Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump the gomod group with 4 updates #3589

Merged
merged 1 commit into from
Mar 11, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 11, 2024

Bumps the gomod group with 4 updates: github.com/google/certificate-transparency-go, github.com/open-policy-agent/opa, golang.org/x/crypto and golang.org/x/term.

Updates github.com/google/certificate-transparency-go from 1.1.7 to 1.1.8

Release notes

Sourced from github.com/google/certificate-transparency-go's releases.

v1.1.8

What's Changed

  • Recommended Go version for development: 1.21
    • Using a different version can lead to presubmits failing due to unexpected diffs.

Monitoring

Add support for AIX

Fixes

Misc

Dependency update

... (truncated)

Changelog

Sourced from github.com/google/certificate-transparency-go's changelog.

v1.1.8

  • Recommended Go version for development: 1.21
    • Using a different version can lead to presubmits failing due to unexpected diffs.

Add support for AIX

Monitoring

Fixes

Misc

Dependency update

... (truncated)

Commits

Updates github.com/open-policy-agent/opa from 0.62.0 to 0.62.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.62.1

This is a security fix release for the fixes published in Go 1.22.1.

OPA servers using --authentication=tls would be affected: crafted malicious client certificates could cause a panic in the server.

Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin, status and decision logs; and http.send calls that verify TLS.

This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).

Note that there are other security fixes in this Golang release, but whether or not OPA is affected is harder to assess. An update is advised.

Miscellaneous

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.62.1

This is a security fix release for the fixes published in Golang 1.22.1.

OPA servers using --authentication=tls would be affected: crafted malicious client certificates could cause a panic in the server.

Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin, status and decision logs; and http.send calls that verify TLS.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).

Note that there are other security fixes in this Golang release, but whether or not OPA is affected is harder to tell. An update is advised.

Miscellaneous

Commits

Updates golang.org/x/crypto from 0.20.0 to 0.21.0

Commits
  • 7067223 go.mod: update golang.org/x dependencies
  • 0d2316b ssh/test: work around for TestCiphers failures on macOS
  • See full diff in compare view

Updates golang.org/x/term from 0.17.0 to 0.18.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 11, 2024
Bumps the gomod group with 4 updates: [github.com/google/certificate-transparency-go](https://github.com/google/certificate-transparency-go), [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa), [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/term](https://github.com/golang/term).


Updates `github.com/google/certificate-transparency-go` from 1.1.7 to 1.1.8
- [Release notes](https://github.com/google/certificate-transparency-go/releases)
- [Changelog](https://github.com/google/certificate-transparency-go/blob/master/CHANGELOG.md)
- [Commits](google/certificate-transparency-go@v1.1.7...v1.1.8)

Updates `github.com/open-policy-agent/opa` from 0.62.0 to 0.62.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.62.0...v0.62.1)

Updates `golang.org/x/crypto` from 0.20.0 to 0.21.0
- [Commits](golang/crypto@v0.20.0...v0.21.0)

Updates `golang.org/x/term` from 0.17.0 to 0.18.0
- [Commits](golang/term@v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: github.com/google/certificate-transparency-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/gomod-f02284f06a branch from 63c2358 to 43f074a Compare March 11, 2024 17:01
@cpanato cpanato merged commit 693db70 into main Mar 11, 2024
29 checks passed
@cpanato cpanato deleted the dependabot/go_modules/gomod-f02284f06a branch March 11, 2024 17:34
@github-actions github-actions bot added this to the v2.3.0 milestone Mar 11, 2024
tommyd450 pushed a commit to tommyd450/cosign that referenced this pull request Jun 7, 2024
lance added a commit to securesign/cosign that referenced this pull request Sep 5, 2024
* fix 'go vet -tags e2e ./...' (#3550)

* fix 'go vet -tags e2e ./...'

Signed-off-by: Dmitry S <[email protected]>

* fix typo in 'concatenating'

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>

* chore(deps): bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (#3556)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.97.0 to 0.98.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.97.0...v0.98.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.165.0 to 0.167.0 (#3557)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.165.0 to 0.167.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.165.0...v0.167.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* remove unused rootPool var (#3559)

Signed-off-by: Dmitry S <[email protected]>

* Bump sigstore/sigstore to v1.8.2 (#3561)

* Correct help text of triangulate cmd (#3551)

Signed-off-by: michaelvl <[email protected]>

* chore(deps): bump imranismail/setup-kustomize from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198 (#3554)

* chore(deps): bump imranismail/setup-kustomize

Bumps [imranismail/setup-kustomize](https://github.com/imranismail/setup-kustomize) from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198.
- [Release notes](https://github.com/imranismail/setup-kustomize/releases)
- [Commits](https://github.com/imranismail/setup-kustomize/compare/a76db1c6419124d51470b1e388c4b29476f495f1...f6959cf94216d4be0182d7c78b39f14d0c8bb198)

---
updated-dependencies:
- dependency-name: imranismail/setup-kustomize
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update kind-e2e-insecure-registry.yaml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>

* chore(deps): bump the actions group with 3 updates (#3564)

Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `google-github-actions/auth` from 2.1.1 to 2.1.2
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google-github-actions/auth/compare/a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f...55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c)

Updates `mikefarah/yq` from 4.41.1 to 4.42.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/047694546cad8f9eaac1627bbc8bcc502fdd88bf...9adde1ac14bb283b8955d2b0d567bcaf3c69e639)

Updates `codecov/codecov-action` from 4.0.1 to 4.1.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/e0b68c6749509c5f83f984dd99a76a1c1a231044...54bcd8715eee62d40e33596ef5e8f0f48dbbccab)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update builder image, cosign image, golangci-lint (#3565)

* update cosign and builder image

Signed-off-by: cpanato <[email protected]>

* update golangci-lint to v1.56

Signed-off-by: cpanato <[email protected]>

* update go.mod in fakeoidc

Signed-off-by: cpanato <[email protected]>

* fix lints

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: cpanato <[email protected]>

* chore(deps): bump the actions group with 1 update (#3576)

Bumps the actions group with 1 update: [actions/cache](https://github.com/actions/cache).


Updates `actions/cache` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/13aacd865c20de90d75de3b17ebe84f7a17d57d2...ab5e6d0c87105b4c9c2047343972218f562e4319)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#3575)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.61.0 to 0.62.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.61.0...v0.62.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the gomod group with 5 updates (#3574)

Bumps the gomod group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.27.1` | `0.27.2` |
| [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) | `0.22.0` | `0.22.2` |
| [github.com/go-openapi/swag](https://github.com/go-openapi/swag) | `0.22.9` | `0.22.10` |
| [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio) | `1.4.3` | `1.4.4` |
| [github.com/stretchr/testify](https://github.com/stretchr/testify) | `1.8.4` | `1.9.0` |


Updates `github.com/go-openapi/runtime` from 0.27.1 to 0.27.2
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.27.1...v0.27.2)

Updates `github.com/go-openapi/strfmt` from 0.22.0 to 0.22.2
- [Commits](https://github.com/go-openapi/strfmt/compare/v0.22.0...v0.22.2)

Updates `github.com/go-openapi/swag` from 0.22.9 to 0.22.10
- [Commits](https://github.com/go-openapi/swag/compare/v0.22.9...v0.22.10)

Updates `github.com/sigstore/fulcio` from 1.4.3 to 1.4.4
- [Release notes](https://github.com/sigstore/fulcio/releases)
- [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/fulcio/compare/v1.4.3...v1.4.4)

Updates `github.com/stretchr/testify` from 1.8.4 to 1.9.0
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/swag
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/fulcio
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* free up disk space during e2e test runs (#3579)

Signed-off-by: Bob Callaway <[email protected]>

* Honor creation timestamp for signatures again (#3549)

* Honor creation timestamp for signatures again

Signed-off-by: ttrabelsi <[email protected]>

* setting creation timestamp behind a feature flag to preserve current behavior

Signed-off-by: Tobias Trabelsi <[email protected]>

* review feedback

Signed-off-by: Tobias Trabelsi <[email protected]>

* additional review feedback

Signed-off-by: Tobias Trabelsi <[email protected]>

---------

Signed-off-by: ttrabelsi <[email protected]>
Signed-off-by: Tobias Trabelsi <[email protected]>

* chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 (#3582)

Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.2...v3.0.3)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#3581)

Bumps gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3.

---
updated-dependencies:
- dependency-name: gopkg.in/go-jose/go-jose.v2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* bump release to use go 1.21.8 (#3583)

* Clean up READMEs (#3587)

Remove deprecated markdown files with only links to docs.sigstore.dev, clean up outdated data in README, remove FEATURES which is outdated

Signed-off-by: Hayden B <[email protected]>

* chore(deps): bump the actions group with 1 update (#3588)

* chore(deps): bump github.com/xanzy/go-gitlab from 0.98.0 to 0.100.0 (#3590)

* chore(deps): bump the gomod group with 4 updates (#3589)

* Update README for contributions (#3596)

Encourage development on sigstore-go, which is the focus currently.

Signed-off-by: Hayden B <[email protected]>

* chore(deps): bump github.com/go-openapi/runtime from 0.27.2 to 0.28.0 (#3595)

Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.27.2 to 0.28.0.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.27.2...v0.28.0)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#3591)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.167.0 to 0.169.0 (#3594)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.167.0 to 0.169.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.167.0...v0.169.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

* add fulcio oauth flow client credentials

Signed-off-by: Noah Kreiger <[email protected]>

* fix docgen

Signed-off-by: Noah Kreiger <[email protected]>

* add options

Signed-off-by: Noah Kreiger <[email protected]>

---------

Signed-off-by: Noah Kreiger <[email protected]>

* Update the script for working with blobs (#3610)

The demo script for working with blobs was inaccurate in its current
representation. I updated the commands such that they can be easily
copied and pasted to get the shown output.

Signed-off-by: arewm <[email protected]>

* chore(deps): bump the actions group with 1 update (#3607)

Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump cuelang.org/go from 0.7.1 to 0.8.0 (#3606)

Bumps cuelang.org/go from 0.7.1 to 0.8.0.

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.169.0 to 0.170.0 (#3605)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.169.0 to 0.170.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.169.0...v0.170.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the gomod group with 1 update (#3603)

Bumps the gomod group with 1 update: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry).


Updates `github.com/google/go-containerregistry` from 0.19.0 to 0.19.1
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.19.0...v0.19.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/docker/docker (#3612)

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.7+incompatible to 24.0.9+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.7...v24.0.9)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Put secrets on github organizations (#3567)

* support for github org secrets

Signed-off-by: Marlon Pina Tojal <[email protected]>

---------

Signed-off-by: Marlon Pina Tojal <[email protected]>
Co-authored-by: Marlon Pina Tojal <[email protected]>

* Update CHANGELOG for v1.13.6 (#3618)

* Update CHANGELOG for v1.13.5

Signed-off-by: Hayden B <[email protected]>

* Bump release

Signed-off-by: Hayden B <[email protected]>

---------

Signed-off-by: Hayden B <[email protected]>

* chore(deps): bump the actions group with 2 updates (#3623)

Bumps the actions group with 2 updates: [actions/cache](https://github.com/actions/cache) and [mikefarah/yq](https://github.com/mikefarah/yq).


Updates `actions/cache` from 4.0.1 to 4.0.2
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/ab5e6d0c87105b4c9c2047343972218f562e4319...0c45773b623bea8c8e75f6c82b208c3cf94ea4f9)

Updates `mikefarah/yq` from 4.42.1 to 4.43.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/9adde1ac14bb283b8955d2b0d567bcaf3c69e639...c35ec752e38ea0c096d3c44e13cfc0797ac394d8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/xanzy/go-gitlab from 0.100.0 to 0.101.0 (#3624)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.100.0 to 0.101.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.100.0...v0.101.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.170.0 to 0.171.0 (#3626)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.170.0 to 0.171.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.170.0...v0.171.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump go.step.sm/crypto from 0.43.1 to 0.44.1 (#3625)

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.43.1 to 0.44.1.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.43.1...v0.44.1)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Clean up and clarify e2e scripts (#3628)

* Add comment to test/piv_test.go

Since f6d84815 it's not clear what this file is for, as it's not run in
CI. Add a link to the docs that reference it to make it clear this is
still needed.

Signed-off-by: Colleen Murphy <[email protected]>

* Clean up unused test script

e2e_test_secrets.sh is no longer called from CI as of f6332211. It's
objective is largely redundant with tests already in e2e_test.go, so
just remove it.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>

* Remove cross.yaml workflow (#3629)

The artifacts uploaded by cross.yaml are not used anywhere. Moreover,
the ability to build on all three platforms and use the resulting binary
is already tested in e2e-with-binary.yml. This change removes the
workflow for the sake of decluttering the workflows and reducing our use
of GitHub storage.

Signed-off-by: Colleen Murphy <[email protected]>

* chore(deps): bump the gomod group with 6 updates (#3633)

Bumps the gomod group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.2` | `1.8.3` |
| [go.step.sm/crypto](https://github.com/smallstep/crypto) | `0.44.1` | `0.44.2` |


Updates `github.com/sigstore/sigstore` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `go.step.sm/crypto` from 0.44.1 to 0.44.2
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.1...v0.44.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.171.0 to 0.172.0 (#3635)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.171.0 to 0.172.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.171.0...v0.172.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/open-policy-agent/opa from 0.62.1 to 0.63.0 (#3636)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.62.1 to 0.63.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.62.1...v0.63.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the actions group with 1 update (#3637)

Bumps the actions group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `codecov/codecov-action` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/54bcd8715eee62d40e33596ef5e8f0f48dbbccab...c16abc29c95fcf9174b58eb7e1abf4c866893bc8)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: add OVHcloud MPR registry tested with cosign (#3639)

Signed-off-by: Aurelie Vache <[email protected]>

* Fixing issue 3642 (#3643)

Signed-off-by: Mukuls77 <[email protected]>

* Fixing issue 3642 (#3644)

* add oci bundle spec (#3622)

* add oci bundle spec

Signed-off-by: Brian DeHamer <[email protected]>

* clarify annotation scheme

Signed-off-by: Brian DeHamer <[email protected]>

* add signer annotation

Signed-off-by: Brian DeHamer <[email protected]>

* update bundle media type

Signed-off-by: Brian DeHamer <[email protected]>

* remove reference to signer annotation

Signed-off-by: Brian DeHamer <[email protected]>

---------

Signed-off-by: Brian DeHamer <[email protected]>

* chore(deps): bump the actions group with 2 updates (#3647)

Bumps the actions group with 2 updates: [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `cpanato/vault-installer` from 1.0.1 to 1.0.2
- [Release notes](https://github.com/cpanato/vault-installer/releases)
- [Commits](https://github.com/cpanato/vault-installer/compare/478a771bf999907426686b67eb53a4ca5713f077...df0775e6f6ee38dee09eaf57ede66ac6a414b70e)

Updates `codecov/codecov-action` from 4.1.1 to 4.2.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/c16abc29c95fcf9174b58eb7e1abf4c866893bc8...7afa10ed9b269c561c2336fd862446844e0cbf71)

---
updated-dependencies:
- dependency-name: cpanato/vault-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the gomod group with 3 updates (#3648)

Bumps the gomod group with 3 updates: cuelang.org/go, [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio) and [github.com/sigstore/rekor](https://github.com/sigstore/rekor).


Updates `cuelang.org/go` from 0.8.0 to 0.8.1

Updates `github.com/sigstore/fulcio` from 1.4.4 to 1.4.5
- [Release notes](https://github.com/sigstore/fulcio/releases)
- [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/fulcio/compare/v1.4.4...v1.4.5)

Updates `github.com/sigstore/rekor` from 1.3.5 to 1.3.6
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.3.5...v1.3.6)

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/fulcio
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#3650)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/term from 0.18.0 to 0.19.0 (#3651)

Bumps [golang.org/x/term](https://github.com/golang/term) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/golang/term/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/xanzy/go-gitlab from 0.101.0 to 0.102.0 (#3652)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.101.0 to 0.102.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.101.0...v0.102.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 (#3655)

Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.6.0 to 0.7.0.
- [Commits](https://github.com/golang/sync/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 (#3653)

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.1.7 to 2.2.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.1.7...v2.2.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#3649)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.21.0 to 0.22.0.
- [Commits](https://github.com/golang/crypto/compare/v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Refactor e2e-tests.yml workflow (#3627)

* Move attach e2e tests into Go test suite

Run the e2e_test_attach.sh tests in Go, as a step toward making all the
e2e tests consistent with one another. This also has the added benefit
of no longer relying on ttl.sh since test images are hosted in the mock
registry server.

These tests were being run in CI under Linux and Mac, since they don't
rely on a Kind instance or any Sigstore services. This change updates
the GitHub workflow for the attach tests to simply run all e2e tests
that are compatible with the macos runner.

Signed-off-by: Colleen Murphy <[email protected]>

* Reorganize cross-platform attach tests

Move all the e2e tests for cosign attachments that can be run
independently without other Sigstore services into the new
e2e_attach_test.go file, to make the main e2e_test.go file a more
mantainable size and to get the benefit of running these tests in the
e2e-cross job which runs on macos and linux.

Signed-off-by: Colleen Murphy <[email protected]>

* Move TSA MTLS tests into Go test suite

Run the e2e_tsa_mtls.sh tests in Go. With this, a separate step to run
the script is unnecessary for the Github workflow, since it will be run
as part of the e2e-cross job.

Signed-off-by: Colleen Murphy <[email protected]>

* Move TSA blob tests into Go test suite

Run the e2e_signblob_tsa_mtls.sh tests in Go. The e2e-tsa-mtls job in
the e2e-tests workflow is fully removed since these are now all covered
in e2e-cross.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>

* Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)

* Merge pull request from GHSA-95pr-fxf5-86gv

An Image may come from an untrusted source and contain an unknown number
of signatures in the .sig manifest. A common pattern in cosign is to use
the number of signatures as the capacity for a new slice. But this means
the size of the slice is based on an unvalidated external input and
could result in cosign running out of memory.

This change adds validation for certain implementations of the
oci.Signatures Get() method to limit the number of image descriptors
returned. This way, callers can rely on the returned slice of signatures
being a reasonable size to process safely.

The limit is set to 1000, which is a generous size based on the
practical restrictions that container registries set for image manifest
size and approximations of memory allocations for signature layers.

Signed-off-by: Colleen Murphy <[email protected]>

* Merge pull request from GHSA-88jx-383q-w4qc

When downloading an attestation or SBOM from an external source, check
its size before reading it into memory. This protects the host from
potentially reading a maliciously large attachment into memory and
exhausting the system.

SBOMs can vary widely in size, and there could be legitimate SBOMs of up
to 700MB. However, reading a 700MB SBOM into memory would easily bring
down a small cloud VM. Moreover, most SBOMs are not going to be that
large. This change sets a reasonable default of 128MiB, and allows
overriding the default by setting the environment variable
`COSIGN_MAX_ATTACHMENT_SIZE`.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>

* Add v2.2.4 changelog (#3662)

Signed-off-by: Hayden Blauzvern <[email protected]>

* bump scaffolding to latest release for testing (#3663)

Signed-off-by: Bob Callaway <[email protected]>

* fix latest tag not being created and add latest to the dev image as well and go updates (#3664)

* fix latest tag not being created and add latest to the dev image as well

Signed-off-by: cpanato <[email protected]>

* update cosign to 2.2.4

Signed-off-by: cpanato <[email protected]>

* update go for the builder image to use 1.21.9

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: cpanato <[email protected]>

* chore(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 (#3656)

Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.7.7 to 0.8.1.
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.7.7...v0.8.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* switch to community repo of reusable-release (#3666)

Signed-off-by: Bob Callaway <[email protected]>

* chore(deps): bump the actions group with 3 updates (#3668)

* chore(deps): bump go.step.sm/crypto in the gomod group (#3667)

Bumps the gomod group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto).


Updates `go.step.sm/crypto` from 0.44.2 to 0.44.3
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.2...v0.44.3)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add registry options to cosign save (#3645)

Signed-off-by: JasonPowr <[email protected]>

* chore(deps): bump the actions group with 2 updates (#3676)

Bumps the actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...1d96c772d19495a3b5c517cd2bc0cb401ea0529f)

Updates `actions/upload-artifact` from 4.3.1 to 4.3.3
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...65462800fd760344b1a7b4382951275a0abb4808)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump go.step.sm/crypto in the gomod group (#3672)

Bumps the gomod group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto).


Updates `go.step.sm/crypto` from 0.44.3 to 0.44.6
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.3...v0.44.6)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.172.0 to 0.176.0 (#3673)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.172.0 to 0.176.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.172.0...v0.176.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/xanzy/go-gitlab from 0.102.0 to 0.103.0 (#3674)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.102.0 to 0.103.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.102.0...v0.103.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: close attestationFile (#3679)

Signed-off-by: guangwu <[email protected]>

* chore(deps): bump actions/checkout in the actions group (#3680)

Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/1d96c772d19495a3b5c517cd2bc0cb401ea0529f...0ad4b8fadaa221de15dcec353f45205ec38ea70b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 (#3681)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4.0.0 to 5.1.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/3cfe3a4abbb849e10058ce4af15d205b6da42804...9d1e0624a798bb64f6c3cea93db47765312263dc)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the gomod group with 3 updates (#3682)

Bumps the gomod group with 3 updates: cuelang.org/go, [go.step.sm/crypto](https://github.com/smallstep/crypto) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client).


Updates `cuelang.org/go` from 0.8.1 to 0.8.2

Updates `go.step.sm/crypto` from 0.44.6 to 0.44.8
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.6...v0.44.8)

Updates `google.golang.org/api` from 0.176.0 to 0.176.1
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.176.0...v0.176.1)

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.1 (#3683)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.63.0 to 0.64.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.63.0...v0.64.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Refactor KMS E2E tests (#3684)

* Move KMS tests from shell script to Go test suite

Signed-off-by: Colleen Murphy <[email protected]>

* Make KMS E2E tests hermetic

Use the scaffolding setup action to set up a local sigstore cluster and
run the KMS tests against the local rekor instance instead of the
public, production instance.

Signed-off-by: Colleen Murphy <[email protected]>

* Move KMS E2E workflow into main e2e-tests file

Condense the E2E tests into fewer workflow files. There are no unique
conditions that require them to be in separate files. Condensing them
makes them easier to discover, and makes the Actions tab in GitHub
cleaner because there are fewer workflows to sort through.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>

* chore(deps): bump the actions group with 3 updates (#3686)

Bumps the actions group with 3 updates: [actions/setup-go](https://github.com/actions/setup-go), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `actions/setup-go` from 5.0.0 to 5.0.1
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/0c52d547c9bc32b1aa3301fd7a9cb496313a4491...cdcb36043654635271a94b9a6d1392de5bb323a7)

Updates `codecov/codecov-action` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/84508663e988701840491b86de86b666e8a86bed...5ecb98a3c6b747ed38dc09f787459979aebb39be)

Updates `golangci/golangci-lint-action` from 5.1.0 to 5.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/9d1e0624a798bb64f6c3cea93db47765312263dc...38e1018663fa5173f3968ea0777460d3de38f256)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.176.1 to 0.177.0 (#3687)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.176.1 to 0.177.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.176.1...v0.177.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/xanzy/go-gitlab from 0.103.0 to 0.104.0 (#3688)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.103.0 to 0.104.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.103.0...v0.104.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#3691)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.19.0 to 0.20.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.177.0 to 0.180.0 (#3698)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.177.0 to 0.180.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.177.0...v0.180.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the actions group with 3 updates (#3694)

Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [mikefarah/yq](https://github.com/mikefarah/yq) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `actions/checkout` from 4.1.4 to 4.1.5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b)

Updates `mikefarah/yq` from 4.43.1 to 4.44.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/c35ec752e38ea0c096d3c44e13cfc0797ac394d8...557dcb87b8efe786f89a12c09e9046b4753ab72e)

Updates `ossf/scorecard-action` from 2.3.1 to 2.3.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)

* Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface

Signed-off-by: Cody Soyland <[email protected]>

* Add test for PayloadProvider interface

Signed-off-by: Cody Soyland <[email protected]>

---------

Signed-off-by: Cody Soyland <[email protected]>

* chore(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#3695)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.3.0 to 6.0.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/38e1018663fa5173f3968ea0777460d3de38f256...a4f60bb28d35aeee14e6880718e0c85ff1882e64)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump sigs.k8s.io/release-utils in the gomod group (#3696)

Bumps the gomod group with 1 update: [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `sigs.k8s.io/release-utils` from 0.8.1 to 0.8.2
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.1...v0.8.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/xanzy/go-gitlab from 0.104.0 to 0.105.0 (#3697)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.104.0 to 0.105.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.104.0...v0.105.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Refactor insecure registry E2E tests (#3701)

* Fix e2e test copypaste error

Signed-off-by: Colleen Murphy <[email protected]>

* Clean up kind-e2e-insecure-registry workflow

- These tests don't use KinD, don't set it up
- Don't install yq, ko, or kustomize
- The scripts build cosign, no need to build it in its own step
- Don't use global environment variables when they're only needed for
  individual steps

Signed-off-by: Colleen Murphy <[email protected]>

* Move insecure OCI 1.0 registry tests to Go suite

Signed-off-by: Colleen Murphy <[email protected]>

* Move insecure OCI 1.1 registry tests to Go suite

Signed-off-by: Colleen Murphy <[email protected]>

* Make registry tests hermetic

Signed-off-by: Colleen Murphy <[email protected]>

* Move insecure registry workflow to e2e tests

Condense the kind-e2e-insecure-registry workflow into the rest of the
E2E tests workflow. The workflow name was misleading because these tests
don't relate to KinD except as an implementation detail of the
scaffolding action. Combining it makes it more discoverable and reduces
clutter inthe GitHub Actions UI.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>

* Remove KMS E2E test script (#3702)

Should have been removed as part of fa17fab.

Signed-off-by: Colleen Murphy <[email protected]>

* Remove sign_blob_test.sh test (#3707)

The bug that this test was meant to address[1] applies to a feature that
was removed from cosign[2]. The updates made to the script to allow for
the breaking changes actually make the test invalid, because while it
was once verifying the original artifact signature, the final
verification step is now actually verifying against the uploaded rekor
entry, so the original signature is inconsequential.

[1] https://github.com/sigstore/cosign/pull/1673
[2] https://github.com/sigstore/cosign/pull/2425

Signed-off-by: Colleen Murphy <[email protected]>

* Add README.md for tests (#3708)

Signed-off-by: Colleen Murphy <[email protected]>

* chore(deps): bump the actions group with 3 updates (#3706)

Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [google-github-actions/auth](https://github.com/google-github-actions/auth) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `actions/checkout` from 4.1.5 to 4.1.6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29)

Updates `google-github-actions/auth` from 2.1.2 to 2.1.3
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google-github-actions/auth/compare/55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c...71fee32a0bb7e97b4d33d548e7d957010649d8fa)

Updates `codecov/codecov-action` from 4.3.1 to 4.4.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/5ecb98a3c6b747ed38dc09f787459979aebb39be...125fc84a9a348dbcf27191600683ec096ec9021c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google.golang.org/api from 0.180.0 to 0.181.0 (#3703)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.180.0 to 0.181.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.180.0...v0.181.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump go.step.sm/crypto from 0.44.8 to 0.45.0 (#3704)

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.44.8 to 0.45.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.8...v0.45.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump go.step.sm/crypto in the gomod group (#3710)

Bumps the gomod group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto).


Updates `go.step.sm/crypto` from 0.45.0 to 0.45.1
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.45.0...v0.45.1)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.65.0 (#3714)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.64.1 to 0.65.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.64.1...v0.65.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the gomod group with 5 updates (#3713)

Bumps the gomod group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/sigstor…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant