-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump to Cosign v2.0.0 rc.3 #602
Conversation
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.0.0-rc.2 to 2.0.0-rc.3. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v2.0.0-rc.2...v2.0.0-rc.3) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #602 +/- ##
==========================================
+ Coverage 54.94% 55.05% +0.11%
==========================================
Files 45 45
Lines 4752 4757 +5
==========================================
+ Hits 2611 2619 +8
+ Misses 1936 1934 -2
+ Partials 205 204 -1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Hector Fernandez <[email protected]>
8454cc3
to
cce9cbf
Compare
@vaikas @hectorj2f WDYT about deprecating and starting to warn when folks use the short-name version of the predicate type? I'd love it if we could get folks using explicit predicate types, since the short names have been so fraught. Thanks for bumping this @hectorj2f 👍 |
Signed-off-by: Hector Fernandez <[email protected]>
Warning always looks like a good approach announcing for a future deprecation. Yes, it makes sense to slowly transition to strict predicate types. I'm wondering if we could start adding a warning in cosign (too) for these short names. |
I think this has a few breaking changes that we should make sure make it into the release notes. |
@vaikas I added the predicate type breaking change to the notes. |
There's also this: Which means that all the policies written against spdx/cyclonedx will not work as far as I can tell? I'd go through the PRs from the last and make sure there weren't others. |
@vaikas Thanks for pointing that out. In my opinion, the other PRs are not affecting our verifications if I am not mistaken. |
@hectorj2f thanks for checking. I would word it that you have to rewrite your policy, not only that you must specify the predicatetype, but the extra 'indentation' of And since previous versions of cosign had that extra |
@vaikas I feel we should highlight these changes when documenting (docs/README) the new version. |
@hectorj2f we can certainly create a 'changelog.MD' or something like that in addition to clear commit messages that impact users, but for folks that are looking to upgrade to a new version are accustomed to seeing the breaking changes when they look at the releases. |
Thanks for the reviews! |
Summary
Adapt code to changes in cosign v2.0.0-rc.3 where several things changed, especially the predicate type verifications.
Release Note
predicate: Data: spdxVersion: ...
should be replaced bypredicate: spdxVersion: ...
, e.g.predicate: Data: specVersion: ...
-->predicate: specVersion: ...
.Documentation