
Bump the backend group with 8 updates #3532

Closed
wants to merge 1 commit

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Dec 4, 2023

Bumps the backend group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/go-git/go-git/v5 | 5.10.0 | 5.10.1 |
| github.com/google/go-containerregistry | 0.16.1 | 0.17.0 |
| github.com/open-policy-agent/opa | 0.58.0 | 0.59.0 |
| github.com/operator-framework/api | 0.19.0 | 0.20.0 |
| github.com/sigstore/cosign | 1.5.2 | 1.13.2 |
| github.com/tektoncd/pipeline | 0.53.2 | 0.54.0 |
| golang.org/x/oauth2 | 0.14.0 | 0.15.0 |
| google.golang.org/api | 0.151.0 | 0.152.0 |

Updates github.com/go-git/go-git/v5 from 5.10.0 to 5.10.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.10.1

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.10.0...v5.10.1

Commits
  • 90348bd Merge pull request #936 from aymanbagabas/more-packp
  • f46d04a plumbing: transport: use git-proto-request and decode error-line errors
  • e2c6ae3 plumbing: handle pktline error-line as errors
  • e187533 plumbing: add git-proto-request type
  • fecea41 Merge pull request #930 from steiler/fixSockets
  • 5349b8a utils: merkletrie, Skip loading sockets as filesystem nodes. Fixes #312
  • c114af0 Merge pull request #752 from pjbgf/rt1
  • 2e14e3a plumbing: transport/git, Improve tests error message
  • 6d62dd1 Merge pull request #932 from aymanbagabas/fix-empty
  • 05551b7 plumbing: fix empty uploadpack request error
  • Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.16.1 to 0.17.0

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.17.0

What's Changed

Full Changelog: google/go-containerregistry@v0.16.1...v0.17.0

Commits

Updates github.com/open-policy-agent/opa from 0.58.0 to 0.59.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.59.0

This release adds tooling to help prepare existing policies for the upcoming OPA 1.0 release. It also contains a mix of improvements, bugfixes and security fixes for third-party libraries.

NOTES:

  • All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

Rego v1

The upcoming release of OPA 1.0, which will be released at a future date, will introduce breaking changes to the Rego language. Most notably:

  • the keywords that currently must be imported through import future.keywords into a module before use will be part of the Rego language by default, without the need to first import them.
  • the if keyword will be required before the body of a rule.
  • the contains keyword will be required when declaring a multi-value rule (partial set rule).
  • deprecated built-in functions will be removed.

This current release (0.59.0) introduces a new --rego-v1 flag to the opa fmt and opa check commands to facilitate the transition of existing policies to be compatible with the 1.0 syntax.

When used with opa fmt, the --rego-v1 flag will format the module(s) according to the new Rego syntax in OPA 1.0. Formatted modules are compatible with both the current version of OPA and 1.0. Modules using deprecated built-ins will terminate formatting with an error. Future versions of OPA will support rewriting applicable function calls with equivalent Rego compatible with 1.0.

When used with opa check, the --rego-v1 flag will check that the modules are compatible with both the current version of OPA and 1.0.

Relevant Changes

Runtime, Tooling, SDK

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.59.0

This release adds tooling to help prepare existing policies for the upcoming OPA 1.0 release. It also contains a mix of improvements, bugfixes and security fixes for third-party libraries.

NOTES:

  • All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

Rego v1

The upcoming release of OPA 1.0, which will be released at a future date, will introduce breaking changes to the Rego language. Most notably:

  • the keywords that currently must be imported through import future.keywords into a module before use will be part of the Rego language by default, without the need to first import them.
  • the if keyword will be required before the body of a rule.
  • the contains keyword will be required when declaring a multi-value rule (partial set rule).
  • deprecated built-in functions will be removed.

This current release (0.59.0) introduces a new --rego-v1 flag to the opa fmt and opa check commands to facilitate the transition of existing policies to be compatible with the 1.0 syntax.

When used with opa fmt, the --rego-v1 flag will format the module(s) according to the new Rego syntax in OPA 1.0. Formatted modules are compatible with both the current version of OPA and 1.0. Modules using deprecated built-ins will terminate formatting with an error. Future versions of OPA will support rewriting applicable function calls with equivalent Rego compatible with 1.0.

When used with opa check, the --rego-v1 flag will check that the modules are compatible with both the current version of OPA and 1.0.

Relevant Changes

Runtime, Tooling, SDK

... (truncated)

Commits
  • c8e7863 Prepare v0.59.0 release (#6447)
  • 7927156 docs: Update generated CLI docs
  • 8497550 Adding --rego-v1 flag to check cmd (#6430)
  • 26a02e4 docs: Update generated CLI docs
  • 187d688 cmd & format: Adding rego-v1 mode to opa fmt (#6413)
  • 4f9058b update istio envoy tutorial to use AuthorizationPolicy
  • 7a32e8f topdown/crypto: Add URIStrings field to JSON certs
  • 8194a22 Fixed XACML Policy in documentation (Comparing to Other Systems) to be XACML ...
  • 0b9bbc5 plugins/rest: masks X-AMZ-SECURITY-TOKEN header in decision logs (#6423)
  • f66f7e0 build(deps): bump golang.org/x/net from 0.18.0 to 0.19.0 (#6441)
  • Additional commits viewable in compare view

Updates github.com/operator-framework/api from 0.19.0 to 0.20.0

Release notes

Sourced from github.com/operator-framework/api's releases.

v0.20.0

What's Changed

New Contributors

Full Changelog: operator-framework/api@v0.19.0...v0.20.0

Commits
  • 5efe1a2 Replace github.com/ghodss/yaml with sigs.k8s.io/yaml (#308)
  • 047dce1 Add additional deprecation types for each level (package, channel, bundle). (...
  • 6b3567d Adds 'OperatorDeprecated' status condition for Subscription. (#306)
  • 3417188 OWNERS: Remove timflannagan from reviewers (#305)
  • See full diff in compare view

Updates github.com/sigstore/cosign from 1.5.2 to 1.13.2

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.13.2

What's Changed

Full Changelog: sigstore/cosign@v1.13.1...v1.13.2

v1.13.1

What's Changed

New Contributors

Full Changelog: sigstore/cosign@v1.13.0...v1.13.1

v1.13.0

Highlights

  • For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version.

What's Changed

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v2.2.1

Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP

Enhancements

  • feat: Support basic auth and bearer auth login to registry (#3310)
  • add support for ignoring certificates with pkcs11 (#3334)
  • Support ReplaceOp in Signatures (#3315)
  • feat: added ability to get image digest back via triangulate (#3255)
  • feat: add --only flag in cosign copy to copy sign, att & sbom (#3247)
  • feat: add support attaching a Rekor bundle to a container (#3246)
  • feat: add support outputting rekor response on signing (#3248)
  • feat: improve dockerfile verify subcommand (#3264)
  • Add guard flag for experimental OCI 1.1 verify. (#3272)
  • Deprecate SBOM attachments (#3256)
  • feat: dedent line in cosign copy doc (#3244)
  • feat: add platform flag to cosign copy command (#3234)
  • Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  • attest: pass OCI remote opts to att resolver. (#3225)

Bug Fixes

  • Merge pull request from GHSA-vfp6-jrw2-99g9
  • fix: allow cosign download sbom when image is absent (#3245)
  • ci: add a OCI registry test for referrers support (#3253)
  • Fix ReplaceSignatures (#3292)
  • Stop using deprecated in_toto.ProvenanceStatement (#3243)
  • Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  • fix: update error in SignedEntity to be more descriptive (#3233)
  • Fail timestamp verification if no root is provided (#3224)

Documentation

  • Add some docs about verifying in an air-gapped environment (#3321)
  • Update CONTRIBUTING.md (#3268)
  • docs: improves the Contribution guidelines (#3257)
  • Remove security policy (#3230)

Others

  • Set go to min 1.21 and update dependencies (#3327)
  • Update contact for code of conduct (#3266)
  • Update .ko.yaml (#3240)

Contributors

  • AdamKorcz
  • Andres Galante
  • Appu
  • Billy Lynch
  • Bob Callaway
  • Caleb Woodbine

... (truncated)

Commits

Updates github.com/tektoncd/pipeline from 0.53.2 to 0.54.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.54.0 "Korat Bender"

🎉 Reusable Steps via StepActions, Param Enums, HTTP Resolver! 🎉

  • Docs @ v0.54.0
  • Examples @ v0.54.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.54.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a6a820444f8789f9b68835a66c6c0ad3cecabee051b9af0c824b04baf1b57433c

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a6a820444f8789f9b68835a66c6c0ad3cecabee051b9af0c824b04baf1b57433c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.54.0/release.yaml
REKOR_UUID=24296fb24b8ad77a6a820444f8789f9b68835a66c6c0ad3cecabee051b9af0c824b04baf1b57433c
# Obtain the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.54.0@sha256:" + .digest.sha256')
# Download the release file (fail on HTTP errors instead of saving an error page)
curl -fsSL "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ TEP-0142: Surface step results via sidecar logs (#7414)

    Surface step results via sidecar logs

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

  • Versions are numbered according to semantic versioning: vX.Y.Z
  • A new release is produced on a monthly basis
  • Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
    • LTS releases take place in January, April, July and October every year
    • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
    • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41, Tekton Pipelines worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

  • The Tekton Pipeline [release process][tekton-releases-docs]
  • [Installing Tekton][tekton-installation]
  • Standard for [release notes][release-notes-standards]

Release

v0.54

  • Latest Release: [v0.54.0][v0.54-0] (2023-11-27) ([docs][v0.54-0-docs], [examples][v0.54-0-examples])
  • Initial Release: [v0.54.0][v0.54-0] (2023-11-27)
  • Estimated End of Life: 2023-12-27
  • Patch Releases: [v0.54.0][v0.54-0]

... (truncated)

Commits
  • 30540fc TEP-0142: Surface step results via sidecar logs
  • b395663 TEP-0142: Surface step results via termination message
  • 8a8c0c3 [TEP-0144] Validate PipelineRun for Param Enum
  • 140b633 TEP-0142: Introduce StepResults in Steps
  • 9f5449c fix: move getFeatureFlagsBaseOnAPIFlag from custom_task_test to another file
  • 5e7b5bb Bump k8s.io/client-go in /test/custom-task-ctrls/wait-task-beta
  • 4054026 Improve migration documentation
  • 4e4772e Cleanup v1beta1 reference in pipelinerun reconciler
  • 23581c5 fix: the pr may lose finallyStartTime when pipeline controller is not synchro...
  • a8bbefe Bump github.com/spiffe/spire-api-sdk from 1.8.1 to 1.8.4
  • Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.14.0 to 0.15.0

Commits

Updates google.golang.org/api from 0.151.0 to 0.152.0

Release notes

Sourced from google.golang.org/api's releases.

v0.152.0

0.152.0 (2023-11-27)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.152.0 (2023-11-27)

Features

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the backend group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.10.0` | `5.10.1` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.16.1` | `0.17.0` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `0.58.0` | `0.59.0` |
| [github.com/operator-framework/api](https://github.com/operator-framework/api) | `0.19.0` | `0.20.0` |
| [github.com/sigstore/cosign](https://github.com/sigstore/cosign) | `1.5.2` | `1.13.2` |
| [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) | `0.53.2` | `0.54.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.14.0` | `0.15.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.151.0` | `0.152.0` |


Updates `github.com/go-git/go-git/v5` from 5.10.0 to 5.10.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.10.0...v5.10.1)

Updates `github.com/google/go-containerregistry` from 0.16.1 to 0.17.0
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.16.1...v0.17.0)

Updates `github.com/open-policy-agent/opa` from 0.58.0 to 0.59.0
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.58.0...v0.59.0)

Updates `github.com/operator-framework/api` from 0.19.0 to 0.20.0
- [Release notes](https://github.com/operator-framework/api/releases)
- [Changelog](https://github.com/operator-framework/api/blob/master/RELEASE.md)
- [Commits](operator-framework/api@v0.19.0...v0.20.0)

Updates `github.com/sigstore/cosign` from 1.5.2 to 1.13.2
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v1.5.2...v1.13.2)

Updates `github.com/tektoncd/pipeline` from 0.53.2 to 0.54.0
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v0.53.2...v0.54.0)

Updates `golang.org/x/oauth2` from 0.14.0 to 0.15.0
- [Commits](golang/oauth2@v0.14.0...v0.15.0)

Updates `google.golang.org/api` from 0.151.0 to 0.152.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.151.0...v0.152.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/operator-framework/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/sigstore/cosign
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/tektoncd/pipeline
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Dec 4, 2023
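The Tekton release notes quoted above verify a release by grepping each attested image reference (`name:v0.54.0@sha256:digest`) out of release.yaml. The following is an added example, not Tekton's, Dependabot's or this repository's code, that performs the same check in Go and generalizes it slightly: the tag is optional so the comparison keys on the digest, the image name must start at a token boundary so a look-alike registry prefix cannot satisfy it, and each subject's sha256 digest is validated before any comparison. The attestation JSON and the manifest snippet are constructed with made-up digests; the image names follow the Tekton naming pattern as an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Subject is one entry of the in-toto Statement "subject" array carried by a
// release attestation: an image name and its digests keyed by algorithm.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type statement struct {
	Subject []Subject `json:"subject"`
}

var sha256Hex = regexp.MustCompile(`^[0-9a-f]{64}$`)

// ParseSubjects decodes the attestation body (what rekor-cli prints under
// .Attestation) and rejects subjects with a missing or malformed sha256 digest,
// so a truncated or hand-edited attestation cannot silently "match" anything.
func ParseSubjects(attestation []byte) ([]Subject, error) {
	var st statement
	if err := json.Unmarshal(attestation, &st); err != nil {
		return nil, fmt.Errorf("decode attestation: %w", err)
	}
	if len(st.Subject) == 0 {
		return nil, fmt.Errorf("attestation lists no subjects")
	}
	for _, s := range st.Subject {
		if d, ok := s.Digest["sha256"]; !ok || !sha256Hex.MatchString(d) {
			return nil, fmt.Errorf("subject %q: missing or malformed sha256 digest", s.Name)
		}
	}
	return st.Subject, nil
}

// MissingSubjects returns every subject whose pinned reference
// <name>[:tag]@sha256:<digest> is absent from the manifest. The tag is optional
// and the name must begin at a token boundary, so the check is on the digest
// rather than on a substring that a look-alike image name could satisfy.
func MissingSubjects(subjects []Subject, releaseYAML string) []string {
	var missing []string
	for _, s := range subjects {
		digest := s.Digest["sha256"] // already validated as 64 hex chars
		pat := `(?m)(^|[\s"'=])` + regexp.QuoteMeta(s.Name) + `(:[^@\s"']+)?@sha256:` + digest + `($|[\s"'])`
		if !regexp.MustCompile(pat).MatchString(releaseYAML) {
			missing = append(missing, s.Name+"@sha256:"+digest)
		}
	}
	return missing
}

// CheckRelease ties the two steps together: parse, then compare.
func CheckRelease(attestation []byte, releaseYAML string) ([]string, error) {
	subjects, err := ParseSubjects(attestation)
	if err != nil {
		return nil, err
	}
	return MissingSubjects(subjects, releaseYAML), nil
}

// Constructed sample data (not real Tekton digests): three attested images, one
// pinned in the manifest at the attested digest, one pinned at a different
// digest, and one the manifest does not reference at all.
var (
	digestOK    = strings.Repeat("ab", 32)
	digestOther = strings.Repeat("cd", 32)
	digestGone  = strings.Repeat("ef", 32)
	imgBase     = "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/" // assumed naming pattern

	SampleAttestation = fmt.Sprintf(`{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {"name": "%[1]scontroller", "digest": {"sha256": "%[2]s"}},
    {"name": "%[1]swebhook",    "digest": {"sha256": "%[3]s"}},
    {"name": "%[1]sresolvers",  "digest": {"sha256": "%[4]s"}}
  ]
}`, imgBase, digestOK, digestOther, digestGone)

	SampleRelease = fmt.Sprintf(`
      containers:
      - name: tekton-pipelines-controller
        image: %[1]scontroller:v0.54.0@sha256:%[2]s
      - name: tekton-pipelines-webhook
        image: %[1]swebhook:v0.54.0@sha256:%[3]s
`, imgBase, digestOK, strings.Repeat("00", 32))
)

func main() {
	missing, err := CheckRelease([]byte(SampleAttestation), SampleRelease)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(missing) == 0 {
		fmt.Println("all attested images are pinned in the release manifest")
		return
	}
	fmt.Println("attested images not pinned in the release manifest:")
	for _, m := range missing {
		fmt.Println("  " + m)
	}
}
```

On the constructed input the check reports the webhook image (manifest pins a different digest) and the resolvers image (not in the manifest); the controller image passes. To run it against a real release, replace SampleAttestation with the output of `rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation` and SampleRelease with the downloaded release.yaml.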

dependabot bot commented on behalf of github Dec 11, 2023

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Dec 11, 2023
@dependabot dependabot bot deleted the dependabot/go_modules/backend-f1cd648add branch December 11, 2023 04:56