E2E tests workflow. The workflow name was misleading because these tests don't relate to KinD except as an implementation detail of the scaffolding action. Combining it makes it more discoverable and reduces clutter inthe GitHub Actions UI. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Remove KMS E2E test script (#3702) Should have been removed as part of fa17fab. Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Remove sign_blob_test.sh test (#3707) The bug that this test was meant to address[1] applies to a feature that was removed from cosign[2]. The updates made to the script to allow for the breaking changes actually make the test invalid, because while it was once verifying the original artifact signature, the final verification step is now actually verifying against the uploaded rekor entry, so the original signature is inconsequential. [1] https://github.com/sigstore/cosign/pull/1673 [2] https://github.com/sigstore/cosign/pull/2425 Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * Add README.md for tests (#3708) Signed-off-by: Colleen Murphy <colleenmurphy@google.com> * chore(deps): bump the actions group with 3 updates (#3706) Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [google-github-actions/auth](https://github.com/google-github-actions/auth) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `actions/checkout` from 4.1.5 to 4.1.6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29) Updates `google-github-actions/auth` from 2.1.2 to 2.1.3 - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](https://github.com/google-github-actions/auth/compare/55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c...71fee32a0bb7e97b4d33d548e7d957010649d8fa) Updates `codecov/codecov-action` from 4.3.1 to 4.4.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/5ecb98a3c6b747ed38dc09f787459979aebb39be...125fc84a9a348dbcf27191600683ec096ec9021c) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: google-github-actions/auth dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump google.golang.org/api from 0.180.0 to 0.181.0 (#3703) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.180.0 to 0.181.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.180.0...v0.181.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump go.step.sm/crypto from 0.44.8 to 0.45.0 (#3704) Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.44.8 to 0.45.0. - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.44.8...v0.45.0) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump go.step.sm/crypto in the gomod group (#3710) Bumps the gomod group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto). Updates `go.step.sm/crypto` from 0.45.0 to 0.45.1 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.45.0...v0.45.1) --- updated-dependencies: - dependency-name: go.step.sm/crypto dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.65.0 (#3714) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.64.1 to 0.65.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.64.1...v0.65.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the gomod group with 5 updates (#3713) Bumps the gomod group with 5 updates: | Package | From | To | | --- | --- | --- | | [github.com/sigstore/sigstor…
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #3577
Summary
Adds a new spec doc which describes the scheme for publishing/retrieving Sigstore bundles to/from an OCI registry.
Rendered version