Bump the minor-patch group across 2 directories with 4 updates #397

dependabot · 2025-01-27T20:31:36Z

Bumps the minor-patch group with 3 updates in the / directory: github.com/in-toto/attestation, github.com/sigstore/rekor and github.com/google/go-containerregistry.
Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: github.com/in-toto/attestation, github.com/sigstore/rekor and github.com/google/go-containerregistry.

Updates github.com/in-toto/attestation from 1.1.0 to 1.1.1

Release notes

Sourced from github.com/in-toto/attestation's releases.

v1.1.1

What's Changed

Fix broken links to ResourceDescriptor by @alanssitis in in-toto/attestation#367

Update link to SLSA framework proto file by @phantomwhale in in-toto/attestation#382

Simplify SCAI predicate TypeURI by @marcelamelara in in-toto/attestation#380

Add the reference predicate by @mdeicas in in-toto/attestation#375

Add proto definition for vuln predicate type by @hectorj2f in in-toto/attestation#345

vsa: Make verifiedLevels field repeated to match spec by @adityasaky in in-toto/attestation#429

fix discrepencies in v0.2 example by @lumjjb in in-toto/attestation#408

VulnsV2: Add missing invocation to protos and spec by @puerco in in-toto/attestation#434

Expose known algorithms by @puerco in in-toto/attestation#427

add slsa provenance predicate v0.2 protobuf by @kpauljoseph in in-toto/attestation#417

New Contributors

@tannerjones4075 made their first contribution in in-toto/attestation#366

@alanssitis made their first contribution in in-toto/attestation#367

@phantomwhale made their first contribution in in-toto/attestation#382

@mdeicas made their first contribution in in-toto/attestation#375

@Dman0808 made their first contribution in in-toto/attestation#394

@lumjjb made their first contribution in in-toto/attestation#408

@puerco made their first contribution in in-toto/attestation#434

@kpauljoseph made their first contribution in in-toto/attestation#417

Full Changelog: in-toto/attestation@v1.1.0...v1.1.1

Commits

7017ad8 Regenerate attestation libraries (#435)
808ca43 Merge pull request #417 from kpauljoseph/in-toto-v0.2-provenance
2358a9c Merge pull request #427 from puerco/expose-algos
6e0b70a Merge pull request #434 from puerco/vulnsv02-proto
4d9125d Merge pull request #408 from lumjjb/update-vuln-02
e474a1f Fix typo in vulns02 example
72054e5 Fix inconsistencies in vulnsv2 proto vs spec
4a4ddf5 add slsa provenance predicate v0.2
a50a5a1 Expose known algorithms
11ca4fc Regenerate attestation libraries (#430)
Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.3.8 to 1.3.9

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.3.9

Changelog

f3db95b2bb18be7e1904fa25d1bcdb7d55caa73a Cache checkpoint for inactive shards (#2332)

f875aa2d39b2bcef0e84e43a6153447bed0077f6 Support per-shard signing keys (#2330)

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.3.9

Features

Cache checkpoint for inactive shards (#2332)

Support per-shard signing keys (#2330)

Contributors

Hayden B

Commits

b67ee82 build(deps): Bump google.golang.org/grpc from 1.69.4 to 1.70.0
40f29ba build(deps): Bump golang from 51a6466 to 8c10f21
2497b42 build(deps): Bump google/cloud-sdk from 506.0.0 to 507.0.0
ac42c19 build(deps): Bump google.golang.org/api from 0.217.0 to 0.218.0
10e8115 build(deps): Bump the all group with 3 updates
2f182a1 build(deps): Bump google.golang.org/protobuf in the all group
f3db95b Cache checkpoint for inactive shards (#2332)
1cb78ca build(deps): Bump google/cloud-sdk from 505.0.0 to 506.0.0
b68f6bb build(deps): Bump google.golang.org/api from 0.216.0 to 0.217.0
15c696c build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.2.0 to 2.3.0
Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.3 to 1.36.4

Updates github.com/google/go-containerregistry from 0.20.2 to 0.20.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.3

What's Changed

remote/transport: Make bearer transport go-routine-safe by @2opremio in google/go-containerregistry#1806

Expose compare package by @jonjohnsonjr in google/go-containerregistry#2001

fix: redact.URL uses (*URL).Redacted to omit basic-auth password by @bmoylan in google/go-containerregistry#1947

bump actions to latest by @ajayk in google/go-containerregistry#2011

don't pin chainguard-dev/actions by @imjasonh in google/go-containerregistry#2025

Check for 406 status code when handling referrers API endpoint response by @malancas in google/go-containerregistry#2026

mutate: Create a defensive annotations copy by @jonjohnsonjr in google/go-containerregistry#2030

Detect zstd in crane append by @jonjohnsonjr in google/go-containerregistry#2023

bump deps using hack/bump-deps.sh by @imjasonh in google/go-containerregistry#2042

New Contributors

@bmoylan made their first contribution in google/go-containerregistry#1947

@ajayk made their first contribution in google/go-containerregistry#2011

@malancas made their first contribution in google/go-containerregistry#2026

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

Commits

c4dd792 bump deps using hack/bump-deps.sh (#2042)
6bce25e Detect zstd in crane append (#2023)
06dcd85 mutate: Create a defensive annotations copy (#2030)
a9a53a8 check for 406 status code when handling referrers endpoint response (#2026)
4630c40 don't pin chainguard-dev/actions (#2025)
808e354 bump actions to latest (#2011)
a07d1ca fix: redact.URL uses (*URL).Redacted to omit basic-auth password (#1947)
00f182b Expose compare package (#2001)
b8e87ed remote/transport: Make bearer transport go-routine-safe (#1806)
See full diff in compare view

Updates github.com/in-toto/attestation from 1.1.0 to 1.1.1

Release notes

Sourced from github.com/in-toto/attestation's releases.

v1.1.1

What's Changed

Fix broken links to ResourceDescriptor by @alanssitis in in-toto/attestation#367

Update link to SLSA framework proto file by @phantomwhale in in-toto/attestation#382

Simplify SCAI predicate TypeURI by @marcelamelara in in-toto/attestation#380

Add the reference predicate by @mdeicas in in-toto/attestation#375

Add proto definition for vuln predicate type by @hectorj2f in in-toto/attestation#345

vsa: Make verifiedLevels field repeated to match spec by @adityasaky in in-toto/attestation#429

fix discrepencies in v0.2 example by @lumjjb in in-toto/attestation#408

VulnsV2: Add missing invocation to protos and spec by @puerco in in-toto/attestation#434

Expose known algorithms by @puerco in in-toto/attestation#427

add slsa provenance predicate v0.2 protobuf by @kpauljoseph in in-toto/attestation#417

New Contributors

@tannerjones4075 made their first contribution in in-toto/attestation#366

@alanssitis made their first contribution in in-toto/attestation#367

@phantomwhale made their first contribution in in-toto/attestation#382

@mdeicas made their first contribution in in-toto/attestation#375

@Dman0808 made their first contribution in in-toto/attestation#394

@lumjjb made their first contribution in in-toto/attestation#408

@puerco made their first contribution in in-toto/attestation#434

@kpauljoseph made their first contribution in in-toto/attestation#417

Full Changelog: in-toto/attestation@v1.1.0...v1.1.1

Commits

7017ad8 Regenerate attestation libraries (#435)
808ca43 Merge pull request #417 from kpauljoseph/in-toto-v0.2-provenance
2358a9c Merge pull request #427 from puerco/expose-algos
6e0b70a Merge pull request #434 from puerco/vulnsv02-proto
4d9125d Merge pull request #408 from lumjjb/update-vuln-02
e474a1f Fix typo in vulns02 example
72054e5 Fix inconsistencies in vulnsv2 proto vs spec
4a4ddf5 add slsa provenance predicate v0.2
a50a5a1 Expose known algorithms
11ca4fc Regenerate attestation libraries (#430)
Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.3.8 to 1.3.9

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.3.9

Changelog

f3db95b2bb18be7e1904fa25d1bcdb7d55caa73a Cache checkpoint for inactive shards (#2332)

f875aa2d39b2bcef0e84e43a6153447bed0077f6 Support per-shard signing keys (#2330)

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.3.9

Features

Cache checkpoint for inactive shards (#2332)

Support per-shard signing keys (#2330)

Contributors

Hayden B

Commits

b67ee82 build(deps): Bump google.golang.org/grpc from 1.69.4 to 1.70.0
40f29ba build(deps): Bump golang from 51a6466 to 8c10f21
2497b42 build(deps): Bump google/cloud-sdk from 506.0.0 to 507.0.0
ac42c19 build(deps): Bump google.golang.org/api from 0.217.0 to 0.218.0
10e8115 build(deps): Bump the all group with 3 updates
2f182a1 build(deps): Bump google.golang.org/protobuf in the all group
f3db95b Cache checkpoint for inactive shards (#2332)
1cb78ca build(deps): Bump google/cloud-sdk from 505.0.0 to 506.0.0
b68f6bb build(deps): Bump google.golang.org/api from 0.216.0 to 0.217.0
15c696c build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.2.0 to 2.3.0
Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.3 to 1.36.4

Updates github.com/google/go-containerregistry from 0.20.2 to 0.20.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.3

What's Changed

remote/transport: Make bearer transport go-routine-safe by @2opremio in google/go-containerregistry#1806

Expose compare package by @jonjohnsonjr in google/go-containerregistry#2001

fix: redact.URL uses (*URL).Redacted to omit basic-auth password by @bmoylan in google/go-containerregistry#1947

bump actions to latest by @ajayk in google/go-containerregistry#2011

don't pin chainguard-dev/actions by @imjasonh in google/go-containerregistry#2025

Check for 406 status code when handling referrers API endpoint response by @malancas in google/go-containerregistry#2026

mutate: Create a defensive annotations copy by @jonjohnsonjr in google/go-containerregistry#2030

Detect zstd in crane append by @jonjohnsonjr in google/go-containerregistry#2023

bump deps using hack/bump-deps.sh by @imjasonh in google/go-containerregistry#2042

New Contributors

@bmoylan made their first contribution in google/go-containerregistry#1947

@ajayk made their first contribution in google/go-containerregistry#2011

@malancas made their first contribution in google/go-containerregistry#2026

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

Commits

c4dd792 bump deps using hack/bump-deps.sh (#2042)
6bce25e Detect zstd in crane append (#2023)
06dcd85 mutate: Create a defensive annotations copy (#2030)
a9a53a8 check for 406 status code when handling referrers endpoint response (#2026)
4630c40 don't pin chainguard-dev/actions (#2025)
808e354 bump actions to latest (#2011)
a07d1ca fix: redact.URL uses (*URL).Redacted to omit basic-auth password (#1947)
00f182b Expose compare package (#2001)
b8e87ed remote/transport: Make bearer transport go-routine-safe (#1806)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-patch group with 3 updates in the / directory: [github.com/in-toto/attestation](https://github.com/in-toto/attestation), [github.com/sigstore/rekor](https://github.com/sigstore/rekor) and [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry). Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: [github.com/in-toto/attestation](https://github.com/in-toto/attestation), [github.com/sigstore/rekor](https://github.com/sigstore/rekor) and [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry). Updates `github.com/in-toto/attestation` from 1.1.0 to 1.1.1 - [Release notes](https://github.com/in-toto/attestation/releases) - [Commits](in-toto/attestation@v1.1.0...v1.1.1) Updates `github.com/sigstore/rekor` from 1.3.8 to 1.3.9 - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](sigstore/rekor@v1.3.8...v1.3.9) Updates `google.golang.org/protobuf` from 1.36.3 to 1.36.4 Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.20.2...v0.20.3) Updates `github.com/in-toto/attestation` from 1.1.0 to 1.1.1 - [Release notes](https://github.com/in-toto/attestation/releases) - [Commits](in-toto/attestation@v1.1.0...v1.1.1) Updates `github.com/sigstore/rekor` from 1.3.8 to 1.3.9 - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](sigstore/rekor@v1.3.8...v1.3.9) Updates `google.golang.org/protobuf` from 1.36.3 to 1.36.4 Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.20.2...v0.20.3) --- updated-dependencies: - dependency-name: github.com/in-toto/attestation dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: github.com/sigstore/rekor dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: github.com/google/go-containerregistry dependency-type: indirect update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: github.com/in-toto/attestation dependency-type: indirect update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: github.com/sigstore/rekor dependency-type: indirect update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: google.golang.org/protobuf dependency-type: indirect update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>

codysoyland · 2025-01-27T21:00:22Z

The update to go-containerregistry requires go1.23, which we downgraded from in #384. Thoughts on resuming go1.23 requirement? We recently tagged v0.7.0 so users who cannot upgrade their compiler can use the tagged version.

haydentherapper · 2025-01-27T21:06:45Z

I think we should ignore the update, given all of the work that went into keeping the Go mod version lower. go-containerregistry doesn't seem like a critical dependency, as only the example code needs the library.

Signed-off-by: Cody Soyland <codysoyland@github.com>

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 27, 2025

dependabot bot requested a review from a team as a code owner January 27, 2025 20:31

This was referenced Jan 27, 2025

Bump google.golang.org/protobuf from 1.36.3 to 1.36.4 #392

Closed

Bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 #393

Closed

Bump github.com/google/go-containerregistry from 0.20.2 to 0.20.3 in /examples/oci-image-verification #394

Closed

Ignore update to github.com/google/go-containerregistry

3a15c26

Signed-off-by: Cody Soyland <codysoyland@github.com>

codysoyland force-pushed the dependabot/go_modules/minor-patch-cb65e9ce67 branch from 58ca7ac to 3a15c26 Compare January 27, 2025 21:13

codysoyland enabled auto-merge (squash) January 27, 2025 21:16

haydentherapper approved these changes Jan 27, 2025

View reviewed changes

codysoyland merged commit d4fccdf into main Jan 27, 2025
12 checks passed

codysoyland deleted the dependabot/go_modules/minor-patch-cb65e9ce67 branch January 27, 2025 21:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the minor-patch group across 2 directories with 4 updates #397

Bump the minor-patch group across 2 directories with 4 updates #397

dependabot bot commented on behalf of github Jan 27, 2025

codysoyland commented Jan 27, 2025

haydentherapper commented Jan 27, 2025

Bump the minor-patch group across 2 directories with 4 updates #397

Bump the minor-patch group across 2 directories with 4 updates #397

Conversation

dependabot bot commented on behalf of github Jan 27, 2025

v1.1.1

What's Changed

New Contributors

v1.3.9

Changelog

Thanks for all contributors!

v1.3.9

Features

Contributors

v0.20.3

What's Changed

New Contributors

v1.1.1

What's Changed

New Contributors

v1.3.9

Changelog

Thanks for all contributors!

v1.3.9

Features

Contributors

v0.20.3

What's Changed

New Contributors

codysoyland commented Jan 27, 2025

haydentherapper commented Jan 27, 2025