@renovate-bot renovate-bot commented Jun 1, 2025

This PR contains the following updates:

Package                                                 Change
github.com/coreos/go-oidc/v3                            v3.11.0 -> v3.14.1
github.com/go-openapi/swag                              v0.23.0 -> v0.23.1
github.com/google/go-cmp                                v0.6.0 -> v0.7.0
github.com/secure-systems-lab/go-securesystemslib       v0.8.0 -> v0.9.0
github.com/sigstore/cosign/v2                           v2.4.1 -> v2.5.2
github.com/sigstore/rekor                               v1.3.6 -> v1.3.10
github.com/sigstore/sigstore                            v1.8.10 -> v1.9.5
github.com/sigstore/sigstore-go                         v0.6.1 -> v0.7.3
github.com/spf13/cobra                                  v1.8.1 -> v1.9.1
golang.org/x/oauth2                                     v0.23.0 -> v0.30.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

coreos/go-oidc (github.com/coreos/go-oidc/v3)

v3.14.1

Compare Source

What's Changed

Full Changelog: coreos/go-oidc@v3.14.0...v3.14.1

v3.14.0

Compare Source

What's Changed

Full Changelog: coreos/go-oidc@v3.13.0...v3.14.0

v3.13.0

Compare Source

What's Changed

Full Changelog: coreos/go-oidc@v3.12.0...v3.13.0

v3.12.0

Compare Source

What's Changed

Full Changelog: coreos/go-oidc@v3.11.0...v3.12.0

go-openapi/swag (github.com/go-openapi/swag)

v0.23.1

Compare Source

google/go-cmp (github.com/google/go-cmp)

v0.7.0

Compare Source

New API:

  • (#​367) Support compare functions with SortSlices and SortMaps

Panic messaging:

  • (#​370) Detect proto.Message types when failing to export a field

secure-systems-lab/go-securesystemslib (github.com/secure-systems-lab/go-securesystemslib)

v0.9.0

Compare Source

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.5.2

Compare Source

Bug Fixes

  • Do not load trusted root when CT env key is set

Documentation

  • docs: improve doc for --no-upload option (#​4206)

v2.5.1

Compare Source

Features

  • Add Rekor v2 support for trusted-root create (#​4242)
  • Add baseUrl and Uri to trusted-root create command
  • Upgrade to TUF v2 client with trusted root
  • Don't verify SCT for a private PKI cert (#​4225)
  • Bump TSA library to relax EKU chain validation rules (#​4219)

Bug Fixes

  • Bump sigstore-go to pick up log index=0 fix (#​4162)
  • remove unused recursive flag on attest command (#​4187)

Docs

  • Fix indentation in verify-blob cmd examples (#​4160)

Releases

  • ensure we copy the latest tags on each release (#​4157)

Contributors

  • arthurus-rex
  • Babak K. Shandiz
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Colleen Murphy
  • Dmitry Savintsev
  • Emmanuel Ferdman
  • Hayden B
  • Ville Skyttä

v2.5.0

Compare Source

v2.5.0 includes an implementation of the new bundle specification,
attesting and verifying OCI image attestations uploaded as OCI artifacts.
This feature is currently gated behind the --new-bundle-format flag
when running cosign attest.

Features

  • Add support for new bundle specification for attesting/verifying OCI image attestations (#​3889)
  • Feat/non filename completions (#​4115)
  • Add TSA certificate related flags and fields for cosign attest (#​4079)

Fixes

  • cmd/cosign/cli: fix typo in ignoreTLogMessage (#​4111)
  • Fix replace with compliant image mediatype (#​4077)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Ramon Petgrave
  • Riccardo Schirone
  • Stef Graces
  • Ville Skyttä

v2.4.3

Compare Source

Features

  • Bump sigstore/sigstore to support KMS plugins (#​4073)
  • Enable fetching signatures without remote get. (#​4047)
  • Feat/file flag completion improvements (#​4028)
  • Update builder to use go1.23.6 (#​4052)

Bug Fixes

  • fix parsing error in --only for cosign copy (#​4049)

Cleanup

  • Refactor verifyNewBundle into library function (#​4013)
  • fix comment typo and imports order (#​4061)
  • sync comment with parameter name in function signature (#​4063)
  • sort properly Go imports (#​4071)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Tomasz Janiszewski
  • Ville Skyttä

v2.4.2

Compare Source

Features

  • Updated open-policy-agent to 1.1.0 library (#​4036)
    • Note that only Rego v0 policies are supported at this time
  • Add UseSignedTimestamps to CheckOpts, refactor TSA options (#​4006)
  • Add support for verifying root checksum in cosign initialize (#​3953)
  • Detect if user supplied a valid protobuf bundle (#​3931)
  • Add a log message if user doesn't provide --trusted-root (#​3933)
  • Support mTLS towards container registry (#​3922)
  • Add bundle create helper command (#​3901)
  • Add trusted-root create helper command (#​3876)

Bug Fixes

  • fix: set tls config while retaining other fields from default http transport (#​4007)
  • policy fuzzer: ignore known panics (#​3993)
  • Fix for multiple WithRemote options (#​3982)
  • Add nightly conformance test workflow (#​3979)
  • Fix copy --only for signatures + update/align docs (#​3904)

Documentation

  • Remove usage.md from spec, point to client spec (#​3918)
  • move reference from gcr to ghcr (#​3897)

Contributors

  • AdamKorcz
  • Aditya Sirish
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Hayden B
  • Jussi Kukkonen
  • Marco Franssen
  • Nianyu Shen
  • Slavek Kabrda
  • Søren Juul
  • Warren Hodgkinson
  • Zach Steindler

sigstore/rekor (github.com/sigstore/rekor)

v1.3.10

Compare Source

Note that Rekor v1 is in maintenance mode as we are actively developing
its successor, Rekor v2, designed to be easy to maintain and cheaper to operate.
See the README for more information.

Features

  • Added --client-signing-algorithms flag (#​1974)

Fixes / Misc

  • emit unpopulated values when marshalling (#​2438)
  • pkg/api: better logs when algorithm registry rejects a key (#​2429)
  • chore: improve mysql readiness checks (#​2397)

Contributors

  • Bob Callaway
  • cangqiaoyuzhuo
  • Carlos Tadeu Panato Junior
  • cpanato
  • Hayden B
  • Praful Khanduri
  • Ramon Petgrave
  • Riccardo Schirone
  • rubyisrust
  • Sascha Grunert

v1.3.9

Compare Source

Features

  • Cache checkpoint for inactive shards (#​2332)
  • Support per-shard signing keys (#​2330)

Contributors

  • Hayden B

v1.3.8

Compare Source

Bug Fixes

Quality Enhancements

  • chore: relax go directive to permit 1.22.x
  • fetch minisign from homebrew instead of custom ppa (#​2329)
  • fix(ci): simplify GOVERSION extraction
  • chore(deps): bump actions pins to latest
  • Updates go and golangci-lint (#​2302)
  • update builder to use go1.23.4 (#​2301)
  • clean up spaces
  • log request body on 500 error to aid debugging (#​2283)

Contributors

  • Appu Goundan
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Dominic Evans
  • sgpinkus

v1.3.7

Compare Source

New Features

  • log request body on 500 error to aid debugging (#​2283)
  • Add support for signing with Tink keyset (#​2228)
  • Add public key hash check in Signed Note verification (#​2214)
  • update Trillian TLS configuration (#​2202)
  • Add TLS support for Trillian server (#​2164)
  • Replace docker-compose with plugin if available (#​2153)
  • Add flags to backfill script (#​2146)
  • Unset DisableKeepalive for backfill HTTP client (#​2137)
  • Add script to delete indexes from Redis (#​2120)
  • Run CREATE statement in backfill script (#​2109)
  • Add MySQL support to backfill script (#​2081)
  • Run e2e tests on mysql and redis index backends (#​2079)

Bug Fixes

  • remove unneeded value in log message (#​2282)
  • Add error message when computing consistency proof (#​2278)
  • fix validation error handling on API (#​2217)
  • fix error in pretty-printed inclusion proof from verify subcommand (#​2210)
  • Fix index scripts (#​2203)
  • fix failing sharding test
  • Better error handling in backfill script (#​2148)
  • Batch entries in cleanup script (#​2158)
  • Add missing workflow for index cleanup test (#​2121)
  • hashedrekord: fix schema $id (#​2092)

Contributors

  • Aditya Sirish
  • Bob Callaway
  • Colleen Murphy
  • cpanato
  • Firas Ghanmi
  • Hayden B
  • Hojoung (Brian) Jang
  • William Woodruff

sigstore/sigstore (github.com/sigstore/sigstore)

v1.9.5

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.9.4...v1.9.5

v1.9.4

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.9.3...v1.9.4

v1.9.3

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.9.2...v1.9.3

v1.9.2

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.9.1...v1.9.2

v1.9.1

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.9.0...v1.9.1

v1.9.0

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.8.15...v1.9.0

v1.8.15

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.8.14...v1.8.15

v1.8.14

Compare Source

What's Changed

This is the same content as v1.8.13, with a CI/CD fix.

v1.8.13

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.8.12...v1.8.13

v1.8.12

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.8.11...v1.8.12

v1.8.11

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.8.10...v1.8.11

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v0.7.3

Compare Source

Note: v0.7.3 will likely be the last release before v1.0.

What's Changed

Full Changelog: sigstore/sigstore-go@v0.7.2...v0.7.3

v0.7.2

Compare Source

What's Changed

Full Changelog: sigstore/sigstore-go@v0.7.1...v0.7.2

v0.7.1

Compare Source

What's Changed

Full Changelog: sigstore/sigstore-go@v0.7.0...v0.7.1

v0.7.0

Compare Source

Breaking Changes

What's Changed

New Contributors

Full Changelog: sigstore/sigstore-go@v0.6.2...v0.7.0

v0.6.2

Compare Source

This is a minor release to enable better error handling in the gh CLI.

What's Changed

Full Changelog: sigstore/sigstore-go@v0.6.1...v0.6.2

spf13/cobra (github.com/spf13/cobra)

v1.9.1

Compare Source

🐛 Fixes

Full Changelog: spf13/cobra@v1.9.0...v1.9.1

v1.9.0

Compare Source

✨ Features

🐛 Fixes

🤖 Completions

🧪 Testing

✍🏼 Documentation

🔧 Dependency upgrades


Thank you to all of our amazing


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

forking-renovate bot commented Jun 1, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: module github.com/sigstore/cosign/[email protected] requires go >= 1.24.0; switching to go1.24.4
go: downloading go1.24.4 (linux/amd64)
go: download go1.24.4: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off

@renovate-bot renovate-bot requested review from a team as code owners June 1, 2025 01:26
Signed-off-by: Mend Renovate <[email protected]>
@forking-renovate

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
