fix(deps): update go

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/coreos/go-oidc/v3	v3.10.0 -> v3.11.0
github.com/sigstore/cosign/v2	v2.2.4 -> v2.4.1
github.com/sigstore/sigstore	v1.8.3 -> v1.8.10
github.com/spf13/cobra	v1.8.0 -> v1.8.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

coreos/go-oidc (github.com/coreos/go-oidc/v3)

v3.11.0

Compare Source

What's Changed

• oidc: verify support for algs from discovery by @​ericchiang in https://github.com/coreos/go-oidc/pull/430
• chore(deps): bump dependencies to address security issues by @​clambin in https://github.com/coreos/go-oidc/pull/432
• oidc: ignore cancellation of remote key set context by @​ericchiang in https://github.com/coreos/go-oidc/pull/433

New Contributors

• @​clambin made their first contribution in https://github.com/coreos/go-oidc/pull/432

Full Changelog: coreos/go-oidc@v3.10.0...v3.11.0

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.4.1

Compare Source

v2.4.1 largely contains bug fixes and updates dependencies.

Features

• Added fuzzing coverage to multiple packages

Bug Fixes

• Fix bug in attest-blob when using a timestamp authority with new bundles (#​3877)
• fix: documentation link for installation guide (#​3884)

Contributors

• AdamKorcz
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• Hemil K
• Sota Sugiura
• Zach Steindler

v2.4.0

Compare Source

v2.4.0 begins the modernization of the Cosign client, which includes:

• Support for the newer Sigstore specification-compliant bundle format
• Support for providing trust roots (e.g. Fulcio certificates, Rekor keys)
  through a trust root file, instead of many different flags
• Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

• General support for the trust root file, instead of only when using the bundle
  format during verification
• Simplification of trust root flags and deprecation of the
  Cosign-specific bundle format
• Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

• Add new bundle support to verify-blob and verify-blob-attestation (#​3796)
• Adding protobuf bundle support to sign-blob and attest-blob (#​3752)
• Bump sigstore/sigstore to support email_verified as string or boolean (#​3819)
• Conformance testing for cosign (#​3806)
• move incremental builds per commit to GHCR instead of GCR (#​3808)
• Add support for recording creation timestamp for cosign attest (#​3797)
• Include SCT verification failure details in error message (#​3799)

Contributors

• Bob Callaway
• Hayden B
• Slavek Kabrda
• Zach Steindler
• Zsolt Horvath

v2.3.0

Compare Source

Features

• Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#​3693)
• add registry options to cosign save (#​3645)
• Add debug providers command. (#​3728)
• Make config layers in ociremote mountable (#​3741)
• upgrade to go1.22 (#​3739)
• adds tsa cert chain check for env var or tuf targets. (#​3600)
• add --ca-roots and --ca-intermediates flags to 'cosign verify' (#​3464)
• add handling of keyless verification for all verify commands (#​3761)

Bug Fixes

• fix: close attestationFile (#​3679)
• Set bundleVerified to true after Rekor verification (Resolves #​3740) (#​3745)

Documentation

• Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#​3776)

Testing

• Refactor KMS E2E tests (#​3684)
• Remove sign_blob_test.sh test (#​3707)
• Remove KMS E2E test script (#​3702)
• Refactor insecure registry E2E tests (#​3701)

Contributors

• Billy Lynch
• bminahan73
• Bob Callaway
• Carlos Tadeu Panato Junior
• Cody Soyland
• Colleen Murphy
• Dmitry Savintsev
• guangwu
• Hayden B
• Hector Fernandez
• ian hundere
• Jason Power
• Jon Johnson
• Max Lambrecht
• Meeki1l

sigstore/sigstore (github.com/sigstore/sigstore)

v1.8.10

Compare Source

What's Changed

• fix(kms): fix CreateKey may panic when using GCP KMS by @​mozillazg in https://github.com/sigstore/sigstore/pull/1829
• update to go1.22.7 and ci job by @​cpanato in https://github.com/sigstore/sigstore/pull/1847
• Mark TUF client as deprecated by @​haydentherapper in https://github.com/sigstore/sigstore/pull/1858
• bump to go 1.22.8 by @​cpanato in https://github.com/sigstore/sigstore/pull/1865

and several dependencies updates

New Contributors

• @​mozillazg made their first contribution in https://github.com/sigstore/sigstore/pull/1829

Full Changelog: sigstore/sigstore@v1.8.9...v1.8.10

v1.8.9

Compare Source

What's Changed

• fuzzing: improve coverage by @​AdamKorcz in https://github.com/sigstore/sigstore/pull/1809
• Deserialize ed25519 keys from hashivault correctly by @​stevenjohnstone in https://github.com/sigstore/sigstore/pull/1811
• oauthflow: Add SubjectFromUnverifiedToken by @​adityasaky in https://github.com/sigstore/sigstore/pull/1826

Full Changelog: sigstore/sigstore@v1.8.8...v1.8.9

v1.8.8

Compare Source

What's Changed

• Fixes issue in Device access token request by @​rishabhsvats in https://github.com/sigstore/sigstore/pull/1752
• Support email_verified as a String by @​sabre1041 in https://github.com/sigstore/sigstore/pull/1794
• Dependency updates

Full Changelog: sigstore/sigstore@v1.8.7...v1.8.8

v1.8.7

Compare Source

Dependencies updates only

What's Changed

• build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1770
• build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1769
• build(deps): Bump hashicorp/vault from 1.17.0 to 1.17.1 in /test/e2e in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1767
• build(deps): Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 in /test/fuzz in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1768
• build(deps): Bump golang.org/x/crypto from 0.24.0 to 0.25.0 in /pkg/signature/kms/azure in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1772
• build(deps): Bump the all group across 1 directory with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1776
• build(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.4 in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1771
• build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1773
• build(deps): Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in /pkg/signature/kms/gcp by @​dependabot in https://github.com/sigstore/sigstore/pull/1778
• build(deps): Bump the all group across 1 directory with 4 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1777

Full Changelog: sigstore/sigstore@v1.8.6...v1.8.7

v1.8.6

Compare Source

What's Changed

• Bump goodkey, fix breakage by @​jonjohnsonjr in https://github.com/sigstore/sigstore/pull/1761

New Contributors

• @​jonjohnsonjr made their first contribution in https://github.com/sigstore/sigstore/pull/1761

Full Changelog: sigstore/sigstore@v1.8.5...v1.8.6

v1.8.5

Compare Source

Major are dependencies updates

What's Changed

• build(deps): Bump google.golang.org/api from 0.181.0 to 0.182.0 in /pkg/signature/kms/gcp in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1741
• build(deps): Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 in /test/fuzz in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1743
• build(deps): Bump hashicorp/vault from 1.16.2 to 1.16.3 in /test/e2e in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1742
• build(deps): Bump github.com/aws/aws-sdk-go from 1.53.10 to 1.53.14 in /pkg/signature/kms/aws in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1740
• build(deps): Bump actions/dependency-review-action from 4.3.2 to 4.3.3 in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1746
• build(deps): Bump the all group in /pkg/signature/kms/azure with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1744
• build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1745
• build(deps): Bump dexidp/dex from v2.39.1 to v2.40.0 in /test/e2e in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1748
• build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1749
• Update to latest letsencrypt/boulder. by @​kommendorkapten in https://github.com/sigstore/sigstore/pull/1753
• build(deps): Bump actions/checkout from 4.1.6 to 4.1.7 in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1760
• build(deps): Bump the all group in /pkg/signature/kms/aws with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1759
• build(deps): Bump the all group in /test/e2e with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1758
• build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1756
• build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 in /pkg/signature/kms/azure in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1755
• build(deps): Bump github.com/hashicorp/go-retryablehttp from 0.7.6 to 0.7.7 in /pkg/signature/kms/hashivault by @​dependabot in https://github.com/sigstore/sigstore/pull/1766
• build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1765
• build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1764
• build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.6.0 to 1.7.0 in /pkg/signature/kms/azure in the all group by @​dependabot in https://github.com/sigstore/sigstore/pull/1762
• build(deps): Bump the all group across 1 directory with 6 updates by @​dependabot in https://github.com/sigstore/sigstore/pull/1763

Full Changelog: sigstore/sigstore@v1.8.4...v1.8.5

v1.8.4

Compare Source

What's Changed

• finish move of reusable-release to sigstore/community by @​bobcallaway in https://github.com/sigstore/sigstore/pull/1699
• update Makefile so CodeQL covers all go files by @​bobcallaway in https://github.com/sigstore/sigstore/pull/1700
• bump go to 1.21 by @​bobcallaway in https://github.com/sigstore/sigstore/pull/1701
• pin container images to quiet scorecard alert by @​bobcallaway in https://github.com/sigstore/sigstore/pull/1709
• set gh action perms by @​bobcallaway in https://github.com/sigstore/sigstore/pull/1710
• tuf: Remove debug metadata downloads by @​jku in https://github.com/sigstore/sigstore/pull/1717
• Fix Hashicorp Vault KMS to use PKCS1 v1.5 by @​berkitamas in https://github.com/sigstore/sigstore/pull/1736

New Contributors

• @​jku made their first contribution in https://github.com/sigstore/sigstore/pull/1717
• @​berkitamas made their first contribution in https://github.com/sigstore/sigstore/pull/1736

Full Changelog: sigstore/sigstore@v1.8.3...v1.8.4

spf13/cobra (github.com/spf13/cobra)

v1.8.1

Compare Source

✨ Features

• Add env variable to suppress completion descriptions on create by @​scop in https://github.com/spf13/cobra/pull/1938

🐛 Bug fixes

• Micro-optimizations by @​scop in https://github.com/spf13/cobra/pull/1957

🔧 Maintenance

• build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.3 to 2.0.4 by @​dependabot in https://github.com/spf13/cobra/pull/2127
• Consistent annotation names by @​nirs in https://github.com/spf13/cobra/pull/2140
• Remove fully inactivated linters by @​nirs in https://github.com/spf13/cobra/pull/2148
• Address golangci-lint deprecation warnings, enable some more linters by @​scop in https://github.com/spf13/cobra/pull/2152

🧪 Testing & CI/CD

• Add test for func in cobra.go by @​korovindenis in https://github.com/spf13/cobra/pull/2094
• ci: test golang 1.22 by @​cyrilico in https://github.com/spf13/cobra/pull/2113
• Optimized and added more linting by @​scop in https://github.com/spf13/cobra/pull/2099
• build(deps): bump actions/setup-go from 4 to 5 by @​dependabot in https://github.com/spf13/cobra/pull/2087
• build(deps): bump actions/labeler from 4 to 5 by @​dependabot in https://github.com/spf13/cobra/pull/2086
• build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @​dependabot in https://github.com/spf13/cobra/pull/2108
• build(deps): bump actions/cache from 3 to 4 by @​dependabot in https://github.com/spf13/cobra/pull/2102

✏️ Documentation

• Fixes and docs for usage as plugin by @​nirs in https://github.com/spf13/cobra/pull/2070
• flags: clarify documentation that LocalFlags related function do not modify the state by @​niamster in https://github.com/spf13/cobra/pull/2064
• chore: remove repetitive words by @​racerole in https://github.com/spf13/cobra/pull/2122
• Add LXC to the list of projects using Cobra @​VaradBelwalkar in https://github.com/spf13/cobra/pull/2071
• Update projects_using_cobra.md by @​marcuskohlberg in https://github.com/spf13/cobra/pull/2089
• [chore]: update projects using cobra by @​cmwylie19 in https://github.com/spf13/cobra/pull/2093
• Add Taikun CLI to list of projects by @​Smidra in https://github.com/spf13/cobra/pull/2098
• Add Incus to the list of projects using Cobra by @​montag451 in https://github.com/spf13/cobra/pull/2118

New Contributors

• @​VaradBelwalkar made their first contribution in https://github.com/spf13/cobra/pull/2071
• @​marcuskohlberg made their first contribution in https://github.com/spf13/cobra/pull/2089
• @​cmwylie19 made their first contribution in https://github.com/spf13/cobra/pull/2093
• @​korovindenis made their first contribution in https://github.com/spf13/cobra/pull/2094
• @​niamster made their first contribution in https://github.com/spf13/cobra/pull/2064
• @​Smidra made their first contribution in https://github.com/spf13/cobra/pull/2098
• @​montag451 made their first contribution in https://github.com/spf13/cobra/pull/2118
• @​cyrilico made their first contribution in https://github.com/spf13/cobra/pull/2113
• @​racerole made their first contribution in https://github.com/spf13/cobra/pull/2122
• @​pedromotita made their first contribution in https://github.com/spf13/cobra/pull/2120
• @​cubxxw made their first contribution in https://github.com/spf13/cobra/pull/2128

---

Thank you everyone who contributed to this release and all your hard work! Cobra and this community would never be possible without all of you!!!! 🐍

Full Changelog: spf13/cobra@v1.8.0...v1.8.1

---

Configuration

📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 54 additional dependencies were updated

Details:

Package	Change
github.com/Microsoft/go-winio	v0.6.1 -> v0.6.2
github.com/aliyun/credentials-go	v1.3.1 -> v1.3.2
github.com/aws/aws-sdk-go-v2	v1.26.0 -> v1.30.5
github.com/aws/aws-sdk-go-v2/config	v1.27.9 -> v1.27.33
github.com/aws/aws-sdk-go-v2/credentials	v1.17.9 -> v1.17.32
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.16.0 -> v1.16.13
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.3.4 -> v1.3.17
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.6.4 -> v2.6.17
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.0 -> v1.8.1
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.11.1 -> v1.11.4
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.11.6 -> v1.11.19
github.com/aws/aws-sdk-go-v2/service/sso	v1.20.3 -> v1.22.7
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.23.3 -> v1.26.7
github.com/aws/aws-sdk-go-v2/service/sts	v1.28.5 -> v1.30.7
github.com/aws/smithy-go	v1.20.1 -> v1.20.4
github.com/buildkite/agent/v3	v3.62.0 -> v3.81.0
github.com/buildkite/go-pipeline	v0.3.2 -> v0.13.1
github.com/buildkite/interpolate	v0.0.0-20200526001904-07f35b4ae251 -> v0.1.3
github.com/docker/cli	v24.0.7+incompatible -> v27.1.1+incompatible
github.com/go-jose/go-jose/v4	v4.0.1 -> v4.0.4
github.com/go-logr/logr	v1.4.1 -> v1.4.2
github.com/google/certificate-transparency-go	v1.1.8 -> v1.2.1
github.com/google/go-containerregistry	v0.19.1 -> v0.20.2
github.com/google/s2a-go	v0.1.7 -> v0.1.8
github.com/googleapis/enterprise-certificate-proxy	v0.3.2 -> v0.3.3
github.com/klauspost/compress	v1.17.4 -> v1.17.9
github.com/letsencrypt/boulder	v0.0.0-20231026200631-000cd05d5491 -> v0.0.0-20240620165639-de9c06129bec
github.com/mozillazg/docker-credential-acr-helper	v0.3.0 -> v0.4.0
github.com/oleiade/reflections	v1.0.1 -> v1.1.0
github.com/pelletier/go-toml/v2	v2.1.0 -> v2.2.2
github.com/sigstore/fulcio	v1.4.5 -> v1.6.3
github.com/spf13/viper	v1.18.2 -> v1.19.0
github.com/spiffe/go-spiffe/v2	v2.2.0 -> v2.3.0
github.com/xanzy/go-gitlab	v0.102.0 -> v0.109.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.49.0 -> v0.54.0
go.opentelemetry.io/otel	v1.24.0 -> v1.29.0
go.opentelemetry.io/otel/metric	v1.24.0 -> v1.29.0
go.opentelemetry.io/otel/trace	v1.24.0 -> v1.29.0
go.step.sm/crypto	v0.44.2 -> v0.51.2
golang.org/x/crypto	v0.22.0 -> v0.28.0
golang.org/x/exp	v0.0.0-20231108232855-2478ac86f678 -> v0.0.0-20240613232115-7f521ea00fb8
golang.org/x/mod	v0.16.0 -> v0.20.0
golang.org/x/net	v0.23.0 -> v0.28.0
golang.org/x/sync	v0.7.0 -> v0.8.0
golang.org/x/sys	v0.20.0 -> v0.26.0
golang.org/x/term	v0.19.0 -> v0.25.0
golang.org/x/text	v0.14.0 -> v0.19.0
golang.org/x/time	v0.5.0 -> v0.6.0
google.golang.org/api	v0.172.0 -> v0.196.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240318140521-94a12d6c2237 -> v0.0.0-20240903143218-8af14fe29dc1
google.golang.org/grpc	v1.62.1 -> v1.66.0
google.golang.org/protobuf	v1.33.0 -> v1.34.2
k8s.io/utils	v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240502163921-fe8a2dddb1d0
sigs.k8s.io/release-utils	v0.7.7 -> v0.8.4