build(deps): bump the all group across 1 directory with 17 updates

[dependabot]

Bumps the all group with 11 updates in the / directory:

Package	From	To
cuelang.org/go	0.8.0	0.8.2
github.com/enterprise-contract/enterprise-contract-controller/api	0.1.39	0.1.47
github.com/gkampitakis/go-snaps	0.5.2	0.5.4
github.com/go-logr/logr	1.4.1	1.4.2
github.com/hashicorp/go-getter	1.7.3	1.7.4
github.com/leanovate/gopter	0.2.9	0.2.11
github.com/open-policy-agent/conftest	0.50.0	0.52.0
github.com/package-url/packageurl-go	0.1.2	0.1.3
github.com/sigstore/cosign/v2	2.2.3	2.2.4
github.com/tektoncd/pipeline	0.54.0	0.60.0
k8s.io/apiextensions-apiserver	0.29.3	0.30.1

Updates cuelang.org/go from 0.8.0 to 0.8.2

Updates github.com/enterprise-contract/enterprise-contract-controller/api from 0.1.39 to 0.1.47

Release notes

Sourced from github.com/enterprise-contract/enterprise-contract-controller/api's releases.

API Release api/v0.1.47

What's Changed

• Bump sigs.k8s.io/controller-runtime from 0.17.4 to 0.17.5 in /api by @​dependabot in enterprise-contract/enterprise-contract-controller#329
• Bump sigs.k8s.io/controller-runtime from 0.17.4 to 0.17.5 by @​dependabot in enterprise-contract/enterprise-contract-controller#328
• Bump codecov/codecov-action from 4.3.1 to 4.4.1 by @​dependabot in enterprise-contract/enterprise-contract-controller#339
• Bump github/codeql-action from 3.25.5 to 3.25.6 by @​dependabot in enterprise-contract/enterprise-contract-controller#340
• Bump actions/checkout from 4.1.5 to 4.1.6 by @​dependabot in enterprise-contract/enterprise-contract-controller#341

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.46...api/v0.1.47

API Release api/v0.1.46

What's Changed

• Bump github/codeql-action from 3.25.3 to 3.25.5 by @​dependabot in enterprise-contract/enterprise-contract-controller#330

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.45...api/v0.1.46

API Release api/v0.1.45

What's Changed

• Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.17.4 in /api by @​dependabot in enterprise-contract/enterprise-contract-controller#327
• Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in enterprise-contract/enterprise-contract-controller#331
• Bump softprops/action-gh-release from 2.0.4 to 2.0.5 by @​dependabot in enterprise-contract/enterprise-contract-controller#333
• Bump actions/checkout from 4.1.4 to 4.1.5 by @​dependabot in enterprise-contract/enterprise-contract-controller#332

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.44...api/v0.1.45

API Release api/v0.1.44

What's Changed

• Bump codecov/codecov-action from 4.3.0 to 4.3.1 by @​dependabot in enterprise-contract/enterprise-contract-controller#326
• Bump github.com/onsi/gomega from 1.33.0 to 1.33.1 by @​dependabot in enterprise-contract/enterprise-contract-controller#324
• Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.17.4 by @​dependabot in enterprise-contract/enterprise-contract-controller#323
• Bump step-security/harden-runner from 2.7.0 to 2.7.1 by @​dependabot in enterprise-contract/enterprise-contract-controller#325

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.43...api/v0.1.44

API Release api/v0.1.43

What's Changed

• Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @​dependabot in enterprise-contract/enterprise-contract-controller#319
• Bump github/codeql-action from 3.25.1 to 3.25.3 by @​dependabot in enterprise-contract/enterprise-contract-controller#320
• Bump actions/download-artifact from 4.1.5 to 4.1.7 by @​dependabot in enterprise-contract/enterprise-contract-controller#321
• Bump actions/checkout from 4.1.3 to 4.1.4 by @​dependabot in enterprise-contract/enterprise-contract-controller#322

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.42...api/v0.1.43

API Release api/v0.1.42

What's Changed

... (truncated)

Commits

• 8b8d7be Merge pull request #341 from enterprise-contract/dependabot/github_actions/ac...
• d1db73a Merge pull request #340 from enterprise-contract/dependabot/github_actions/gi...
• d3db660 Merge pull request #339 from enterprise-contract/dependabot/github_actions/co...
• 7fe254a Bump actions/checkout from 4.1.5 to 4.1.6
• 1d8f08a Bump github/codeql-action from 3.25.5 to 3.25.6
• 36061d8 Bump codecov/codecov-action from 4.3.1 to 4.4.1
• 5c0827c Merge pull request #328 from enterprise-contract/dependabot/go_modules/sigs.k...
• 710d23f Run go mod tidy
• 95e86b1 Bump sigs.k8s.io/controller-runtime from 0.17.4 to 0.17.5 in /api
• 6f09ed5 Bump github/codeql-action from 3.25.3 to 3.25.5
• Additional commits viewable in compare view

Updates github.com/gkampitakis/go-snaps from 0.5.2 to 0.5.4

Release notes

Sourced from github.com/gkampitakis/go-snaps's releases.

v0.5.4

What's Changed

• fix: slice bounds out of range [:5] by @​zregvart in gkampitakis/go-snaps#98

New Contributors

• @​zregvart made their first contribution in gkampitakis/go-snaps#98

Full Changelog: gkampitakis/go-snaps@v0.5.3...v0.5.4

v0.5.3

What's Changed

• fix: race condition when updating snapshots in parallel by @​gkampitakis in gkampitakis/go-snaps#97

Full Changelog: gkampitakis/go-snaps@v0.5.2...v0.5.3

Commits

• f98a2f9 fix: slice bounds out of range [:5] (#98)
• e31ee30 fix: race condition when updating snapshots in parallel (#97)
• See full diff in compare view

Updates github.com/go-logr/logr from 1.4.1 to 1.4.2

Release notes

Sourced from github.com/go-logr/logr's releases.

v1.4.2

What's Changed

• Fix lint: named but unused params by @​thockin in go-logr/logr#268
• Add a Go report card, fix lint by @​thockin in go-logr/logr#271
• funcr: Handle nested empty groups properly by @​thockin in go-logr/logr#274

Dependencies:

• build(deps): bump github/codeql-action from 3.22.11 to 3.22.12 by @​dependabot in go-logr/logr#254
• build(deps): bump github/codeql-action from 3.22.12 to 3.23.0 by @​dependabot in go-logr/logr#256
• build(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 by @​dependabot in go-logr/logr#257
• build(deps): bump github/codeql-action from 3.23.0 to 3.23.1 by @​dependabot in go-logr/logr#259
• build(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0 by @​dependabot in go-logr/logr#260
• build(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0 by @​dependabot in go-logr/logr#263
• build(deps): bump github/codeql-action from 3.23.1 to 3.23.2 by @​dependabot in go-logr/logr#262
• build(deps): bump github/codeql-action from 3.23.2 to 3.24.0 by @​dependabot in go-logr/logr#264
• build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @​dependabot in go-logr/logr#266
• build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @​dependabot in go-logr/logr#267
• build(deps): bump github/codeql-action from 3.24.0 to 3.24.3 by @​dependabot in go-logr/logr#270
• build(deps): bump github/codeql-action from 3.24.3 to 3.24.5 by @​dependabot in go-logr/logr#272
• build(deps): bump github/codeql-action from 3.24.5 to 3.24.6 by @​dependabot in go-logr/logr#275
• build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot in go-logr/logr#276
• build(deps): bump github/codeql-action from 3.24.6 to 3.24.7 by @​dependabot in go-logr/logr#277
• build(deps): bump github/codeql-action from 3.24.7 to 3.24.9 by @​dependabot in go-logr/logr#278
• build(deps): bump github/codeql-action from 3.24.9 to 3.24.10 by @​dependabot in go-logr/logr#279
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 by @​dependabot in go-logr/logr#280
• build(deps): bump actions/checkout from 4.1.2 to 4.1.3 by @​dependabot in go-logr/logr#281
• build(deps): bump github/codeql-action from 3.24.10 to 3.25.1 by @​dependabot in go-logr/logr#282
• build(deps): bump github/codeql-action from 3.25.1 to 3.25.3 by @​dependabot in go-logr/logr#283
• build(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @​dependabot in go-logr/logr#284
• build(deps): bump actions/checkout from 4.1.3 to 4.1.4 by @​dependabot in go-logr/logr#285
• build(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 by @​dependabot in go-logr/logr#286
• build(deps): bump actions/setup-go from 5.0.0 to 5.0.1 by @​dependabot in go-logr/logr#288
• build(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.3.0 by @​dependabot in go-logr/logr#289
• build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 by @​dependabot in go-logr/logr#293
• build(deps): bump github/codeql-action from 3.25.3 to 3.25.4 by @​dependabot in go-logr/logr#292
• build(deps): bump actions/checkout from 4.1.4 to 4.1.5 by @​dependabot in go-logr/logr#291
• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in go-logr/logr#290
• build(deps): bump github/codeql-action from 3.25.4 to 3.25.5 by @​dependabot in go-logr/logr#294
• build(deps): bump actions/checkout from 4.1.5 to 4.1.6 by @​dependabot in go-logr/logr#295

Full Changelog: go-logr/logr@v1.4.1...v1.4.2

Commits

• 1205f42 Merge pull request #295 from go-logr/dependabot/github_actions/actions/checko...
• ccedcbd Merge pull request #294 from go-logr/dependabot/github_actions/github/codeql-...
• bead577 build(deps): bump actions/checkout from 4.1.5 to 4.1.6
• a492d95 build(deps): bump github/codeql-action from 3.25.4 to 3.25.5
• 19ad07c build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3
• 1c97a21 build(deps): bump actions/checkout from 4.1.4 to 4.1.5
• f70c5b5 build(deps): bump github/codeql-action from 3.25.3 to 3.25.4
• 4ade8d3 build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1
• 88d98bd Merge pull request #289 from go-logr/dependabot/github_actions/golangci/golan...
• 432cd86 Merge pull request #288 from go-logr/dependabot/github_actions/actions/setup-...
• Additional commits viewable in compare view

Updates github.com/hashicorp/go-getter from 1.7.3 to 1.7.4

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.4

What's Changed

• Escape user-provided strings in git commands hashicorp/go-getter#483
• Fixed a bug in .netrc handling if the file does not exist hashicorp/go-getter#433

Full Changelog: hashicorp/go-getter@v1.7.3...v1.7.4

Commits

• 268c11c escape user provide string to git (#483)
• 975961f Merge pull request #433 from adrian-bl/netrc-fix
• 5ccb39a Make addAuthFromNetrc ignore ENOTDIR errors
• See full diff in compare view

Updates github.com/leanovate/gopter from 0.2.9 to 0.2.11

Commits

• b641a79 Remove invalid type panic for now (addresses #86)
• 4dccbc2 Remove invalid type panic for now (addresses #86)
• 2607924 Panic on unsupported type
• 4f507f6 Update build runner
• 69954c9 Support array generators (addresses #86)
• f9f2f29 Merge pull request #85 from zhongdai/fix-dead-links
• e59552d Fixed the dead links.
• 90cc76d Merge pull request #82 from kkweon/master
• 62760ed fix(gen/struct): typo in the comment
• f350002 Keep track of command sieve (issue #81)
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/conftest from 0.50.0 to 0.52.0

Release notes

Sourced from github.com/open-policy-agent/conftest's releases.

v0.52.0

Changelog

OPA Changes

• c8ca3585dfe99647c0ca039b03522bd83e0ca357: build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.0 (#943) (@​dependabot[bot])
• 9b082a11765d408ffdddbf365bd0fdd990d87461: build(deps): bump github.com/open-policy-agent/opa from 0.64.0 to 0.64.1 (#947) (@​dependabot[bot])

Other Changes

• 8f13bf6a82dbb7db38e1ca1a3cddba4f608dbee2: build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (#937) (@​dependabot[bot])
• 37b04d6036f6a146cc2c38e29769ad245c4607e6: build(deps): bump github.com/docker/docker from v25.0.3+incompatible to v25.0.5+incompatible (#932) (@​robmonct)
• 1b3cc13b4d5e8d99a7a124672046605d1c33d0bc: build(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#948) (@​dependabot[bot])
• 28d92a408f9d39d01dd85e0055f05f36e09bbf7f: build(deps): bump github.com/moby/buildkit from 0.13.1 to 0.13.2 (#944) (@​dependabot[bot])
• 4ab6feaed04fa44e1de39e9c823728bfdf906867: build(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#941) (@​dependabot[bot])
• c6bd5a541a1526f9ade5e02b41dc11725c97c47c: build(deps): bump golang from 1.22.1-alpine to 1.22.2-alpine (#938) (@​dependabot[bot])
• 298d74aeade4b4462961fa3c7f1d44a90d7a49d8: ci: Allow Dependabot to update github.com/hashicorp/go-getter (#946) (@​jalseth)

v0.51.0

Changelog

Bug Fixes

• 1989c6c7a2ddbecf15f6b736978a468777694562: fix: Only raise problematic if error when rule has no name set (#935) (@​jalseth)

OPA Changes

• 6609893ae256424714b43f3a54feb9da97804ffb: build(deps): bump github.com/open-policy-agent/opa from 0.62.1 to 0.63.0 (#933) (@​dependabot[bot])

Other Changes

• 06e3f8d1e4de112effa58924c61e72d493794ffc: build(deps): bump cuelang.org/go from 0.7.1 to 0.8.0 (#930) (@​dependabot[bot])
• bece944a615fffdf96d971e7fb05e98600bffe20: build(deps): bump github.com/moby/buildkit from 0.13.0 to 0.13.1 (#931) (@​dependabot[bot])
• 515feda4311e2ac62b062d1002a9a70a8cd9177d: build(deps): bump golang from 1.22.0-alpine to 1.22.1-alpine (#929) (@​dependabot[bot])
• 86afe2f34ba2d567ed99c85e363c3b6457e82ef9: ci: Pin bats version to work around broken CI (#936) (@​jalseth)

Commits

• 9b082a1 build(deps): bump github.com/open-policy-agent/opa from 0.64.0 to 0.64.1 (#947)
• 1b3cc13 build(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#948)
• 298d74a ci: Allow Dependabot to update github.com/hashicorp/go-getter (#946)
• 28d92a4 build(deps): bump github.com/moby/buildkit from 0.13.1 to 0.13.2 (#944)
• c8ca358 build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.0 (#943)
• 4ab6fea build(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#941)
• 37b04d6 build(deps): bump github.com/docker/docker from v25.0.3+incompatible to v25.0...
• c6bd5a5 build(deps): bump golang from 1.22.1-alpine to 1.22.2-alpine (#938)
• 8f13bf6 build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (#937)
• 1989c6c fix: Only raise problematic if error when rule has no name set (#935)
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 0.62.1 to 0.64.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.64.1

This is a bug fix release addressing the following issues:

• ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#6720) authored by @​suzuki-shunsuke
• plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#6723) authored by @​ashutosh-narkar

v0.64.0

NOTES:

• The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the labels section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision, nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the --v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @​johanfylling

Runtime, Tooling, SDK

• compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @​philipaconrad
• cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @​johanfylling
• server: Keep default decision path in-sync with manager's config (#6697) authored by @​ashutosh-narkar
• server: Remove unnecessary AST-to-JSON conversions (#6665) and (#6669) authored by @​koponen-styra
• sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @​xico42
• sdk: Fix issue where active parser options aren't propagated to module reload during bundle activation resulting in errors while activating bundles with v1 syntax (#6689) authored by @​xico42

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.64.1

This is a bug fix release addressing the following issues:

• ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#6720) authored by @​suzuki-shunsuke
• plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#6723) authored by @​ashutosh-narkar

0.64.0

NOTES:

• The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the labels section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision, nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the --v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @​johanfylling

Runtime, Tooling, SDK

• compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @​philipaconrad
• cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @​johanfylling
• server: Keep default decision path in-sync with manager's config (#6697) authored by @​ashutosh-narkar
• server: Remove unnecessary AST-to-JSON conversions (#6665) and (#6669) authored by @​koponen-styra
• sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @​xico42

... (truncated)

Commits

• 298f97d Prepare v0.64.1 release
• faf6382 ci: pin GitHub Actions macos runner version and build for darwin/amd64
• e72e6f6 plugins/discovery: Update comparison logic for overrides
• 75cc90a Prepare v0.64.0 release
• a400281 server: Keep default decision path in-sync with manager's config
• f2011b1 Adding Raygun to the policy-testing ecosystem (#6712)
• b58e87f ast: Importing rego.v1 in v0 support modules when applicable (#6698)
• 44fa8ad Relax configuration check when Discovery is enabled
• ef8532f auth: requestToken close response body
• 8260697 build: Update WASM Rego test generation setup (#6707)
• Additional commits viewable in compare view

Updates github.com/package-url/packageurl-go from 0.1.2 to 0.1.3

Release notes

Sourced from github.com/package-url/packageurl-go's releases.

v0.1.3

What's Changed

• go.mod: Bump required Go version to 1.18 by @​magnusbaeck in package-url/packageurl-go#66
• Fix Github Actions by @​shibumi in package-url/packageurl-go#69
• Adds ./ and ../ as valid subpath prefix by @​ridhoq in package-url/packageurl-go#68

New Contributors

• @​magnusbaeck made their first contribution in package-url/packageurl-go#66
• @​ridhoq made their first contribution in package-url/packageurl-go#68

Full Changelog: package-url/packageurl-go@v0.1.2...v0.1.3

Commits

• 7cb81af Merge pull request #68 from ridhoq/dot-slash-valid-subpath-prefix
• 6f82665 enable valid prefix
• 322020f add ../ as a valid prefix test
• 62a8a4b add ./ as a valid test case
• a8ae119 Merge pull request #69 from shibumi/fix-ci
• 11504a3 Fix Github Actions
• fe183c1 Merge pull request #66 from magnusbaeck/go-mod-version
• e033e37 go.mod: Bump required Go version to 1.18
• See full diff in compare view

Updates github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.2.4

Bug Fixes

• Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
• ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
• fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
• Honor creation timestamp for signatures again (#3549)

Features

• Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

Documentation

• add oci bundle spec (#3622)
• Correct help text of triangulate cmd (#3551)
• Correct help text of verify-attestation policy argument (#3527)
• feat: add OVHcloud MPR registry tested with cosign (#3639)

Testing

• Refactor e2e-tests.yml workflow (#3627)
• Clean up and clarify e2e scripts (#3628)
• Don't ignore transparency log in tests if possible (#3528)
• Make E2E tests hermetic (#3499)
• add e2e test for pkcs11 token signing (#3495)

Full Changelog: sigstore/cosign@v2.2.3...v2.2.4

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.2.4

Bug Fixes

• Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
• ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
• fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
• Honor creation timestamp for signatures again (#3549)

Features

• Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

Documentation

• add oci bundle spec (#3622)
• Correct help text of triangulate cmd (#3551)
• Correct help text of verify-attestation policy argument (#3527)
• feat: add OVHcloud MPR registry tested with cosign (#3639)

Testing

• Refactor e2e-tests.yml workflow (#3627)
• Clean up and clarify e2e scripts (#3628)
• Don't ignore transparency log in tests if possible (#3528)
• Make E2E tests hermetic (#3499)
• add e2e test for pkcs11 token signing (#3495)

Commits

• fb651b4 Add v2.2.4 changelog (#3662)
• 629f5f8 Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
• 302aee6 Refactor e2e-tests.yml workflow (#3627)
• d0b9861 chore(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#3649)
• c95439b chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 (#3653)
• 430c985 chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 (#3655)
• 48858a2 chore(deps): bump github.com/xanzy/go-gitlab from 0.101.0 to 0.102.0 (#3652)
• eba7c59 chore(deps): bump golang.org/x/term from 0.18.0 to 0.19.0 (#3651)
• 2d13b65 chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#3650)
• d56c9e8 chore(deps): bump the gomod group with 3 updates (#3648)
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore from 1.8.2 to 1.8.3

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.8.3

What's Changed

• Update embedded TUF root.json to version 9 from root-signing repo by @​lkatalin in sigstore/sigstore#1649
• add support for verifying IEEE P1363 encoded ECDSA sigs by @​bobcallaway in sigstore/sigstore#1686

Full Changelog: sigstore/sigstore@v1.8.2...v1.8.3

Commits

• 1b41d79 add support for verifying IEEE P1363 encoded ECDSA sigs (#1686)
• 65a36c4 Update tuf root.json to version 9 from root-signing repo (#1649)
• 656a152 build(deps): Bump the all group in /pkg/signature/kms/gcp with 1 update
• 06016c2 build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
• 4440161 build(deps): Bump the all group with 2 updates
• 97c04d0 build(deps): Bump the all group in /test/e2e with 1 update
• 25dd9f3 build(deps): Bump the all group with 1 update
• d78dca2 build(deps): Bump the all group in /pkg/signature/kms/aws with 1 update
• 405c5c4 build(deps): Bump the all group
• b7f6993 build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates
• Additional commits viewable in compare view

Updates github.com/tektoncd/pipeline from 0.54.0 to 0.60.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.60.0 "Chinchilla Tobor"

🎉 Artifacts through Sidecar Logs and Concise Resolver Syntax(Stage I)🎉

-Docs @ v0.60.0 -Examples @ v0.60.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.60.0/r...
Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.