Update dependency aquaproj/aqua to v2.22.0

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v2.21.3 -> v2.22.0

---

Release Notes

aquaproj/aqua (aquaproj/aqua)

v2.22.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.3...v2.22.0

Features

#​2631 #​2633 #​2634 Support disabling the verification with Cosign and SLSA Provenance

You can disable the verification with Cosign and SLSA Provenance if you can't use them.

Why is the feature needed?

[!CAUTION]
This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and sla-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow the access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow the access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

How to use

You can use command line options -disable-cosign and -disable-slsa or environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

e.g.

aqua [-disable-cosign] [-disable-slsa] i

env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.