
Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 #236

Closed

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Sep 14, 2022

Bumps github.com/sigstore/cosign from 1.11.1 to 1.12.0.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.12.0

Note: This release comes with a fix for CVE-2022-36056 described in this Github Security Advisory. Please upgrade to this release ASAP

What's Changed

New Contributors

Full Changelog: sigstore/cosign@v1.11.1...v1.12.0

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.11.0

Enhancements

Bug Fixes

Documentation

Others

Contributors

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Sep 14, 2022
@codecov-commenter

codecov-commenter commented Sep 14, 2022

Codecov Report

Merging #236 (9641679) into main (bd3a558) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #236   +/-   ##
=======================================
  Coverage   63.14%   63.14%           
=======================================
  Files          27       27           
  Lines        2415     2415           
=======================================
  Hits         1525     1525           
  Misses        815      815           
  Partials       75       75           


@cpanato
Member

cpanato commented Sep 15, 2022

Getting this error:

E0915 08:43:32.319465   18680 library.go:115] Failed to find license for github.com/alibabacloud-go/cr-20160607/client: cannot find a known open source license for "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/cr-20160607@v1.0.1/client" whose name matches regexp ^(?i)(LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/cr-20160607@v1.0.1"
E0915 08:43:32.411231   18680 library.go:115] Failed to find license for github.com/alibabacloud-go/tea-xml/service: cannot find a known open source license for "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/tea-xml@v1.1.2/service" whose name matches regexp ^(?i)(LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/tea-xml@v1.1.2"
Error: one or more libraries have an incompatible/unknown license: map["unknown":["github.com/alibabacloud-go/cr-20160607/client" "github.com/alibabacloud-go/tea-xml/service"]]
Usage:
  go-licenses save <package> [package...] [flags]

Flags:
      --force              Delete the destination directory if it already exists.
  -h, --help               help for save
      --save_path string   Directory into which files should be saved that are required by license terms

Global Flags:
      --alsologtostderr                  log to standard error as well as files
      --confidence_threshold float       Minimum confidence required in order to positively identify a license. (default 0.9)
      --ignore strings                   Package path prefixes to be ignored. Dependencies from the ignored packages are still checked. Can be specified multiple times.
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --logtostderr                      log to standard error instead of files (default true)
      --stderrthreshold severity         logs at or above this threshold go to stderr
  -v, --v Level                          log level for V logs
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging

F0915 08:43:38.626077   18680 main.go:75] one or more libraries have an incompatible/unknown license: map["unknown":["github.com/alibabacloud-go/cr-20160607/client" "github.com/alibabacloud-go/tea-xml/service"]]
exit status 1
--- FAIL: go-licenses failed to update licenses

cc @vaikas

@vaikas
Collaborator

vaikas commented Sep 16, 2022

@cpanato looks like there's no LICENSE in that repo. What's bringing that in I wonder?
https://github.com/alibabacloud-go/tea-xml

I see it was brought in to cosign and hence here. Why did cosign not complain, do we not check licenses there?
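The go-licenses failure above and the missing LICENSE in tea-xml that vaikas points to come down to one lookup: start in the package directory, walk up to the module root, and look for a file whose name matches the regexp quoted in the error. The following is an added example, not code from this thread or from go-licenses, that reproduces only that file-name lookup (go-licenses additionally classifies the text of the file it finds) over a constructed module-cache layout; the module names, paths and license text are made up.

```python
"""Reproduce the license-file lookup behind the go-licenses error in the thread."""
import re
import tempfile
from pathlib import Path
from typing import Optional

# The file-name pattern quoted in the go-licenses error, with the (?i) flag
# expressed as re.IGNORECASE because Python rejects inline flags after "^".
LICENSE_NAME = re.compile(r"^(LICEN(S|C)E|COPYING|README|NOTICE).*$", re.IGNORECASE)


def find_license(pkg_dir: Path, module_root: Path) -> Optional[Path]:
    """Scan pkg_dir and each parent up to module_root for a file matching LICENSE_NAME.

    Only the file lookup is reproduced here; go-licenses also classifies the text of
    the file it finds, which this example does not attempt.
    """
    pkg_dir, module_root = pkg_dir.resolve(), module_root.resolve()
    if module_root != pkg_dir and module_root not in pkg_dir.parents:
        return None  # pkg_dir does not live inside module_root
    for d in (pkg_dir, *pkg_dir.parents):
        for entry in (sorted(d.iterdir()) if d.is_dir() else []):
            if entry.is_file() and LICENSE_NAME.match(entry.name):
                return entry
        if d == module_root:
            return None  # module root scanned without a match


def unknown_licenses(pkgs: dict) -> list:
    """Import paths whose module has no license file: the condition go-licenses reports.

    pkgs maps import path -> (package dir, module root).
    """
    return sorted(p for p, (pkg_dir, root) in pkgs.items() if find_license(pkg_dir, root) is None)


def build_sample(cache: Path) -> dict:
    """Write a constructed module-cache layout: one module with a LICENSE at its root
    and one, like tea-xml in the thread, with none (constructed sample, not real modules)."""
    lic = cache / "example.org" / "licensed@v1.0.0"
    unlic = cache / "example.org" / "unlicensed@v1.0.0"
    (lic / "client").mkdir(parents=True)
    (unlic / "service").mkdir(parents=True)
    (lic / "LICENSE").write_text("Apache License 2.0 (constructed sample text)\n")
    return {
        "example.org/licensed/client": (lic / "client", lic),
        "example.org/unlicensed/service": (unlic / "service", unlic),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("unknown license:", unknown_licenses(build_sample(Path(tmp))))
```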

@vaikas
Collaborator

vaikas commented Sep 16, 2022

@cpanato let's see what happens with those :)

@cpanato
Member

cpanato commented Sep 16, 2022

all those dependencies were added in this PR sigstore/cosign#2008

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.12.0 branch 2 times, most recently from 5495cc3 to ae7d6a2 September 16, 2022 19:21
dependabot bot and others added 2 commits September 21, 2022 10:42
Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.11.1 to 1.12.0.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v1.11.1...v1.12.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
@hectorj2f hectorj2f force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.12.0 branch from 0c92c9a to 9641679 September 21, 2022 08:56
@hectorj2f hectorj2f self-assigned this Sep 21, 2022
@cpanato
Member

cpanato commented Sep 21, 2022

How did that get fixed? 🤔

@hectorj2f
Collaborator

Generally, I rebase this PR and run update-codegen.sh.

@cpanato
Member

cpanato commented Sep 21, 2022

It was failing on the missing licenses; wondering what changed :)

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Sep 21, 2022

A newer version of github.com/sigstore/cosign exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@hectorj2f
Collaborator

I am closing this PR, as we should bump cosign to 1.12.1

@hectorj2f hectorj2f closed this Sep 22, 2022
@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Sep 22, 2022

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/go_modules/github.com/sigstore/cosign-1.12.0 branch September 22, 2022 08:32