chore(deps): bump the all-actions group with 3 updates

[dependabot]

Bumps the all-actions group with 3 updates: actions/attest-build-provenance, actions/attest-sbom and sigstore/cosign-installer.

Updates actions/attest-build-provenance from 2 to 4

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.0.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in actions/attest-build-provenance#835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v3.2.0

What's Changed

• Bump @​actions/core from 1.11.1 to 2.0.1 by @​dependabot[bot] in actions/attest-build-provenance#776
• Add more documentation on Artifact Metadata Storage Records by @​malancas in actions/attest-build-provenance#797
• Update actions/attest to latest version v3.2.0 by @​malancas in actions/attest-build-provenance#812

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

v3.1.0

What's Changed

• Prepare v3 release by @​bdehamer in actions/attest-build-provenance#697
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in actions/attest-build-provenance#749
• Bump tar from 7.5.1 to 7.5.2 by @​dependabot[bot] in actions/attest-build-provenance#753
• Bump glob from 10.4.5 to 10.5.0 by @​dependabot[bot] in actions/attest-build-provenance#754
• Bump @​types/node from 24.10.1 to 25.0.2 by @​dependabot[bot] in actions/attest-build-provenance#774
• Bump @​actions/attest from 1.6.0 to 2.0.0 by @​dependabot[bot] in actions/attest-build-provenance#736
• Bump @​actions/attest from 2.0.0 to 2.1.0 by @​dependabot[bot] in actions/attest-build-provenance#775
• Add support for creating artifact metadata storage records by @​malancas in actions/attest-build-provenance#779

New Contributors

• @​malancas made their first contribution in actions/attest-build-provenance#779

Full Changelog: actions/attest-build-provenance@v3...v3.1.0

v3.0.0

What's Changed

• Adjust node max-http-header-size setting by @​bdehamer in actions/attest-build-provenance#687
• Bump actions/attest from v2.4.0 to v3.0.0 by @​bdehamer in actions/attest-build-provenance#691
  • Bump to node24 runtime
  • Improved checksum parsing
• Bump attest-build-provenance/predicate to v2.0.0 by @​bdehamer in actions/attest-build-provenance#693
  • Bump to node24 runtime by @​bdehamer in actions/attest-build-provenance#692

⚠️ Minimum Compatible Runner Version

v2.327.1 Release Notes

Make sure your runner is updated to this version or newer to use this release.

... (truncated)

Commits

• a2bbfa2 bump actions/attest from 4.0.0 to 4.1.0 (#838)
• 0856891 update RELEASE.md docs (#836)
• e4d4f7c prepare v4 release (#835)
• 02a49bd Bump github/codeql-action in the actions-minor group (#824)
• 7c757df Bump the npm-development group with 2 updates (#825)
• c44148e Bump github/codeql-action in the actions-minor group (#818)
• 3234352 Bump @​types/node from 25.0.10 to 25.2.0 in the npm-development group (#819)
• 18db129 Bump tar from 7.5.6 to 7.5.7 (#816)
• 90fadfa Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#799)
• 57db8ba Bump the npm-development group across 1 directory with 3 updates (#808)
• Additional commits viewable in compare view

Updates actions/attest-sbom from 1 to 4

Release notes

Sourced from actions/attest-sbom's releases.

v4.0.0

[!WARNING] As of version 4.0.0 this action is being deprecated in favor of actions/attest. actions/attest-sbom will continue to function as a wrapper on top of actions/attest for some period of time, but applications should make plans to migrate.

All of the existing action inputs are compatible with the actions/attest interface.

What's Changed

• Prepare v4 release by @​bdehamer in actions/attest-sbom#253

Full Changelog: actions/attest-sbom@v3...v4.0.0

v3.0.0

What's Changed

• Adjust node max-http-header-size setting by @​bdehamer in actions/attest-sbom#201
• Bump actions/attest from v2.4.0 to v3.0.0 by @​bdehamer in actions/attest-sbom#202
  • Bump runtime to node24
  • Improved checksum parsing
• Bump attest-sbom/predicate to v2.0.0 by @​bdehamer in actions/attest-sbom#206
  • Bump predicate runtime to node24 by @​bdehamer in actions/attest-sbom#204

⚠️ Minimum Compatible Runner Version

v2.327.1 Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/attest-sbom@v2.4.0...v3.0.0

v2.4.0

What's Changed

• Bump actions/attest from 2.2.1 to 2.3.0 in the actions-minor group by @​dependabot in actions/attest-sbom#169
• Bump undici from 5.28.5 to 5.29.0 by @​dependabot in actions/attest-sbom#172
• Bump actions/attest from 2.3.0 to 2.4.0 by @​bdehamer in actions/attest-sbom#178
  • Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: actions/attest-sbom@v2.2.0...v2.4.0

v2.2.0

What's Changed

• Bump actions/attest from v2.1.0 to v2.2.0 by @​bdehamer in actions/attest-sbom#148
  • Includes support for new subject-checksums input parameter

Full Changelog: actions/attest-sbom@v2.1.0...v2.2.0

v2.1.0

What's Changed

• Update README w/ note about GH plans supporting attestations by @​bdehamer in actions/attest-sbom#136

... (truncated)

Commits

• 07e74fc perpare v4 release (#253)
• b74e951 Bump the actions-minor group with 2 updates (#247)
• 7d9b9d6 Bump the npm-development group across 1 directory with 4 updates (#245)
• 35d5f43 Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#243)
• 876bb5f Bump the actions-minor group across 1 directory with 3 updates (#246)
• 6cf30ca Bump the npm-development group with 2 updates (#241)
• e395115 Bump the actions-minor group with 2 updates (#239)
• afc801d Bump the npm-development group with 3 updates (#240)
• 6ec0860 Bump @​actions/core from 1.11.1 to 2.0.1 (#237)
• 532af8a Bump github/codeql-action in the actions-minor group (#233)
• Additional commits viewable in compare view

Updates sigstore/cosign-installer from 3.8.1 to 4.1.0

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.0

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

• Bump cosign to 3.0.5 in sigstore/cosign-installer#220
• fix: add retry to curl downloads for transient network failures in sigstore/cosign-installer#210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

v4.0.0

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

• Add support for Cosign v3 releases (#201)

v3.10.1

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#203)

v3.10.0

What's Changed

• Bump default Cosign to v2.6.0 in sigstore/cosign-installer#200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

What's Changed

• not fail fast and setup permissions in sigstore/cosign-installer#195
• drop old unsupported versions <v2.0.0 in sigstore/cosign-installer#192
• Update default to v2.5.3 in sigstore/cosign-installer#196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

What's Changed

• default action install to use release v2.5.1 by @​cpanato in sigstore/cosign-installer#193
• default cosign to v2.5.2 by @​cpanato in sigstore/cosign-installer#194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

... (truncated)

Commits

• ba7bc0a fix: add retry to curl downloads for transient network failures (#210)
• 5a292e1 Bump cosign to 3.0.5 (#220)
• 351ea76 Bump actions/checkout from 6.0.1 to 6.0.2 (#217)
• c17565f test with go 1.26 too (#221)
• a6fdd19 Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)
• 430b6a7 docs: fix registry from gcr.io to ghcr.io (#213)
• 4d14d7f feat: update to v3.0.3 (#212)
• f148005 fix: use env vars for template expansions; show curl errors (#207)
• c3f2d79 Bump actions/checkout from 6.0.0 to 6.0.1 (#208)
• b9a9af4 drop tests with go1.24 as it cant build (#211)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions