Releases: sigstore/cosign
v1.11.1
What's Changed
- add stale workflow using the workflow template by @cpanato in #2175
- Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
- add release cadence section in the readme by @cpanato in #2179
- bump scaffold in tests to use release v0.4.5 by @cpanato in #2180
- Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 by @dependabot in #2181
- Bump google.golang.org/api from 0.92.0 to 0.93.0 by @dependabot in #2183
- Bump github.com/go-openapi/swag from 0.22.1 to 0.22.3 by @dependabot in #2182
- Bump github/codeql-action from 2.1.18 to 2.1.19 by @dependabot in #2184
- Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #2185
- bump fulcio dep to 0.5.2 by @k4leung4 in #2176
- feat: Rework fig autocomplete command by @dirien in #2187
- Bump github.com/sigstore/fulcio from 0.5.2 to 0.5.3 by @dependabot in #2190
- Bump github.com/xanzy/go-gitlab from 0.72.0 to 0.73.0 by @dependabot in #2191
- Bump github/codeql-action from 2.1.19 to 2.1.20 by @dependabot in #2193
- Bump actions/cache from 3.0.7 to 3.0.8 by @dependabot in #2192
- Bump github.com/xanzy/go-gitlab from 0.73.0 to 0.73.1 by @dependabot in #2195
- Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #2196
- fix: fix typo that caused attestation verification failure by @asraa in #2199
Full Changelog: v1.11.0...v1.11.1
Thanks to all contributors!
v1.11.0
What's Changed
- Update CHANGELOG for 1.10.1 release by @priyawadhwa in #2130
- Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in #2129
- Bump github.com/go-piv/piv-go from 1.9.0 to 1.10.0 by @dependabot in #2135
- Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #2136
- Bump github.com/xanzy/go-gitlab from 0.70.0 to 0.71.0 by @dependabot in #2142
- Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 by @dependabot in #2140
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.6 to 0.1.7 by @dependabot in #2141
- Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
- Add notes to clarify registry use. by @bendory in #2145
- Use TUF from scaffolding for validating cosign. by @vaikas in #2146
- Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #2151
- Bump google.golang.org/api from 0.91.0 to 0.92.0 by @dependabot in #2150
- Bump tests to use scaffolding-0.4.3. by @vaikas in #2153
- docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
- Bump github.com/xanzy/go-gitlab from 0.71.0 to 0.72.0 by @dependabot in #2148
- Bump go.uber.org/atomic from 1.9.0 to 1.10.0 by @dependabot in #2155
- Bump actions/github-script from 6.1.0 to 6.1.1 by @dependabot in #2156
- fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
- Run tests using Go 1.18 by @imjasonh in #2093
- Bump sigs.k8s.io/release-utils from 0.6.0 to 0.7.3 by @dependabot in #2102
- fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
- fix handling of verify-attestation types for URIs by @otms61 in #2159
- bump to scaffolding v0.4.4 by @vaikas in #2165
- fix oidc post-merge job by @cpanato in #2164
- Remove third_party by @imjasonh in #2166
- use updated device flow logic with PKCE by @bobcallaway in #2163
- fix: rekor get tlog entry with uuid by @asraa in #2058
- update e2e job to run only when push to main by @cpanato in #2169
- Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #2168
- fix: add env cmd to root by @developer-guy in #2171
- Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 by @dependabot in #2167
- fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162
- add changelog for v1.11.0 by @cpanato in #2173
- update builder image by @cpanato in #2174
New Contributors
- @wata727 made their first contribution in #2139
- @bendory made their first contribution in #2145
- @nkreiger made their first contribution in #2118
- @dsa0x made their first contribution in #2162
Full Changelog: v1.10.1...v1.11.0
Thanks to all contributors!
v1.10.1
This release fixes a security issue: cosign verify-attestation --type can report a false positive if any attestation exists (GHSA-vjxv-45g9-9296).
What's Changed
- Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in #2088
- Remove knative/pkg deps by @imjasonh in #2092
- add flag to allow skipping upload to transparency log by @k4leung4 in #2089
- Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in #2100
- Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
- Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
- Fix field names in the vulnerability attestation by @otms61 in #2099
- Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 by @dependabot in #2103
- remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
- Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #2107
- Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in #2106
- ✨ Enable Scorecard badge by @azeemshaikh38 in #2109
- Resolves #522 set Created date to time of execution by @Lerentis in #2108
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #2110
- Introduce a custom error type to classify errors. by @mattmoor in #2114
- Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #2112
- Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in #2111
- feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
- Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 by @dependabot in #2115
- Bump mikefarah/yq from 4.26.1 to 4.27.2 by @dependabot in #2116
- update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
- Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 by @dependabot in #2120
- chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
- Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in #2125
- Correct the type used for attest by @mattmoor in #2128
New Contributors
- @otms61 made their first contribution in #2099
- @azeemshaikh38 made their first contribution in #2109
- @Lerentis made their first contribution in #2108
Full Changelog: v1.10.0...v1.10.1
Thanks to all contributors!
v1.10.0
What's Changed
- Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in #1948
- Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in #1951
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 by @dependabot in #1958
- Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in #1943
- Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #1963
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 by @dependabot in #1968
- Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #1970
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #1980
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #1979
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix typos by @cpanato in #1982
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 by @dependabot in #1988
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Bump sigstore/sigstore to HEAD by @puerco in #1995
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in #1999
- Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #2000
- Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 by @dependabot in #1996
- Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #2001
- encrypt values to create the github action secret by @cpanato in #1990
- Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in #2009
- Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #2013
- Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #2012
- Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 by @dependabot in #2011
- Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in #2010
- Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in #2015
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Bump mikefarah/yq from 4.25.2 to 4.25.3 by @dependabot in #2022
- Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in #2021
- Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #2023
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in #2026
- Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 by @dependabot in #2029
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #2033
- feat: cert-extensions verify by @developer-guy in #1626
- Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in #2035
- Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in #2036
- Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #2038
- Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in #2037
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 by @dependabot in #2032
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #2042
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051
- remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
- update ct/otel and etcd by @cpanato in #2054
- Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 by @dependabot in #2046
- update to go 1.18 by @asraa in #2059
- Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in #2066
- Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #2065
- Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #2060
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #2062
- Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 by @dependabot in #2063
- chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
- Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in #2064
- Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #2073
- Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 by @dependabot in #2075
- Bump mikefarah/yq from 4.25.3 to 4.26.1 by @dependabot in #2076
- Remove replace directives in go.mod. by @wlynch in #2070
- update design doc link by @bobcallaway in #2077
- Remove hack/tools.go by @imjasonh in #2080
- Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in #2081
- Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #2078
- Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 by @dependabot in #2079
- update builder image to use go1.18.4 by @cpanato in #2086
- add changelog for v1.10.0 release by @cpanato in #2087
- fix missing quote by @cpanato in #2090
New Contributors
- @ciaracarey made their first contribution in #1966
- @JBrejnholt made their first contribution in #1972
*...
v1.10.0-rc.1
Thanks to all contributors!
What's Changed
- Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in #1948
- Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in #1951
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 by @dependabot in #1958
- Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in #1943
- Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #1963
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 by @dependabot in #1968
- Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #1970
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #1980
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #1979
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix typos by @cpanato in #1982
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 by @dependabot in #1988
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Bump sigstore/sigstore to HEAD by @puerco in #1995
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in #1999
- Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #2000
- Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 by @dependabot in #1996
- Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #2001
- encrypt values to create the github action secret by @cpanato in #1990
- Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in #2009
- Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #2013
- Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #2012
- Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 by @dependabot in #2011
- Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in #2010
- Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in #2015
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Bump mikefarah/yq from 4.25.2 to 4.25.3 by @dependabot in #2022
- Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in #2021
- Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #2023
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in #2026
- Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 by @dependabot in #2029
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #2033
- feat: cert-extensions verify by @developer-guy in #1626
- Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in #2035
- Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in #2036
- Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #2038
- Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in #2037
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 by @dependabot in #2032
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #2042
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051
- remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
- update ct/otel and etcd by @cpanato in #2054
- Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 by @dependabot in #2046
- update to go 1.18 by @asraa in #2059
- Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in #2066
- Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #2065
- Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #2060
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #2062
- Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 by @dependabot in #2063
- chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
- Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in #2064
- Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #2073
- Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 by @dependabot in #2075
- Bump mikefarah/yq from 4.25.3 to 4.26.1 by @dependabot in #2076
- Remove replace directives in go.mod. by @wlynch in #2070
- update design doc link by @bobcallaway in #2077
- Remove hack/tools.go by @imjasonh in #2080
- Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in #2081
- Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #2078
- Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 by @dependabot in #2079
- update builder image to use go1.18.4 by @cpanato in #2086
- add changelog for v1.10.0 release by @cpanato in #2087
New Contributors
- @ciaracarey made their first contribution in #1966
- @JBrejnholt made their first contribution in #1972
- @woodruffw made their first contribution in h...
v1.9.0
What's Changed
- Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 by @dependabot in #1808
- update changelog for 1.8.0 by @cpanato in #1807
- Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in #1809
- Bump google.golang.org/api from 0.75.0 to 0.76.0 by @dependabot in #1810
- Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in #1814
- Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @dependabot in #1813
- Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
- [Cosigned] Add signature pull secrets by @DennyHoang in #1805
- feat: add rego policy support by @hectorj2f in #1817
- Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
- cosigned: Test unsupported KMS providers by @imjasonh in #1820
- chore(deps): Included dependency review by @naveensrinivasan in #1792
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 by @dependabot in #1828
- Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @dependabot in #1830
- Add auth flow option to KeyOpts. by @wlynch in #1827
- Bump google.golang.org/api from 0.76.0 to 0.77.0 by @dependabot in #1829
- Bump mikefarah/yq from 4.24.5 to 4.25.1 by @dependabot in #1831
- Document Staging instance usage with Keyless by @k4leung4 in #1824
- New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
- Validate tlog entry when verifying signature via public key. by @wlynch in #1833
- Add function to explicitly request a certain provider by @priyawadhwa in #1837
- cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
- Bump google.golang.org/api from 0.77.0 to 0.78.0 by @dependabot in #1838
- Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 by @dependabot in #1843
- remove exclude from go.mod by @cpanato in #1846
- [Cosigned] Glob matching improvement by @DennyHoang in #1842
- Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 by @dependabot in #1851
- sget: Enable KMS providers for sget by @imjasonh in #1852
- Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
- Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
- Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 by @dependabot in #1857
- Bump google.golang.org/api from 0.78.0 to 0.79.0 by @dependabot in #1858
- If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
- Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
- Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in #1864
- Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in #1863
- Normalize certificate flag names by @haydentherapper in #1868
- Check certificate policy flags with only a certificate by @haydentherapper in #1869
- Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
- Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in #1870
- Point git commit FUN.md to gitsign! by @wlynch in #1874
- Bump actions/github-script from 6.0.0 to 6.1.0 by @dependabot in #1876
- Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in #1875
- [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
- go.mod: format go.mod by @zchee in #1879
- Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in #1886
- Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @dependabot in #1884
- Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
- tree: only report artifacts that are present by @ribbybibby in #1872
- update README with ebpf modules by @EItanya in #1888
- Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
- Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in #1891
- v1beta1 API for cosigned by @vaikas in #1890
- Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in #1898
- Bump google.golang.org/api from 0.79.0 to 0.80.0 by @dependabot in #1897
- tree: support --attachment-tag-prefix by @ribbybibby in #1900
- [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
- GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
- The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
- Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in #1907
- Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 by @dependabot in #1906
- [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 by @dependabot in #1883
- Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 by @dependabot in #1902
- Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
- Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 by @dependabot in #1913
- Add support for "**" in image glob matching by @imjasonh in #1914
- Add privacy statement for PII storage by @haydentherapper in #1909
- Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 by @dependabot in #1920
- Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 by @dependabot in #1919
- Bump google.golang.org/api from 0.80.0 to 0.81.0 by @dependabot in #1918
- Bump ossf/scorecard-action from 1.0.4 to 1.1.0 by @dependabot in #1922
- Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in #1916
- Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in #1915
- Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in #1927
- Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 by @dependabot in #1926
- Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #1924
- Do not push to public rekor. by @vaikas in #1931
- Bump mikefarah/yq from 4.25.1 to 4.25.2 by @dependabot in #1933
- Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #1937
- fix: fix fetching updated targets from TUF root by @asraa in #1921
- Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in #1944
- Bump ossf/scorecard-action from 1.1.0 to 1.1.1 by @dependabot in #1945
- fix: fix #1930 for AWS KMS formats by @vaikas in #1946
- update cross-builder image to use go1.17.11 by @cpanato in #1950
- Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 by @dependabot in #1949
- remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
- add cha...
v1.8.0
What's Changed
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.3 to 0.1.4 by @dependabot in #1620
- Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 by @dependabot in #1745
- Bump mikefarah/yq from 4.24.2 to 4.24.4 by @dependabot in #1746
- Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
- [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
- Refactor policy related code, add support for vuln verify by @vaikas in #1747
- Use bundle log ID to find verification key by @haydentherapper in #1748
- [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
- Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
- Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in #1751
- test: create fake TUF test root and create test SETs for verification by @asraa in #1750
- update go builder and cosign images by @cpanato in #1755
- Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in #1752
- Implement identities, fix bug in webhook validation. by @vaikas in #1759
- Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
- chore: add warning when attaching sBOMs by @hectorj2f in #1756
- Verify embedded SCTs by @haydentherapper in #1731
- chore: add warning when downloading a sBOM by @hectorj2f in #1763
- [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
- Bump mikefarah/yq from 4.24.4 to 4.24.5 by @dependabot in #1765
- Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in #1764
- Break the CIP action tests into a sh script. by @vaikas in #1767
- tuf: add debug info if tuf update fails by @asraa in #1766
- cosigned: add support for rsa keys by @hectorj2f in #1768
- Cosigned validate against remote sig src by @DennyHoang in #1754
- Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
- Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in #1784
- fix: more informative error by @ybelMekk in #1778
- Bump cuelang.org/go from 0.4.2 to 0.4.3 by @dependabot in #1779
- Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in #1780
- Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in #1781
- Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in #1782
- Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in #1783
- Run update-codegen. by @wlynch in #1789
- Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
- Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
- test: add cue unit tests by @hectorj2f in #1791
- Attestations + policy in cip. by @vaikas in #1772
- chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
- Add parallelization for processing policies / authorities. by @vaikas in #1795
- Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
- Handle context cancelled properly + tests. by @vaikas in #1796
- Fix a bug where an error would send duplicate results. by @vaikas in #1797
- Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
- Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 by @dependabot in #1799
- Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in #1800
- Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in #1801
- Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 by @dependabot in #1758
- cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
- Don't fail open in VerifyBundle by @mtrmac in #1648
- Load in intermediate cert pool from TUF by @haydentherapper in #1804
- add changelog for release v1.8.0 by @cpanato in #1803
- Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806
New Contributors
- @vpnachev made their first contribution in #1726
- @ybelMekk made their first contribution in #1778
- @wlynch made their first contribution in #1789
- @mtrmac made their first contribution in #1648
Full Changelog: v1.7.2...v1.8.0
Thanks to all contributors!
v1.7.2
What's Changed
- Bump codecov/codecov-action from 2.1.0 to 3 by @dependabot in #1714
- Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in #1713
- Bump google-github-actions/auth from 0.6.0 to 0.7.0 by @dependabot in #1712
- Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 by @dependabot in #1711
- Makefile: fix directory not found error by @hectorj2f in #1718
- Update release job by @cpanato in #1720
- [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
- fix: add permissions to patch events by @hectorj2f in #1722
- Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 by @dependabot in #1723
- Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 by @dependabot in #1721
- Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in #1725
- Make public all types required to use ValidatePolicy by @jdolitsky in #1727
- Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
- Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 by @dependabot in #1724
- Remove newline from download sbom output by @ribbybibby in #1732
- Fix packages name and binary in the packages by @cpanato in #1734
- Fix fulcioroots test and linter error by @haydentherapper in #1741
- Support non-ECDSA public keys in certificates by @haydentherapper in #1740
- bug: remove old fulcio root and fix fallback target code by @asraa in #1738
- Bump actions/cache from 3.0.1 to 3.0.2 by @dependabot in #1737
- add changelog for v1.7.2 by @cpanato in #1735
Full Changelog: v1.7.1...v1.7.2
Thanks to all contributors!
v1.7.1
What's Changed
- commenting out the copy from gcr to ghcr due to issues on github side by @cpanato in #1715
- Update images for release job by @cpanato in #1551
- pkcs11: fix build instructions by @rgerganov in #1550
- Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in #1553
- Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 by @dependabot in #1552
- Mirror signed release images from GCR to GHCR as part of release with… by @k4leung4 in #1547
- Update hashicorp/parseutil to v0.1.3. by @dlorenc in #1557
- Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 by @dependabot in #1560
- Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 by @dependabot in #1559
- Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 by @dependabot in #1561
- add definition for artifact hub to verify the ownership by @cpanato in #1563
- Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in #1565
- Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
- Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
- Bump google.golang.org/api from 0.70.0 to 0.71.0 by @dependabot in #1577
- Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 by @dependabot in #1576
- Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 by @dependabot in #1578
- Support deletion of ClusterImagePolicy by @vaikas in #1580
- Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 by @dependabot in #1579
- 1417 policy validations by @kkavitha in #1548
- Don't lowercase input image refs, just fail by @imjasonh in #1586
- Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
- Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #1588
- Bump google.golang.org/grpc from 1.44.0 to 1.45.0 by @dependabot in #1587
- Bump mikefarah/yq from 4.21.1 to 4.22.1 by @dependabot in #1589
- Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
- Fix #1592 move authorities as siblings of images. by @vaikas in #1593
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 by @dependabot in #1597
- Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
- Fix copy/paste mistake in repo name. by @k4leung4 in #1600
- Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599
- Add public key validation by @kkavitha in #1598
- Validate a public key in a secret is valid. by @vaikas in #1602
- Ensure entry is removed from CM on secret error. by @vaikas in #1605
- Bump google.golang.org/api from 0.71.0 to 0.72.0 by @dependabot in #1612
- Bump to knative pkg 1.3 by @mattmoor in #1614
- Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
- Init entity from ociremote when signing a digest ref by @puerco in #1616
- rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
- improve cosigned validation error messages by @cpanato in #1618
- Bump ecr-login to pick up WithLogger rename by @mattmoor in #1624
- Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in #1622
- Bump google.golang.org/api from 0.72.0 to 0.73.0 by @dependabot in #1619
- Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in #1621
- Use latest knative/pkg's configmap informer by @tcnghia in #1615
- Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
- Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 by @dependabot in #1634
- FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
- update crane to v0.8.0 release by @cpanato in #1635
- push latest tag when building a release by @cpanato in #1636
- Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
- Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 by @dependabot in #1638
- Bump actions/cache from 2.1.7 to 3 by @dependabot in #1640
- Document Elastic container registry support by @mgreau in #1641
- Bump mikefarah/yq from 4.22.1 to 4.23.1 by @dependabot in #1639
- Validate authority keys by @coyote240 in #1623
- feat: tree command utility by @developer-guy in #1603
- fix build date format for version command by @cpanato in #1644
- Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in #1646
- Add support for intermediate certificates when verifying by @haydentherapper in #1631
- Prompt user before running `cosign clean` by @priyawadhwa in #1649
- Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
- KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
- Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
- Add support for certificate chain to verify certificate by @haydentherapper in #1659
- First batch of followups to #1650 by @vaikas in #1664
- Add certificate chain flag for signing by @haydentherapper in #1656
- [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
- update font when output the cosign version by @cpanato in #1668
- feat: add ability to override registry keychain by @noamichael in #1666
- remove replace directive by @cpanato in #1669
- Bump mikefarah/yq from 4.23.1 to 4.24.2 by @dependabot in #1670
- Refactor based on discussions in #1650 by @vaikas in #1674
- Find all valid entries in verify-blob by @priyawadhwa in #1673
- Fix relative paths in Github OIDC blob test by @priyawadhwa in #1677
- Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
- Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
- Make `cosign copy` copy metadata attached to child images. by @mattmoor in #1682
- change file_name_template to PackageName by @strongjz in #1683
- Update error message for verify/verify attestation by @haydentherapper in #1686
- cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
- verify: add leaf hash verification for tlog entries by @asraa in #1688
- Fix handling of policy in verify-attestation by @lcarva in #1672
- Add e2e test for attest / verify-attestation by @vaikas in #1685
- Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in #1689
- Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in #1690
- Bump google.golang.org/api from 0.73.0 to 0.74.0 by @dependabot in #1695
- verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
- Remove the hardcoded sigstore audience by @mattmoor in...
v1.6.0
This release contains fixes for GHSA-ccxc-vr6p-4858, affecting signature validations with Rekor. Only validation is affected; it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858
What's Changed
- add changelog for 1.5.1 release by @cpanato in #1376
- Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 by @dependabot in #1382
- Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 by @dependabot in #1383
- Fix double `time` import in e2e tests by @saschagrunert in #1388
- Add `--timeout` support to `sign` command by @saschagrunert in #1379
- Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 by @dependabot in #1386
- Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 by @dependabot in #1391
- Fix comparison in replace option for attestation by @bburky in #1366
- Add Cosign logo to README by @nsmith5 in #1395
- Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
- Fix a link of SECURITY.md by @knqyf263 in #1399
- update cosign and cross-build image for the release job by @cpanato in #1400
- Bump cuelang.org/go from 0.4.1 to 0.4.2 by @dependabot in #1401
- Bump google.golang.org/api from 0.66.0 to 0.67.0 by @dependabot in #1402
- feat: login command by @developer-guy in #1398
- TUF: Add root status output by @asraa in #1404
- Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 by @dependabot in #1403
- Add a newline after password input by @knqyf263 in #1407
- make imageRef lowercase before parsing by @bobcallaway in #1409
- Improve error message when image is not found in registry by @imjasonh in #1410
- Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 by @dependabot in #1412
- Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 by @dependabot in #1411
- Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
- Fix incorrect error check when verifying SCT by @haydentherapper in #1422
- Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
- Allow `PassFunc` to be `nil` by @saschagrunert in #1426
- Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
- Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
- Add docs on API stability and deprecation table by @priyawadhwa in #1429
- Bump google.golang.org/api from 0.67.0 to 0.68.0 by @dependabot in #1434
- update cross-build image which adds goimports by @cpanato in #1435
- feat: enhance clean cmd capability by @developer-guy in #1430
- use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
- Improve log lines to match with implementation by @marcofranssen in #1432
- Bump go-containerregistry, pick up new features by @imjasonh in #1442
- feat: fig autocomplete feature by @developer-guy in #1360
- update cross-build to use go 1.17.7 by @cpanato in #1446
- Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
- feat: add -buildid= to ldflags by @developer-guy in #1451
- Streamline `SignBlobCmd` API with `SignCmd` by @saschagrunert in #1454
- convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
- Bump webhook timeout. by @dlorenc in #1465
- Fix tkn link in readme by @Yongxuanzhang in #1459
- Bump the gitlab library and add a nil opt for the API change. by @dlorenc in #1466
- Print message when verifying with old TUF targets by @haydentherapper in #1468
- Bump google.golang.org/api from 0.68.0 to 0.69.0 by @dependabot in #1469
- fix(sign): refactor unsupported provider log by @Dentrax in #1464
- tests: `/bin/bash` -> `/usr/bin/env bash` by @znewman01 in #1470
- Double goreleaser timeout by @znewman01 in #1472
- increase timeout for goreleaser snapshot by @cpanato in #1473
- fix(sign): kms unsupported message by @Dentrax in #1475
- refactor release cloudbuild job by @cpanato in #1476
- Bump sigstore/sigstore to pick up the kms change and the monkey-patch… by @dlorenc in #1479
- Fix wording on attach attestation help by @luhring in #1480
- update go-tuf and simplify TUF client code by @asraa in #1455
- add initial changelog for 1.5.2 by @cpanato in #1483
- Fix linter error on main by @priyawadhwa in #1484
- Update Changelog for Security Advisory by @cpanato in #1485
- Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 by @dependabot in #1481
- chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
- Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
- feat: support other types in copy cmd by @developer-guy in #1493
- Pick up some of the shared workflows by @mattmoor in #1490
- Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 by @dependabot in #1499
- Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 by @dependabot in #1498
- Bump actions/github-script from 4.1.1 to 6 by @dependabot in #1497
- Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 by @dependabot in #1496
- feat: nominate Dentrax as codeowner by @developer-guy in #1492
- Bump google.golang.org/api from 0.69.0 to 0.70.0 by @dependabot in #1500
- Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.4 by @dependabot in #1502
- Bump google-github-actions/auth from 0.4.4 to 0.6.0 by @dependabot in #1501
- add correct layer media type to cosign attach attestation by @spiffcs in #1503
- Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in #1495
- This sets up the scaffolding for the `cosigned` CRD types. by @mattmoor in #1504
- Bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in #1509
- Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 by @dependabot in #1507
- Bump mikefarah/yq from 4.16.2 to 4.20.2 by @dependabot in #1510
- use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
- Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in #1512
- Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
- Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in #1516
- bug fix: import ed25519 keys and fix error handling by @asraa in #1518
- optimize codeql speed by using caching and tracing by @bobcallaway in #1519
- Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
- Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
- chore(ci): add artifact hub support by @Dentrax in #1522
- Bump github.com/secure-systems-lab/go-securesystemsli...